Hi All,
I have two services in the test namespace, one on port 26500 and one on port 80:
nc-pod-svc ClusterIP 10.15.241.111 26500/TCP 82d
backend LoadBalancer 10.15.244.7 34.73.179.226 80:30295/TCP 89d
When I apply the following destination rule, I would expect that only traffic to *.test.svc.cluster.local on port 80 will be encrypted.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: test-test-istio-mtls
  namespace: test
spec:
  host: "*.test.svc.cluster.local"
  trafficPolicy:
    port:
      number: 80
    tls:
      mode: ISTIO_MUTUAL
But it was applied to the nc-pod-svc service on port 26500:
{
  "version_info": "2019-11-26T12:35:06Z/39",
  "cluster": {
    "name": "outbound|26500||nc-pod-svc.test.svc.cluster.local",
    "type": "EDS",
    "eds_cluster_config": {
      "eds_config": {
        "ads": {},
        "initial_fetch_timeout": "0s"
      },
      "service_name": "outbound|26500||nc-pod-svc.test.svc.cluster.local"
    },
    "connect_timeout": "10s",
    "circuit_breakers": {
      "thresholds": [
        {
          "max_retries": 1024
        }
      ]
    },
    "tls_context": {
      "common_tls_context": {
        "tls_certificates": [
          {
            "certificate_chain": {
              "filename": "/etc/certs/cert-chain.pem"
            },
            "private_key": {
              "filename": "/etc/certs/key.pem"
            }
          }
        ],
        "validation_context": {
          "trusted_ca": {
            "filename": "/etc/certs/root-cert.pem"
          },
          "verify_subject_alt_name": [
            "spiffe://cluster.local/ns/test/sa/default"
          ]
        },
        "alpn_protocols": [
          "istio"
        ]
      },
      "sni": "outbound_.26500_._.nc-pod-svc.test.svc.cluster.local"
    },
    "metadata": {
      "filter_metadata": {
        "istio": {
          "config": "/apis/networking/v1alpha3/namespaces/test/destination-rule/test-test-istio-mtls"
        }
      }
    }
  },
  "last_updated": "2019-11-26T12:35:06.730Z"
}
Is this the expected behavior?
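A quick way to verify which outbound clusters actually received Istio mutual TLS, and from which DestinationRule, is to scan the sidecar's cluster config (the same Envoy config_dump entries as quoted above) for a tls_context with ALPN "istio". The script below is an added example, not code from the post or from Istio; the sample entries are constructed, the first mirroring the post's cluster and the other two made up for contrast, and the port set {80} is the poster's stated intent. In Istio, per-port TLS settings belong under trafficPolicy.portLevelSettings, so a rule that sets tls at the top level of trafficPolicy applies to every port of the host.

```python
import json

# Constructed sample in the shape of Envoy config_dump "dynamic_active_clusters"
# entries (also what `istioctl proxy-config cluster <pod> -o json` prints).
SAMPLE_CLUSTERS = json.loads(r'''
[
  {"cluster": {"name": "outbound|26500||nc-pod-svc.test.svc.cluster.local",
    "tls_context": {"common_tls_context": {"alpn_protocols": ["istio"]},
                    "sni": "outbound_.26500_._.nc-pod-svc.test.svc.cluster.local"},
    "metadata": {"filter_metadata": {"istio": {"config":
      "/apis/networking/v1alpha3/namespaces/test/destination-rule/test-test-istio-mtls"}}}}},
  {"cluster": {"name": "outbound|80||backend.test.svc.cluster.local",
    "tls_context": {"common_tls_context": {"alpn_protocols": ["istio"]}},
    "metadata": {"filter_metadata": {"istio": {"config":
      "/apis/networking/v1alpha3/namespaces/test/destination-rule/test-test-istio-mtls"}}}}},
  {"cluster": {"name": "outbound|9090||metrics.test.svc.cluster.local"}}
]
''')


def parse_cluster_name(name):
    """Split Envoy's 'direction|port|subset|host' cluster name."""
    direction, port, subset, host = name.split("|", 3)
    return direction, int(port), subset, host


def mtls_clusters(entries):
    """(host, port, DestinationRule name) for every outbound cluster whose
    upstream TLS context is Istio mutual TLS, recognised by ALPN 'istio'."""
    found = []
    for entry in entries:
        c = entry.get("cluster", entry)  # accept wrapped or bare cluster objects
        direction, port, _subset, host = parse_cluster_name(c["name"])
        if direction != "outbound":
            continue
        ctx = c.get("tls_context", {}).get("common_tls_context", {})
        if "istio" not in ctx.get("alpn_protocols", []):
            continue
        source = (c.get("metadata", {}).get("filter_metadata", {})
                  .get("istio", {}).get("config", ""))
        found.append((host, port, source.rsplit("/", 1)[-1]))
    return found


def unexpected_mtls_ports(entries, expected_ports):
    """Clusters carrying Istio mTLS on a port the rule was not meant to cover."""
    return [c for c in mtls_clusters(entries) if c[1] not in expected_ports]


if __name__ == "__main__":
    for host, port, rule in unexpected_mtls_ports(SAMPLE_CLUSTERS, {80}):
        print(f"{host}:{port} got ISTIO_MUTUAL from DestinationRule {rule}")
```

Replace SAMPLE_CLUSTERS with the parsed output of istioctl proxy-config cluster for the client pod to run it against a live sidecar.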