DestinationRule vs PeerAuthentication clarification

I am currently migrating a workload to a new cluster running Istio 1.7.1

The workload has certain endpoints that require mTLS to be disabled. This has been achieved using a DestinationRule in the past, but now when PeerAuthentication is available I am not sure which method I should use?

Why are you able to control mtls through both resources?

I spent my morning digging through the docs, but the difference between these resources is still somewhat unclear.


Well thw documentation mentions that PeerAuthentication is applicable at a namespace level with provisions to make exceptions for certain services at port levels.

Destination rule on the other hand applies to that specific service and is tied to the virtual service. You cannot make port level we exceptions here.

In your case if this is the specific service that needs mtls to be disabled the stick to Destination rules. If on the other hand you need a specific port where mtls to be disabled then peerauthentication would work for you as well.

Hope that helps

1 Like

Thank you, that makes it clearer! We decided to stick with DestinationRules, and in regards to your answer it seems to be the correct way.