DestinationRule vs PeerAuthentication clarification

I am currently migrating a workload to a new cluster running Istio 1.7.1

The workload has certain endpoints that require mTLS to be disabled. This has been achieved using a DestinationRule in the past, but now when PeerAuthentication is available I am not sure which method I should use?

Why are you able to control mtls through both resources?

I spent my morning digging through the docs, but the difference between these resources is still somewhat unclear.

3 Likes

Well, the documentation mentions that PeerAuthentication is applicable at a namespace level, with provisions to make exceptions for certain services at port level.

A DestinationRule, on the other hand, applies to that specific service and is tied to the VirtualService. You cannot make port-level exceptions here.

In your case, if this is the specific service that needs mTLS to be disabled, then stick to DestinationRules. If, on the other hand, you need a specific port where mTLS is to be disabled, then PeerAuthentication would work for you as well.

Hope that helps

2 Likes

Thank you, that makes it clearer! We decided to stick with DestinationRules, and according to your answer that seems to be the correct way.

Both are relevant.
The crucial point is that PeerAuthentication defines what the destination service requires from the client (e.g. it must present a client certificate).
The DestinationRule controls what the client side will present.

So if a PeerAuthentication requires STRICT mode, the DestinationRule must present a certificate (using TLS mode MUTUAL or ISTIO_MUTUAL).
If the PeerAuthentication is PERMISSIVE, the DestinationRule may present a certificate but is not required to.

3 Likes
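The following manifests are an added example illustrating both of the answers above (the port-level exception that the second reply describes, and the server-side/client-side split that the last reply describes); they are not from the original thread and not from any Istio project documentation. The namespace `payments`, the workload label `app: ledger`, the service host `ledger.payments.svc.cluster.local` and the plaintext port `8081` are assumptions chosen for the illustration. The resources use the `v1beta1` APIs that exist in Istio 1.7.

```yaml
# Server side: what the sidecar in front of the workload ACCEPTS.
# Namespace-wide default: every workload in "payments" requires mTLS.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# Server side, workload-scoped exception: the "ledger" pods keep STRICT
# everywhere except on container port 8081, which accepts plaintext.
# portLevelMtls only takes effect when a selector is present, and the
# key is the CONTAINER port of the pod, not the Service port.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: ledger-plaintext-port
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger          # assumed workload label
  mtls:
    mode: STRICT
  portLevelMtls:
    8081:                  # assumed container port that must stay plaintext
      mode: DISABLE
---
# Client side: what the calling sidecar SENDS to this host.
# ISTIO_MUTUAL presents the sidecar's certificate, which satisfies STRICT;
# the per-port override sends plaintext to the one port that was opted out.
# Here the port number is the SERVICE port of ledger.payments.svc.cluster.local.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: ledger
  namespace: payments
spec:
  host: ledger.payments.svc.cluster.local   # assumed service host
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
    portLevelSettings:
    - port:
        number: 8081       # assumed service port mapped to container port 8081
      tls:
        mode: DISABLE
```

The two resources have to agree per port: a DestinationRule that sends plaintext (`DISABLE`) to a port whose PeerAuthentication is `STRICT` is rejected by the server sidecar, and a DestinationRule that sends `ISTIO_MUTUAL` to a port whose PeerAuthentication is `DISABLE` fails the handshake in the other direction. `PERMISSIVE` on the server side is the only setting that tolerates either client behaviour, which is why it is the usual intermediate step during a migration. If the Service port and the container port differ, the DestinationRule and the PeerAuthentication refer to different numbers for the same traffic, so check the Service's `targetPort` before copying one value into both places.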