Enable Mutual TLS for Control Plane


#1

Hi there,

Can I enforce Mutual TLS between control plane components and sidecar, but allow plain TCP traffic for services?

I found some clues in the configuration of pilot and sidecar, but no clear documentation about how to achieve this.

Thanks,
Huabing


#2

Hi Zhao,
It should be achievable by enabling mTLS only on the istio-system namespace by adding a namespace Policy and DestinationRule as follows:

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: istio-system
spec:
  peers:
  - mtls: {}
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: istio-system
spec:
  host: "*.istio-system.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

I am curious to know which use case needs such configuration.
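The two objects above only work together: the Policy tells server-side sidecars in istio-system to require mTLS, and the DestinationRule tells client-side sidecars to present a client certificate when calling anything in that namespace. If one half is missing, connections fail. The following is an added example, not code from the thread or from Istio, that encodes this pairing rule as an offline check. It assumes the v1alpha1 semantics that `mtls: {}` means STRICT and that a namespace-wide Policy has no `targets`; the resource dicts are constructed to mirror the YAML above, and in practice they would be loaded from `kubectl get policies,destinationrules --all-namespaces -o yaml` (an assumption about how one would feed it).

```python
"""Pairing check for Istio v1alpha1 authentication Policy and DestinationRule.

For each namespace of interest, derive what server sidecars accept (from the
namespace-wide Policy) and what client sidecars send (from a DestinationRule
whose host covers that namespace), and flag the two inconsistent combinations.
"""

# Constructed resources mirroring the thread's YAML (not loaded from a cluster).
RESOURCES = [
    {"kind": "Policy",
     "metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"peers": [{"mtls": {}}]}},
    {"kind": "DestinationRule",
     "metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"host": "*.istio-system.svc.cluster.local",
              "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}},
]


def server_mode(resources, namespace):
    """Mode the server-side sidecars in `namespace` enforce.

    v1alpha1: a namespace-wide Policy (no `targets`) with `mtls: {}` is STRICT,
    `mtls: {mode: PERMISSIVE}` accepts both, and no peer method or no Policy at
    all means plaintext only.
    """
    for r in resources:
        if (r["kind"] == "Policy"
                and r["metadata"]["namespace"] == namespace
                and not r["spec"].get("targets")):
            for peer in r["spec"].get("peers", []):
                if "mtls" in peer:
                    return (peer["mtls"] or {}).get("mode", "STRICT")
            return "PLAINTEXT"
    return "PLAINTEXT"


def host_namespace(host):
    """Namespace named by a host such as '*.istio-system.svc.cluster.local' or
    'pilot.istio-system.svc.cluster.local'; None for other host forms."""
    parts = host.split(".")
    if len(parts) >= 4 and parts[2] == "svc":
        return parts[1]
    return None


def client_mode(resources, namespace):
    """TLS mode client sidecars use toward services in `namespace`.

    Only namespace-wide wildcard hosts ('*.<ns>.svc.cluster.local') are
    considered here; a per-service DestinationRule would need host matching.
    Absence of a rule means clients send plaintext (reported as DISABLE).
    """
    for r in resources:
        if r["kind"] != "DestinationRule":
            continue
        host = r["spec"]["host"]
        if host.startswith("*.") and host_namespace(host) == namespace:
            tls = r["spec"].get("trafficPolicy", {}).get("tls", {})
            return tls.get("mode", "DISABLE")
    return "DISABLE"


def check_namespace(resources, namespace):
    """Return an 'OK: ...' or 'MISMATCH: ...' verdict for one namespace."""
    server, client = server_mode(resources, namespace), client_mode(resources, namespace)
    if server == "STRICT" and client != "ISTIO_MUTUAL":
        return "MISMATCH: server requires mTLS but clients send plaintext"
    if server == "PLAINTEXT" and client == "ISTIO_MUTUAL":
        return "MISMATCH: clients send mTLS but server expects plaintext"
    if server == "STRICT":
        return "OK: mTLS"
    if server == "PERMISSIVE":
        return "OK: permissive (mTLS and plaintext both accepted)"
    return "OK: plaintext"


def check_all(resources, namespaces):
    """Verdict per namespace, e.g. to confirm 'mTLS only for istio-system'."""
    return {ns: check_namespace(resources, ns) for ns in namespaces}


if __name__ == "__main__":
    for ns, verdict in check_all(RESOURCES, ["istio-system", "default"]).items():
        print(f"{ns}: {verdict}")
```

Running it against the constructed resources reports `istio-system: OK: mTLS` and `default: OK: plaintext`, which is exactly the split the question asks for. Dropping the DestinationRule from the list turns the istio-system verdict into a MISMATCH, which is the failure mode to look for when control plane calls start failing after the Policy alone is applied.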


#3

Hi Rafik8,

Thanks for the information. Is it possible to do this in a Consul deployment?

Huabing


#4

I don’t have much knowledge of Consul so I cannot confirm that.