Enable Mutual TLS for Control Plane

zhaohuabing · January 17, 2019, 8:48am

Hi there,

Can I enforce Mutal TLS between control plane components and sidecar, but allow plain TCP traffic for services?

I found some clues in the configuration of pilot and sidecar, but no clear documentation about how to achieve this.

Thanks,
Huabing

rafik8 · January 17, 2019, 12:55pm

Hi Zhao,
It should be achievable by enable mTLS only on istio-system namespace by adding a namespace Policy and DestinationRule as following:

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: istio-system
spec:
  peers:
  - mtls: {}
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: istio-system
spec:
  host: "*.istio-system.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

I am curious to know which use case need such configuration.

zhaohuabing · January 17, 2019, 1:06pm

Hi Rafik8,

Thanks for the information, is it possible to be done in Consul deployment?

Huabing

rafik8 · January 17, 2019, 1:29pm

I don’t have much knowledge on Consul so I can not confirm that.

Topic		Replies	Views
How enable mTLS STRICT with MongoDB Security	2	1321	May 9, 2022
Policy and destination rule set to mtls & ISTIO_MUTUAL but communicating over http	4	2878	May 16, 2019
Default mTLS between canary installs Security	2	308	November 9, 2021
How can we enable Mutual TLS for two namespaces and test it	2	385	June 20, 2019
Sidecar to Service communication Security	6	1574	April 26, 2019

Enable Mutual TLS for Control Plane

Related Topics