I have mTLS globally enabled, and a headless service where I’d like only one port to use mTLS.
I have difficulty setting up the configuration. I then tried to completely disable mTLS on my headless service as a first step, but it does not work. Can anyone help me understand what’s going on?
Here is my configuration in the namespace where I have my headless service with a StatefulSet:
```yaml
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  namespace: "cassandra-e2e"
spec:
  peers:
  - mtls:
      mode: PERMISSIVE
---
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "tls-only-native-port"
  namespace: "cassandra-e2e"
spec:
  host: "*.cassandra-e2e.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: DISABLE
```
The issue is between 2 nodes of the headless service that can’t communicate with each other. I would expect the destination rule to be applied to all pods, even pods belonging to the service. Am I wrong?
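As an added example (not part of the original post or the Istio project's own docs), here is how the per-port variant the question asks for is expressed with the same `authentication.istio.io/v1alpha1` and `networking.istio.io/v1alpha3` APIs: the authentication Policy is the server-side setting and scopes STRICT mTLS to a single port through `targets`, while the DestinationRule is the client-side setting and uses `portLevelSettings` to send ISTIO_MUTUAL only on that same port. The service name `cassandra`, the port numbers 9042 (native) and 7000 (intra-node), and the pod labels are assumptions; the `host` is written as the service FQDN rather than a wildcard, which is also an assumption about what matches the headless service in this setup.

```yaml
# Assumed headless Service fronting the StatefulSet (constructed for this example).
apiVersion: v1
kind: Service
metadata:
  name: cassandra
  namespace: cassandra-e2e
spec:
  clusterIP: None
  selector:
    app: cassandra
  ports:
  - name: tcp-native      # assumed: the one port that should use mTLS
    port: 9042
  - name: tcp-intra-node  # assumed: stays plaintext
    port: 7000
---
# Namespace-wide default stays PERMISSIVE so the sidecar accepts plaintext on
# every port that is not covered by a more specific policy below.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  namespace: "cassandra-e2e"
spec:
  peers:
  - mtls:
      mode: PERMISSIVE
---
# Server side: a policy with targets is more specific than the namespace
# default and overrides it, but only for the listed service/port.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "cassandra-native-strict"   # assumed name; only "default" is reserved
  namespace: "cassandra-e2e"
spec:
  targets:
  - name: cassandra
    ports:
    - number: 9042
  peers:
  - mtls:
      mode: STRICT
---
# Client side: plaintext by default, mTLS only on 9042. The per-port TLS mode
# here must agree with the server-side policy for the same port, otherwise one
# side sends TLS while the other expects plaintext (or vice versa) and the
# connection is reset.
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "tls-only-native-port"
  namespace: "cassandra-e2e"
spec:
  host: "cassandra.cassandra-e2e.svc.cluster.local"   # assumed: FQDN, not wildcard
  trafficPolicy:
    tls:
      mode: DISABLE
    portLevelSettings:
    - port:
        number: 9042
      tls:
        mode: ISTIO_MUTUAL
```

The check a practitioner would run after applying this is to confirm that the server-side and client-side modes line up per port, for example with `istioctl authn tls-check <pod> cassandra.cassandra-e2e.svc.cluster.local`, and to inspect the sidecar's listener for port 9042 to see that it expects TLS while the listener for 7000 does not.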