How to connect to pods with sidecar from pod without sidecar?

We have few services running without a sidecar and we want to keep them that way. And we want these services to speak to other services in the mesh running with sidecar.

We have applied cluster-wide mTLS in STRICT mode (we want to keep STRICT mode).

Services can communicate from without sidecar to with sidecar when we have mTLS set as PERMISSIVE but we want to keep it as STRICT mode.

We checked VirtualServices, DestinationRule, and ServiceEntry but none of them seems to address our use case. We want to communicate from services without a sidecar to services with a sidecar but the above-mentioned things work another way.

You’ll not be able to use STRICT mode this way as the mTLS tunnel happens between Envoy proxies, if you bypass this then mTLS is not possible.

In that case you’ll need to implement mTLS at workload level and not use the proxies.

You can do in any case this connectivity but use different port, see below, port 8080 disabling mTLS (extracted from official docs):

kind: PeerAuthentication
  name: default
  namespace: foo
      app: finance
    mode: STRICT
      mode: DISABLE

1 Like

We explored this option but we have enabled STRICT mTLS at the cluster level and want to keep it that way. Would the mTLS option at workload take priority?

Policies in Istio take precedence at the most granular level so:

  • workload > namespace > cluster

so the workload selector will override your cluster level settings

1 Like

I agree with @Mark_Rogers. @ilgatnau solution would be the ideal way to do it without affecting the cluster wide strict mtls feature.

1 Like