We have a few services running without a sidecar and we want to keep them that way. We also want these services to talk to other services in the mesh that run with a sidecar.
We have applied cluster-wide mTLS in STRICT mode (we want to keep STRICT mode).
Services without a sidecar can communicate with services with a sidecar when mTLS is set to PERMISSIVE, but we want to keep it in STRICT mode.
We checked VirtualService, DestinationRule, and ServiceEntry, but none of them seem to address our use case. We want to communicate from services without a sidecar to services with a sidecar, but the above-mentioned resources work the other way around.
You won't be able to use STRICT mode this way, as the mTLS tunnel is established between Envoy proxies; if you bypass the proxy, mTLS is not possible.
In that case you'll need to implement mTLS at the workload level and not use the proxies.
You can still get this connectivity in any case by using a different port; see below, where mTLS is disabled on port 8080 (extracted from the official docs):
```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: DISABLE
```
We explored this option, but we have enabled STRICT mTLS at the cluster level and want to keep it that way. Would the mTLS option at the workload level take priority?
Policies in Istio take precedence at the most granular level, so:
- workload > namespace > cluster
so the workload selector will override your cluster-level settings.
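To make the precedence rule above concrete, here is an added, simplified model (not Istio's own code) of how the effective mTLS mode is resolved for one workload port when the mesh-wide STRICT policy and the workload-scoped policy with portLevelMtls from the earlier answer coexist. It assumes the standard root namespace istio-system, treats a policy without a selector in that namespace as mesh-wide, and ignores the UNSET mode for brevity.

```python
from dataclasses import dataclass, field

ROOT_NAMESPACE = "istio-system"   # Istio's default root namespace for mesh-wide policy
DEFAULT_MODE = "PERMISSIVE"       # what applies when no PeerAuthentication matches

@dataclass
class PeerAuthentication:
    namespace: str
    mode: str                                        # STRICT | PERMISSIVE | DISABLE
    selector: dict = field(default_factory=dict)     # empty = namespace-wide policy
    port_level: dict = field(default_factory=dict)   # port -> mode (portLevelMtls)

def _matches(policy, namespace, labels):
    # Mesh-wide: root namespace and no selector. Otherwise the policy must live in
    # the workload's namespace and every selector label must match.
    if policy.namespace == ROOT_NAMESPACE and not policy.selector:
        return True
    if policy.namespace != namespace:
        return False
    return all(labels.get(k) == v for k, v in policy.selector.items())

def effective_mode(policies, namespace, labels, port):
    # Most specific match wins: workload selector (2) > namespace (1) > mesh (0).
    best, best_rank = None, -1
    for p in policies:
        if not _matches(p, namespace, labels):
            continue
        rank = 2 if p.selector else (1 if p.namespace == namespace else 0)
        if rank > best_rank:
            best, best_rank = p, rank
    if best is None:
        return DEFAULT_MODE
    # portLevelMtls is only honoured on workload-scoped (selector) policies.
    if best.selector and port in best.port_level:
        return best.port_level[port]
    return best.mode

# Constructed scenario from this thread: cluster-wide STRICT plus the finance
# workload policy that disables mTLS on port 8080 only.
THREAD_POLICIES = [
    PeerAuthentication(namespace=ROOT_NAMESPACE, mode="STRICT"),
    PeerAuthentication(namespace="foo", mode="STRICT",
                       selector={"app": "finance"}, port_level={8080: "DISABLE"}),
]

def thread_scenario():
    finance = {"app": "finance"}
    return {
        "foo/finance:8080": effective_mode(THREAD_POLICIES, "foo", finance, 8080),
        "foo/finance:9090": effective_mode(THREAD_POLICIES, "foo", finance, 9090),
        "foo/other:8080": effective_mode(THREAD_POLICIES, "foo", {"app": "other"}, 8080),
        "bar/finance:8080": effective_mode(THREAD_POLICIES, "bar", finance, 8080),
    }
```

Only the finance workload's port 8080 in namespace foo ends up DISABLE; every other port and workload keeps the cluster-wide STRICT, which is the behaviour the thread is asking for.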
I agree with @Mark_Rogers. @ilgatnau's solution would be the ideal way to do it without affecting the cluster-wide STRICT mTLS setting.