I’m running Istio 1.0.5 in Kubernetes (EKS v1.11).
I have a working configuration where the Istio ingress gateway pod is terminating SSL connections and then sending traffic to the correct pod (determined by the Gateway/VirtualService config). The service pods have the Istio sidecar running in this scenario.
What’s not clear to me is whether the traffic leaving the ingress gateway pod going to the service pod is getting encrypted. I couldn’t find any documentation that called out this point specifically. My thought is that, because the ingress gateway pod is also running an Envoy proxy, the traffic between the ingress gateway pod and the service pod is encrypted using mTLS.
Can anyone confirm this one way or the other? Additionally, does the Envoy proxy running in the ingress gateway pod adhere to the same mesh policy that the sidecars in the service pods use? Should I think of the Istio ingress gateway as just another pod that runs Envoy proxy? My mental model may be the root of the problem, because I don’t think of the ingress gateway pod as being the same as a service pod with the Istio sidecar.
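For anyone checking this on their own cluster: the hop from the gateway to the workload is not encrypted just because Envoy is present on both ends. In Istio 1.0.x it is governed by two resources, the server-side authentication policy (MeshPolicy or a namespaced Policy) and the client-side DestinationRule, and the gateway's Envoy follows the DestinationRule for a host exactly as a sidecar does. The pair below is an added example, not configuration from the original post; the service name `my-service`, the namespace `default`, and the use of a mesh-wide policy are assumptions.

```yaml
# Added example: the two Istio 1.0.x resources that decide whether the ingress
# gateway's Envoy originates mTLS to a workload. Names/namespace are assumptions.

# 1. Server side: require mTLS on every sidecar in the mesh (MeshPolicy is
#    cluster-scoped and must be named "default"; "mtls: {}" means STRICT).
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  name: default
spec:
  peers:
  - mtls: {}
---
# 2. Client side: tell any Envoy (gateway or sidecar) that sends to this host
#    to use Istio-issued certificates. Without this rule the gateway sends
#    plaintext and a STRICT server policy rejects the connection.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: my-service
  namespace: default
spec:
  host: my-service.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

After applying both, `istioctl authn tls-check my-service.default.svc.cluster.local` (1.0.x syntax, which takes the service host rather than a pod name) prints the server-side policy and the client-side DestinationRule for the host and reports CONFLICT when only one side is set; an OK row with `mTLS` on both sides is the evidence that the gateway-to-pod hop is encrypted, which is worth keeping in the change record rather than inferring from the presence of a sidecar.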