Is TLS used between istio ingressgateway pod and service pod?


I’m running istio 1.0.5 in Kubernetes (EKS v1.11).

I have a working configuration where the istio ingress gateway pod is terminating SSL connections and then sending traffic to the correct pod (determined by the gateway/virtualservice config). The service pods have the istio sidecar running in this scenario.

What’s not clear to me is whether the traffic leaving the ingress gateway pod going to the service pod is getting encrypted. I couldn’t find any documentation that called out this point specifically. My thought is that because the ingress gateway pod is also running an envoy proxy, the traffic between the ingress gateway pod and the service pod is encrypted using mTLS.

Can anyone confirm this one way or the other? Additionally, does the envoy proxy running in the ingress gateway pod adhere to the same mesh policy that the sidecars in the service pods use? Should I think of the istio ingressgateway as just another pod that runs envoy proxy? My mental model may be the root of the problem because I don’t think of the ingress gateway pod being the same as a service pod with the istio sidecar.

Thanks. G.


(m)TLS settings for all traffic within the mesh, including from ingress-gateway to other pods, are controlled by authentication policy (for server side) and destination rule. You can enable/disable them independently of gateway TLS.

Hope this helps.


There is a strange limit on the number of links I can put per message :). Anyway, here are some tutorials to enable mTLS between services in the mesh.
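
The split described in the answer above, shown as an added configuration example that is not part of the original posts: edge TLS on the Gateway, and mesh mTLS set separately through an authentication policy (server side) and a destination rule (client side). It assumes the Istio 1.0.x API versions; the gateway name and host are placeholders.

```yaml
# Added example, not from the thread. Istio 1.0.x API versions assumed.
# 1) Edge TLS: terminated at the ingress gateway. This says nothing about
#    the hop from the gateway's Envoy to the service pod.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: example-gateway              # hypothetical name
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE                   # one-way TLS from external clients
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "app.example.com"              # placeholder host
---
# 2) Server side: mesh-wide authentication policy. Sidecars accept only
#    mutual TLS from peers.
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  name: default
spec:
  peers:
  - mtls: {}
---
# 3) Client side: tells every Envoy that originates traffic, the ingress
#    gateway's included, to use Istio-issued certificates for mTLS.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: default                 # namespace used for the mesh-wide rule in the 1.0 docs
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

If only (2) is applied without (3), clients send plaintext to servers that require mTLS and requests fail. On Istio 1.0.x, `istioctl authn tls-check` reports per service whether the authentication policy and destination rule agree.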