Istio 1.0.6 - set mtls mode to strict from Helm


#1

Hello, my team recently upgraded our test environment from Istio 1.0.2 to 1.0.6. This upgrade includes the change from 1.0.3 that defaults the mtls mode to permissive in the default mesh policy.

We perform our installation with Helm, pulling the chart down from the Istio GitHub repo on a clean install. As part of our installation, we require the mtls mode to be set to strict, but I have been unable to find an install option for this.

I’ve been working on using kubectl patch to update the default meshpolicy, but it does not seem to be applied.

I am using the following patch on the default mesh policy:

spec:
  peers:
  - mtls:
      mode: STRICT

This is appended to the end of the policy when I do output formatted as yaml, but the actual policy does not appear to have the change made, as I still see the following:

apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"authentication.istio.io/v1alpha1","kind":"MeshPolicy","metadata":{"annotations":{},"labels":{"app":"istio-security","chart":"security-1.0.6","heritage":"Tiller","release":"istio"},"name":"default","namespace":""},"spec":{"peers":[{"mtls":{}}]}}

I would expect to see STRICT within the mtls json block at the end.


#2

"peers":[{"mtls":{}}] is the proper STRICT mode. You can verify it by sending http traffic to it (it should be rejected).
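
An added example, not part of either post and not Istio's own code: a check that reads the effective mode from the live `spec.peers` of a policy (for instance the output of `kubectl get meshpolicy default -o json`) and, separately, from the `last-applied-configuration` annotation, which `kubectl patch` does not rewrite. The function names, the `NONE` label and the sample documents are assumptions constructed for illustration.

```python
import json
import sys

ANNOTATION = "kubectl.kubernetes.io/last-applied-configuration"
# In authentication.istio.io/v1alpha1 the mtls mode defaults to STRICT,
# so an empty `mtls: {}` block means STRICT, not "unset".
DEFAULT_MODE = "STRICT"

def effective_mtls_mode(policy):
    """Return STRICT or PERMISSIVE from spec.peers, or NONE if no mtls peer exists."""
    peers = (policy.get("spec") or {}).get("peers") or []
    for peer in peers:
        if "mtls" in peer:
            settings = peer["mtls"] or {}      # `mtls: {}` and `mtls: null` are equivalent
            return settings.get("mode", DEFAULT_MODE)
    return "NONE"                              # hypothetical label: plaintext is accepted

def last_applied_mode(policy):
    """Mode recorded in the annotation; this is history, not the live policy."""
    annotations = (policy.get("metadata") or {}).get("annotations") or {}
    raw = annotations.get(ANNOTATION)
    return effective_mtls_mode(json.loads(raw)) if raw else None

# Constructed sample: the annotation still records the chart's original spec,
# while the live spec carries an explicit mode.
SAMPLE_EXPLICIT = {
    "kind": "MeshPolicy",
    "metadata": {"name": "default", "annotations": {
        ANNOTATION: json.dumps({"spec": {"peers": [{"mtls": {}}]}})}},
    "spec": {"peers": [{"mtls": {"mode": "STRICT"}}]},
}
# Constructed samples for the other two cases.
SAMPLE_PERMISSIVE = {"spec": {"peers": [{"mtls": {"mode": "PERMISSIVE"}}]}}
SAMPLE_NO_PEERS = {"spec": {}}

if __name__ == "__main__":
    # Usage: kubectl get meshpolicy default -o json | python3 this_file.py
    doc = json.load(sys.stdin)
    print("live spec:   ", effective_mtls_mode(doc))
    print("last applied:", last_applied_mode(doc))
```

The mode that counts is the one read from the live spec; the annotation only shows what the last `kubectl apply` (here, the Helm chart) submitted.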