Hello all,
I’m attempting to have SVCA (non-istio) in namespace A speak to SVCB (istio + mTLS) in namespace B. I’ve created a mesh policy in PERMISSIVE mode as specified in the global TLS documents.
Here is our meshPolicy:
kind: MeshPolicy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"authentication.istio.io/v1alpha1","kind":"MeshPolicy","metadata":{"annotations":{},"labels":{"app":"security","chart":"security","heritage":"Tiller","release":"istio"},"name":"default","namespace":""},"spec":{"peers":[{"mtls":{"mode":"PERMISSIVE"}}]}}
  creationTimestamp: "2019-07-18T18:29:35Z"
  generation: 1
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: istio
  name: default
  resourceVersion: "5245"
  selfLink: /apis/authentication.istio.io/v1alpha1/meshpolicies/default
  uid: fe79a8f8-a989-11e9-9fb1-4201ac100006
spec:
  peers:
  - mtls:
      mode: PERMISSIVE
I can confirm that there are no destination rules besides the istio defaults:
$ k get destinationRules --all-namespaces
NAMESPACE      NAME              HOST                                             AGE
istio-system   istio-policy      istio-policy.istio-system.svc.cluster.local      1h
istio-system   istio-telemetry   istio-telemetry.istio-system.svc.cluster.local   1h
When I have istio turned off, I am able to communicate fine between these services. What steps would I need to take to allow this cross-namespace communication?