Istio-mTLS and POD IP, Port

Have seen that a lot of teams are having issues reaching pod IPs and ports when applying mTLS STRICT. In fact we had some difficulty trying to achieve that using service entries and rules, as maintenance is tough.

We worked around the problem using the following approach.

Basically, we created the pod and port combination as a service entry. We make that service headless. In that way we can avoid managing the endpoints manually using a Service Entry. Also, all the endpoint/port pairs are treated as a service and mTLS will function between two pods via the pod IP/port combination.

We would like to know if our understanding is right, and also hopefully it helps others who are trying to achieve the same.


Do you access the service via the headless service name/IP or directly via the pod IP?

I tried the same thing but had to access the headless service; direct pod IP access didn't work.

I use the pod IP and port, but the target port number should match the port on the container. And the port name should have the right naming: tcp-, http-.


Hello Istio community, I am waiting for some feedback from the Istio community on our approach. Do we see any issues with our approach?

Best regards
Naveen A

This thread might help?

Actually Deepak, who has liked my comment here, initiated that thread. Looks like he found the answer he was looking for in this post. Actually, if we create a headless service it looks like there is no need to create a service entry and everything works out of the box. But the fact that I don't see that as a general recommendation by Istio for pod-to-pod communication, and in particular for Prometheus to scrape endpoints directly, is what I am trying to figure out. It's more like the headless service solves my problem, but am I missing something?
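As an added illustration of the setup the thread converges on (headless Service only, no ServiceEntry, STRICT mTLS), here is a manifest that is not from the thread or from the Istio project. It ties together the two details posted above: the Service is headless (`clusterIP: None`) so its endpoints are the pod IPs themselves, each `targetPort` equals the `containerPort` that will be dialled by pod IP, and every port name carries the protocol prefix (`http-`, `tcp-`). The names `worker`, `workers-headless`, the namespace `demo` and the port numbers 9090 and 7000 are assumptions chosen for the example.

```yaml
# Added example, not part of the thread. Names, namespace and ports are assumed.
# 1) Workload whose pods are reached directly by pod IP:port under STRICT mTLS.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: worker
  namespace: demo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: worker
  template:
    metadata:
      labels:
        app: worker
    spec:
      containers:
        - name: worker
          image: example.invalid/worker:1.0   # placeholder image
          ports:
            - containerPort: 9090            # metrics endpoint scraped by pod IP
            - containerPort: 7000            # internal RPC port
---
# 2) Headless Service: no virtual IP, so the registered endpoints are the pod IPs.
#    Istio treats pod-IP:port traffic matching these ports as service traffic.
apiVersion: v1
kind: Service
metadata:
  name: workers-headless
  namespace: demo
spec:
  clusterIP: None
  selector:
    app: worker
  ports:
    - name: http-metrics      # protocol prefix required by Istio's port naming
      port: 9090
      targetPort: 9090        # must equal the containerPort reached by pod IP
    - name: tcp-rpc
      port: 7000
      targetPort: 7000
---
# 3) Namespace-wide STRICT mTLS: plaintext to the sidecar is rejected.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: demo
spec:
  mtls:
    mode: STRICT
```

To check that the pod IPs are actually registered as endpoints of the headless Service (the property the approach depends on), run `kubectl -n demo get endpoints workers-headless` and confirm that each pod IP appears with both ports. If a containerPort is left out of the Service, or a port is named without a protocol prefix, traffic to that pod IP:port is not matched to the Service and falls back to passthrough handling, which is the symptom of STRICT mTLS "breaking" pod IP access.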