I recently ran into an issue on a cluster that has mTLS strict mode enabled. The Lens application by default makes requests through the proxy endpoint in order to discover and gather metrics for rendering. Here is an example request that it makes when you run Lens in debug mode:
This request ultimately returns a 503 with the error seen below.
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "error trying to reach service: EOF",
  "reason": "ServiceUnavailable",
  "code": 503
}
I can get around this by adding a PeerAuthentication resource that disables mTLS STRICT for this; however, it seems like this is a highly permissive action that may not be desirable.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: monitoring-lens-exception
  namespace: monitoring
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    '9090':
      mode: PERMISSIVE
  selector:
    matchLabels:
      app: prometheus
Is there a better or an alternative way to do this?
Lens allows for specifying a different service, protocol and port combination as well.
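Whichever way the exception ends up being scoped, it is worth being able to see every place a cluster relaxes mTLS. The following is an added example, not code from the question, from Lens or from Istio: a small audit that walks the JSON `kubectl get peerauthentication -A -o json` prints and reports every PeerAuthentication that sets PERMISSIVE or DISABLE, either for the whole policy or for a single port, together with the selector it is scoped to. The embedded input is constructed for the example; its first item mirrors the port-level exception from the question, and its second is a mesh-wide STRICT policy in istio-system that should produce no finding.

```python
from __future__ import annotations
import json

# Constructed sample in the shape `kubectl get peerauthentication -A -o json` returns.
SAMPLE_KUBECTL_JSON = """
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "apiVersion": "security.istio.io/v1beta1",
      "kind": "PeerAuthentication",
      "metadata": {"name": "monitoring-lens-exception", "namespace": "monitoring"},
      "spec": {
        "mtls": {"mode": "STRICT"},
        "portLevelMtls": {"9090": {"mode": "PERMISSIVE"}},
        "selector": {"matchLabels": {"app": "prometheus"}}
      }
    },
    {
      "apiVersion": "security.istio.io/v1beta1",
      "kind": "PeerAuthentication",
      "metadata": {"name": "default", "namespace": "istio-system"},
      "spec": {"mtls": {"mode": "STRICT"}}
    }
  ]
}
"""

# Modes that accept (PERMISSIVE) or require (DISABLE) plaintext from clients.
WEAK_MODES = {"PERMISSIVE", "DISABLE"}


def audit_peer_authentication(policy: dict) -> list[dict]:
    """Return one finding per place where `policy` relaxes mTLS below STRICT."""
    findings = []
    meta = policy.get("metadata", {})
    spec = policy.get("spec", {})
    where = f"{meta.get('namespace', '<cluster>')}/{meta.get('name', '?')}"

    # A policy with a selector applies only to matching workloads; without one it
    # applies to the whole namespace, or to the whole mesh when it lives in the
    # root namespace (istio-system by default).
    selector = spec.get("selector", {}).get("matchLabels", {})
    if selector:
        scope = f"workloads matching {selector}"
    elif meta.get("namespace") == "istio-system":
        scope = "whole mesh"
    else:
        scope = "whole namespace"

    # Policy-wide mode (UNSET means "inherit from the parent policy").
    top_mode = spec.get("mtls", {}).get("mode", "UNSET")
    if top_mode in WEAK_MODES:
        findings.append({"policy": where, "port": None, "mode": top_mode, "scope": scope})

    # Per-port overrides, as used by the exception in the question.
    for port, cfg in spec.get("portLevelMtls", {}).items():
        mode = cfg.get("mode", "UNSET")
        if mode in WEAK_MODES:
            findings.append({"policy": where, "port": int(port), "mode": mode, "scope": scope})
    return findings


def audit_list(kubectl_json: str) -> list[dict]:
    """Audit every PeerAuthentication in a kubectl JSON List document."""
    items = json.loads(kubectl_json).get("items", [])
    return [
        finding
        for policy in items
        if policy.get("kind") == "PeerAuthentication"
        for finding in audit_peer_authentication(policy)
    ]


if __name__ == "__main__":
    for f in audit_list(SAMPLE_KUBECTL_JSON):
        port = "all ports" if f["port"] is None else f"port {f['port']}"
        print(f"{f['policy']}: {f['mode']} on {port} for {f['scope']}")
```

Run against a live cluster by piping `kubectl get peerauthentication -A -o json` into `audit_list`; the output for the sample is a single line for monitoring/monitoring-lens-exception showing PERMISSIVE on port 9090 scoped to workloads with `app: prometheus`, which makes it easy to confirm that an exception like the one above stays limited to the one port and the one workload it was written for.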