mTLS PeerAuthentication: allowing specific sources/clients using AuthorizationPolicy?

Hi there,

Just rather new to Istio so bear with me as I’m trying to understand from a conceptual point of view. I’ve set up the PeerAuthentication successful in a couple of namespaces and this works all as expected. I can also work with RequestAuthorization without any problems.

Allowing clients from a certain principle on the mTLS/Peer is done from the AuthorizationPolicy as well specifying the mTLS principle right? So having a strict policy on PeerAuthentication guarantees the identity which in turn enables the specification and the authenticity of the principle?

I want to make sure I can control who’s able to access who as a first line of control using mTLS. More fine grained control can be done using RequestAuthorization using JWT and AuthorizationPolicy on requestPrincipals.

Is this a sane strategy? Or am I approaching this backwards?


Yes your approach sounds good, typically mTLS is used for app to app communication. So you use mTLS to help determine where traffic can come from and RequestAuthorization helps determine the “who” can talk to your application.

1 Like

Thanks for getting back. Did a small demo on some sandbox cluster. This will have a huge impact on how we will think about deployments from a dev perspective.

1 Like