Optional mutual TLS for ingressgateway

Hi,
I have been playing with Istio recently, and I followed this for setting up secure ingress with SDS.

What I would like to do is, instead of strict mTLS validation, set it to optional mTLS validation, to allow clients with or without mTLS certs to connect.

I tried to add something like this, but it does not work.

 kubectl apply -f - <<EOF
apiVersion: "rbac.istio.io/v1alpha1"
kind: ClusterRbacConfig
metadata:
  name: default
spec:
  mode: 'ON_WITH_INCLUSION'
  inclusion:
    namespaces: []
  enforcement_mode: PERMISSIVE
EOF

If someone can give some suggestions it would be really great. Thanks in advance.

Hi!
We added mTLS recently but also didn't want to enforce it right away, so here's what we did, and it worked for us:

We define an authentication policy setting the TLS mode to PERMISSIVE:

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: namespace-name
spec:
  peers:
    - mtls:
        mode: PERMISSIVE

And if a particular service/namespace should have mTLS, we add a destination rule:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: namespace-name
spec:
  host: "*.namespace-name.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

We are on Istio 1.1.
You might also want to create DestinationRules for external endpoints that are not supposed to use mTLS.
Here is the doc page that helped: https://istio.io/docs/tasks/security/mtls-migration/

I am using mTLS only for ingress.
I will try this:

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: istio-system
spec:
  peers:
    - mtls:
        mode: PERMISSIVE

for the istio-system namespace.
(Typing from mobile, formatting does not seem to work well.)

It does not seem to work. :sob:
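Added example, not from the thread or from the Istio project: the authentication Policy and DestinationRule above control the Istio-issued sidecar-to-sidecar mutual TLS (peer authentication), and ClusterRbacConfig controls authorization, so neither changes what the ingress gateway asks of external clients. That is governed only by the Gateway's tls settings, which in Istio 1.1 are SIMPLE (no client certificate) or MUTUAL (client certificate required); a later Istio release added an OPTIONAL_MUTUAL mode, but 1.1 has no optional setting. The configuration below works around that with two HTTPS servers on the same ingressgateway and port, selected by SNI: one host that any client can reach, and one that requires a client certificate chaining to the CA in the SDS secret. The hostnames app.example.com and mtls.example.com, the namespace default, the backend service app on port 8080, and the secrets ingress-credential (keys key and cert) and ingress-credential-cacert (key cacert) in istio-system are assumptions for the example.

```yaml
# Added example (not from the thread). Assumes Istio 1.1 with SDS enabled on
# the ingress gateway, and these secrets already created in istio-system:
#   kubectl create secret generic ingress-credential \
#       --from-file=key=server.key --from-file=cert=server.crt
#   kubectl create secret generic ingress-credential-cacert \
#       --from-file=cacert=ca.crt
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: optional-mtls-gateway
  namespace: default          # assumed application namespace
spec:
  selector:
    istio: ingressgateway
  servers:
  # Server 1: server-side TLS only. Clients without a certificate use this host.
  - port:
      number: 443
      name: https-simple
      protocol: HTTPS
    hosts:
    - "app.example.com"       # assumed hostname
    tls:
      mode: SIMPLE
      credentialName: ingress-credential   # SDS secret with 'key' and 'cert'
  # Server 2: same port, different SNI host. The client must present a
  # certificate that chains to the CA in ingress-credential-cacert.
  - port:
      number: 443
      name: https-mutual
      protocol: HTTPS
    hosts:
    - "mtls.example.com"      # assumed hostname
    tls:
      mode: MUTUAL
      credentialName: ingress-credential
---
# Both hosts route to the same backend, so the service itself is unchanged;
# only the client-facing handshake differs between the two hostnames.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: app
  namespace: default
spec:
  hosts:
  - "app.example.com"
  - "mtls.example.com"
  gateways:
  - optional-mtls-gateway
  http:
  - route:
    - destination:
        host: app.default.svc.cluster.local   # assumed backend service
        port:
          number: 8080
```

To check the behaviour after applying it: `curl --cacert ca.crt https://app.example.com/` should succeed with no client certificate; `curl --cacert ca.crt --cert client.crt --key client.key https://mtls.example.com/` should succeed; and the same request to mtls.example.com without `--cert`/`--key` should fail in the TLS handshake rather than return an HTTP response. If the gateway should also identify mTLS clients to the backend, that is a separate concern from the handshake; this example only decides which clients can connect.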