PeerAuthentication can't work!

catman002 · March 17, 2020, 9:15am

In istio 1.5.0, I configure the global authentication policy “peerauthentication” or “meshpolicy” according to the document. in “destinationrule” does not configure the MTLs, but the services still work normally. According to the chapter documents, the services should not be accessible!

apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT

Does anyone know why ？

catman002 · March 18, 2020, 1:07am

I had a wrong understanding of peer authentication before.
I grabbed the header upstream of the request, which contains “x-forward-client-cert”, indicating that TLS province is effective

Oliver · March 18, 2020, 4:22am

So I think this issue is resolved, correct?

catman002 · March 18, 2020, 6:21am

Yes, it has been solved. In addition, through several other tests, peer authentication has been proved to work

Oliver · March 18, 2020, 3:58pm

Good to know. Thanks.

bethmage · April 4, 2020, 8:41am

Yes, istio 1.5,1 peer authentication works.
But still do not understand what is the real difference between the global authentication policy v1beta1 peerauthentication or v1alpha1 meshpolicy.

with peerauthentication (default in istio-system namespace)
when I analyze the pods via istioctl x describe for sample:

istioctl x describe pod httpbin-944df658f-b2p9z.foo
…
Pod Ports: 80 (httpbin), 15090 (istio-proxy)
Service: httpbin.foo
Port: http 8000/HTTP targets pod port 80
Pod is DISABLE, clients configured automatically

Why the state is DISABLE ? With the meshpolicy was NOT.

111 · May 21, 2020, 5:49am

what is the istioctl authn tls-check . output? has mtls.auto=true?

bethmage · May 31, 2020, 9:08am

seem like istio 1.6.0 fix above and
istioctl authn tls-check is also removed in istio v1.6.0

111 · June 2, 2020, 12:14am

Yes, the old format is deprecated, the new one in istio 1.6 looks like

$ istioctl x authz check productpage-v1-7f44c4d57c-4gkml.default
Checked 12/29 listeners with node IP 192.168.240.16.
LISTENER[FilterChain] CERTIFICATE mTLS (MODE) AuthZ (RULES)
0.0.0.0_80[0] none no (none) no (none)
0.0.0.0_80[1] none no (none) no (none)
0.0.0.0_3000[0] none no (none) no (none)
0.0.0.0_3000[1] none no (none) no (none)
0.0.0.0_8000[0] none no (none) no (none)
0.0.0.0_8000[1] none no (none) no (none)
0.0.0.0_9080[0] none no (none) no (none)
0.0.0.0_9080[1] none no (none) no (none)
0.0.0.0_9090[0] none no (none) no (none)
0.0.0.0_9090[1] none no (none) no (none)
0.0.0.0_9411[0] none no (none) no (none)
0.0.0.0_9411[1] none no (none) no (none)

Topic		Replies	Views
How to debug service mesh mTLS settings with PeerAuthentication and DestinationRule applied	3	1114	March 17, 2021
Is it possible that an identical PeerAuthentication could result in two different network environments? Security	3	545	July 29, 2020
PeerAuthentication Strict does not appear to be working Security	5	1503	February 4, 2021
Istio DISABLE PeerAuthentication on workloads Networking security	1	1071	April 30, 2021
When mTLS is enabled, does TLS need to be setup within the App itself Security security	1	907	August 3, 2022

PeerAuthentication can't work!

Related Topics