Policy and destination rule set to mtls & ISTIO_MUTUAL but communicating over http

#1

Hi All, I’m trying to enforce mtls for my application, using the sample apps provided by istio and on the web I can achieve this across the mesh using a combination of destination rules and policies where the client destination rules enforce ISTIO_MUTUAL and the policies server side enforce mtls. As so:

apiVersion: “networking.istio.io/v1alpha3
kind: “DestinationRule”
metadata:
name: “default”
spec:
host: “*.default.svc.cluster.local”
trafficPolicy:
tls:
mode: ISTIO_MUTUAL

apiVersion: “authentication.istio.io/v1alpha1
kind: “Policy”
metadata:
name: “default”
spec:
peers:

  • mtls: {}

Yet when I do this with my own application the apps ignore this and proceed to use http. I can verify this by using Kiali and by capturing traffic on the server side interface, where it is visible in plain text.

The istioctl authn tls-check also shows both client and server operating over just mtls, so I’m at a loss for why this isn’t functioning. Is there a concept I’m missing?

#2

Hello,

The istio-proxy sidecar is what encrypts and decrypts the traffic. Do your application pods have a istio sidecar?

Also, when you say server side interface are you referring to eth0 or the veth pair where your application server runs?

#4

Hi

Yeah my pods have sidecars, when I exec into the sidecar and run a tcpdump on the local interface for my application port I receive no traffic. As so:

sudo tcpdump -i lo -vvvv ‘((dst port 8080))’

This returns no traffic which suggests to me that the istio proxy is not sending incoming traffic to my application listening on 0.0.0.0:8080

I also see no log entries in the istio proxy log (trace) for calls coming to this application.

This suggests to me that the proxy in actual fact is perhaps being bypassed. But what I cannot understand is when I add a policy of global mtls why my application would stop working if the proxy is being bypassed?

The error I get is:

status 503 reading SpiderService content:
upstream connect error or disconnect/reset before headers. reset reason: connection failure

and in the clients istio-proxy log:

2019-05-15 14:27:34.962][23][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:175] [C557] TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
[2019-05-15 14:27:34.962][23][debug][connection] [external/envoy/source/common/network/connection_impl.cc:183] [C557] closing socket: 0

I’m probably missing a concept here!

#5

Hi,

From this page: https://istio.io/docs/setup/kubernetes/prepare/requirements/

Please validate the following bullet points:

  • Named service ports
  • Pod ports

If it’s still not working please send me the istio-proxy yaml that you can get by doing a kubectl describe on the pod.

#6

This worked! Thank you

1 Like