Secure Traffic in namespace istio-system

I have a requirement that every network traffic has to be encrypted.
Istio works great for that and now I have almost every application network traffic encrypted.

When I check with istioctl authn tls-check I can see that it look mainly like that for all the applications:

elastic-elasticsearch-client.elastic.svc.cluster.local:9200                             OK           mTLS          mTLS       default/elastic                 default/elastic
elastic-elasticsearch-discovery.elastic.svc.cluster.local:9300                          OK           mTLS          mTLS       default/elastic                 default/elastic
elastic-kibana.elastic.svc.cluster.local:443                                            OK           mTLS          mTLS       default/elastic                 default/elastic

but for istio itself http is still available (see below).

is it possible to encrypt the istio-networktraffic too?

istio-citadel.istio-system.svc.cluster.local:8060                                       OK           HTTP/mTLS     HTTP       default/                        -
istio-citadel.istio-system.svc.cluster.local:15014                                      OK           HTTP/mTLS     HTTP       default/                        -
istio-galley.istio-system.svc.cluster.local:443                                         OK           HTTP/mTLS     HTTP       default/                        -
istio-galley.istio-system.svc.cluster.local:9901                                        OK           HTTP/mTLS     HTTP       default/                        -
istio-galley.istio-system.svc.cluster.local:15014                                       OK           HTTP/mTLS     HTTP       default/                        -

yes, traffic for istio control plane in istio-system namespade can aslo be encrypted.

@Tao_Li do we have a user guide for that?

This the helm installation values.yaml File looks promising: controlPlaneSecurityEnabled but I couldn’t find much documentation.

I’ll give it a go.

global:
  # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
  # propagated, not recommended for tests.
  controlPlaneSecurityEnabled: true

That’s correct. The controlPlaneSecurityEnabled=true in helm is the correct way to enable control plane mTLS. We should probably make that explicit on istio.io. Let us know if you still have questions.

1 Like