Hi,
I was trying to verify mTLS enabled/enforced in a namespace. I installed Istio with values.global.proxy.privileged=true.
I used the httpbin and sleep sample apps and deployed them across the “foo”, “bar” and “legacy” namespaces. Istio sidecar proxies are not injected in the legacy namespace.
I then enforced mTLS in “foo” namespace using the following
kubectl apply -n foo -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
spec:
  mtls:
    mode: STRICT
EOF
Everything works fine. Traffic from sleep.foo and sleep.bar to httpbin.foo is allowed. Traffic from sleep.legacy to httpbin.foo is denied.
I decided to sniff the traffic going to httpbin.bar using the following:
kubectl exec -nbar "$(kubectl get pod -nbar -lapp=httpbin -ojsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port 80 -A
Note that mTLS STRICT is NOT set in the “bar” namespace. I generated traffic from sleep.foo and sleep.legacy to httpbin.bar. There are no errors and I can see the web page contents fine in both cases.
However noticed the following:
- tcpdump will show/log traffic from either sleep.foo or sleep.bar to httpbin.bar. However, it is not consistent and does not always show it. Most of the time it does, though.
- Traffic from sleep.legacy to httpbin.bar is not captured/shown. Of the many times I attempted this, it managed to capture it only once, and it appeared to be encrypted (definitely not plain text).
I am testing this with minikube. Is this expected? I am particularly curious about traffic from sleep.legacy to httpbin.bar not getting sniffed.
What gives? Thanks
K
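The question above comes down to telling, from a few captured bytes, whether what tcpdump printed is a TLS record (the sidecar's mTLS) or a plaintext HTTP request. The following Python script is an added example, not part of the original post and not Istio tooling: it takes an Ethernet II/IPv4/TCP frame (the byte layout `tcpdump -xx` prints), strips the headers, and classifies the TCP payload by its TLS record header or its HTTP request line. All sample frames and payloads are constructed inline, so it runs offline; the MAC/IP addresses, ports and the `httpbin.bar:8000` host header in the samples are assumptions for the example.

```python
"""Tell TLS (mTLS) traffic from plaintext HTTP in the first bytes of a TCP payload.

Added example for checking a sidecar capture: parses a constructed
Ethernet/IPv4/TCP frame, extracts the TCP payload and classifies it by
the TLS record header or the HTTP request line. Nothing here talks to a
cluster; the sample frames below are built by hand.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")
# TLS record content types and the legacy version field (RFC 8446, section 5.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done", 16: "client_key_exchange",
                   20: "finished"}


@dataclass
class Verdict:
    kind: str    # "tls", "http" or "unknown"
    detail: str


def classify_payload(payload: bytes) -> Verdict:
    """Classify the first bytes of a TCP segment's payload."""
    # A TLS record starts with: content type (1 byte), version (2), length (2).
    if len(payload) >= 5:
        ctype = payload[0]
        version = int.from_bytes(payload[1:3], "big")
        rec_len = int.from_bytes(payload[3:5], "big")
        if ctype in TLS_CONTENT_TYPES and version in TLS_VERSIONS:
            detail = (f"{TLS_CONTENT_TYPES[ctype]} record, header version "
                      f"{TLS_VERSIONS[version]}, length {rec_len}")
            if ctype == 22 and len(payload) >= 6:   # handshake message type byte
                detail += ", " + HANDSHAKE_TYPES.get(payload[5], f"handshake type {payload[5]}")
            return Verdict("tls", detail)
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        first_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return Verdict("http", f"plaintext: {first_line}")
    return Verdict("unknown", f"first bytes {payload[:8].hex()}")


def tcp_payload_from_frame(frame: bytes) -> Optional[bytes]:
    """Strip Ethernet II, IPv4 and TCP headers; None if the frame is not IPv4/TCP."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:    # IPv4 and protocol TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = int.from_bytes(ip[2:4], "big")
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    data_offset = (tcp[12] >> 4) * 4
    return tcp[data_offset:]


def build_ipv4_tcp_frame(payload: bytes, dst_port: int = 80) -> bytes:
    """Constructed sample frame: Ethernet II + minimal IPv4 + minimal TCP.
    Addresses are made up and checksums are left zero; only parsing matters."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = (bytes([0x45, 0x00]) + total_len.to_bytes(2, "big")
          + b"\x00\x00\x40\x00" + bytes([64, 6]) + b"\x00\x00"
          + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))
    tcp = ((40000).to_bytes(2, "big") + dst_port.to_bytes(2, "big")
           + b"\x00" * 8 + bytes([0x50, 0x18]) + b"\xff\xff" + b"\x00" * 4)
    return eth + ip + tcp + payload


def summarize(frames: List[bytes]) -> Dict[str, int]:
    """Count verdicts over a list of frames, e.g. one capture session."""
    counts: Dict[str, int] = {}
    for frame in frames:
        payload = tcp_payload_from_frame(frame)
        if payload is None:
            kind = "non-tcp"
        elif not payload:
            kind = "empty"          # pure ACK, no data to classify
        else:
            kind = classify_payload(payload).kind
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample payloads: the start of a ClientHello record (record
# header, handshake header, legacy version, zero-padded to the stated
# length) and a plaintext request like the one curl in a sleep pod sends.
TLS_CLIENT_HELLO = bytes.fromhex("16030100c4010000c00303") + bytes(190)
HTTP_REQUEST = (b"GET /headers HTTP/1.1\r\nHost: httpbin.bar:8000\r\n"
                b"User-Agent: curl/7.88.1\r\nAccept: */*\r\n\r\n")
SAMPLE_FRAMES = [build_ipv4_tcp_frame(TLS_CLIENT_HELLO),
                 build_ipv4_tcp_frame(HTTP_REQUEST),
                 build_ipv4_tcp_frame(b"")]   # bare ACK, no payload


if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        payload = tcp_payload_from_frame(frame)
        print(classify_payload(payload) if payload else "no TCP payload")
    print(summarize(SAMPLE_FRAMES))
```

The rule of thumb the classifier encodes is the one worth remembering when reading a `-A` dump by eye: a TLS connection opens with a record whose first bytes are `16 03 0x` (handshake, followed by the ClientHello type byte `01`), and later records start with `17 03 03` (application data), whereas a plaintext HTTP request opens with the ASCII method such as `GET `. Seeing the latter on the destination port is proof that mTLS was not used for that connection, whatever the PeerAuthentication mode says.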