Understanding security in Istio

Hi all, I'm struggling with policies and DestinationRules. I have two deployments in an Istio-injection-enabled namespace:

  • sleep, used to curl the other service
  • httpbin, serving the mTLS service

If I understand correctly, I need to create a DestinationRule to make mTLS calls from sleep and a Policy to make httpbin accept only mTLS requests.

Then with istioctl authn tls-check sleep-5bbf6b4f77-hnc4s httpbin.demo.svc.cluster.local I can check whether everything is set correctly.

Now these are my YAML:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: enable-mtls
  namespace: demo
spec:
  host: '*.demo.svc.cluster.local'
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: httpbin
  namespace: demo
spec:
  peers:
  - mtls: {}
  targets:
  - name: httpbin

Despite this, I can't make this call: k exec sleep-5bbf6b4f77-hnc4s -- curl httpbin.demo
Where am I wrong?

Your understanding is correct. What error do you see? Can you also paste the output of tls-check?

Can you also confirm:

  • Both sleep and httpbin have sidecars.
  • There is no destination rule specifically for httpbin.
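The two questions above (does the wildcard DestinationRule really drive the client side, and is there a host-specific rule for httpbin overriding it) can be reasoned through with a small model of what tls-check reports. This is an added example, not code from the thread or from Istio: it represents the two resources from the first post as plain dicts, adds a hypothetical host-specific DISABLE rule (name taken from the tls-check output later in the thread), and assumes that an exact host match takes precedence over a wildcard match.

```python
from fnmatch import fnmatch

# Constructed dicts mirroring the thread's YAML (no PyYAML needed).
DR_WILDCARD = {"name": "enable-mtls", "namespace": "demo",
               "host": "*.demo.svc.cluster.local", "tls_mode": "ISTIO_MUTUAL"}
POLICY_HTTPBIN = {"name": "httpbin", "namespace": "demo",
                  "targets": ["httpbin"], "peers": [{"mtls": {}}]}
# Hypothetical host-specific rule of the kind asked about above.
DR_DISABLE = {"name": "disable-mtls", "namespace": "demo",
              "host": "httpbin.demo.svc.cluster.local", "tls_mode": "DISABLE"}


def server_side(service, namespace, policies):
    """Mode the target sidecar enforces: mTLS, PERMISSIVE or HTTP, plus the policy name."""
    for p in policies:
        if p["namespace"] != namespace:
            continue
        if p.get("targets") and service not in p["targets"]:
            continue  # policy targets a different workload
        for peer in p.get("peers", []):
            if "mtls" in peer:
                mode = "PERMISSIVE" if peer["mtls"].get("mode") == "PERMISSIVE" else "mTLS"
                return mode, f"{p['name']}/{p['namespace']}"
        return "HTTP", f"{p['name']}/{p['namespace']}"
    return "HTTP", "-"  # no policy: plaintext accepted


def client_side(host, rules):
    """Mode the calling sidecar uses. Assumption: exact host match beats a wildcard."""
    exact = [r for r in rules if r["host"] == host]
    wild = [r for r in rules if "*" in r["host"] and fnmatch(host, r["host"])]
    for r in exact + wild:
        mode = "mTLS" if r["tls_mode"] == "ISTIO_MUTUAL" else "HTTP"
        return mode, f"{r['name']}/{r['namespace']}"
    return "HTTP", "-"  # no rule: plaintext sent


def tls_check(service, namespace, policies, rules):
    """Simplified equivalent of one row of `istioctl authn tls-check`."""
    host = f"{service}.{namespace}.svc.cluster.local"
    server, policy = server_side(service, namespace, policies)
    client, rule = client_side(host, rules)
    ok = server == "PERMISSIVE" or server == client
    return {"host": host, "status": "OK" if ok else "CONFLICT",
            "server": server, "client": client, "policy": policy, "rule": rule}


if __name__ == "__main__":
    print(tls_check("httpbin", "demo", [POLICY_HTTPBIN], [DR_WILDCARD]))
    print(tls_check("httpbin", "demo", [POLICY_HTTPBIN], [DR_WILDCARD, DR_DISABLE]))
```

With only the wildcard rule the row is OK/mTLS/mTLS; adding the host-specific DISABLE rule flips the client side to plaintext and the row to CONFLICT, which is why a per-host rule is the first thing to rule out.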

Hi @diemtvu,
thanks for the reply.

HOST:PORT                                  STATUS     SERVER     CLIENT     AUTHN POLICY          DESTINATION RULE
httpbin.demo.svc.cluster.local:80     OK         mTLS       mTLS       httpbin/demo     disable-mtls/demo

I receive this error:
curl: (56) Recv failure: Connection reset by peer

Hi @diemtvu, sorry for asking again but do you have any suggestion?

It was a problem related to the Istio version; with 1.3.3 it's OK!