Understanding security in Istio

Hi all, I’m arguing with policies and destinationrules. I’ve two deploy in a istio injection enabled ns:

  • sleep used to make curl to the other service
  • httpbin to serve an mTLS service

If I understand correctly I need to create a destinationrule for make mTLS calls from sleep and a policy to make httpbin accept only mTLS request.

Then with istioctl authn tls-check sleep-5bbf6b4f77-hnc4s httpbin.demo.svc.cluster.local I can check if all is set correctly.

Now these are my yaml:
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
name: enable-mtls
namespace: demo
host: ‘*.demo.svc.cluster.local’

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
name: httpbin
namespace: demo
- mtls: {}
- name: httpbin

Despite this I can’t make this call k exec sleep-5bbf6b4f77-hnc4s -- curl httpbin.demo
Where I’m wrong?

Your understand is correct. What error do you see? Can you also paste the output of tls-check

Can you also confirm:

  • Both sleep and httpbin have sidecar.
  • There is no destination rule specifically for httpbin

Hi @diemtvu,
thanks for reply.

HOST:PORT                                  STATUS     SERVER     CLIENT     AUTHN POLICY          DESTINATION RULE
httpbin.demo.svc.cluster.local:80     OK         mTLS       mTLS       httpbin/demo     disable-mtls/demo

I receive this error
curl: (56) Recv failure: Connection reset by peer

Hi @diemtvu, sorry for asking again but do you have any suggestion?

It was a problem related to istio version, with 1.3.3 it’s ok!