"unknown" status on connection security policy with prometheus


#1

Hello,

I’m using Istio 1.0.5, with mTLS enabled. There are no conflicts; I verified this using the ‘istioctl authn tls-check’. Policy and DestinationRule are applied and the app is working.

Having a look at Prometheus logs I found that connection_security_policy="unknown" using the command
istio_requests_total{destination_service_namespace="myNs", destination_workload_namespace="myNs"}

What is the meaning of this "unknown" status, please?
And what can I do to resolve this issue? Normally I should have mtls instead of unknown.

Cheers.


#2

Client-side, the information on the security of the connection is not available. If you look solely at server-side telemetry (reporter="destination"), you should see mtls reflected.

@kuat has been working on improving the situation. See: https://docs.google.com/document/d/1IdUL7qObUTGR2dNZuIE21AJyBOAiv_MIHbFoHfohGE8/edit#heading=h.3ee9gtngy5zf. We are discussing that in today’s P&T WG.
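
The check described in reply #2, as an added example that is not part of the thread and not Istio project code: it judges mTLS coverage only from series with reporter="destination" and sets source-reported series aside instead of flagging their "unknown" value. The sample lines and the workload names `api` and `legacy` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Prometheus text exposition format (not real cluster output).
SAMPLE = '''\
istio_requests_total{reporter="source",destination_workload_namespace="myNs",destination_workload="api",connection_security_policy="unknown"} 120
istio_requests_total{reporter="destination",destination_workload_namespace="myNs",destination_workload="api",connection_security_policy="mutual_tls"} 118
istio_requests_total{reporter="destination",destination_workload_namespace="myNs",destination_workload="legacy",connection_security_policy="none"} 7
istio_requests_total{reporter="source",destination_workload_namespace="myNs",destination_workload="legacy",connection_security_policy="unknown"} 7
'''

SERIES = re.compile(r'^istio_requests_total\{(?P<labels>.*)\}\s+(?P<value>\S+)$')
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse(text):
    """Yield (labels dict, float value) for each istio_requests_total sample."""
    for line in text.splitlines():
        m = SERIES.match(line.strip())
        if m:
            yield dict(LABEL.findall(m.group("labels"))), float(m.group("value"))

def mtls_report(text, namespace):
    """Sum destination-reported requests per workload and policy.

    Source-reported series are totalled separately and never treated as
    findings, because the client side cannot know the connection policy.
    """
    by_workload = defaultdict(lambda: defaultdict(float))
    skipped_source = 0.0
    for labels, value in parse(text):
        if labels.get("destination_workload_namespace") != namespace:
            continue
        if labels.get("reporter") != "destination":
            skipped_source += value
            continue
        policy = labels.get("connection_security_policy", "unknown")
        by_workload[labels.get("destination_workload", "?")][policy] += value
    # A workload is a finding if any destination-reported traffic is not mutual_tls.
    findings = {w: dict(p) for w, p in by_workload.items()
                if any(k != "mutual_tls" and v > 0 for k, v in p.items())}
    return findings, skipped_source

if __name__ == "__main__":
    findings, skipped = mtls_report(SAMPLE, "myNs")
    print("non-mTLS at destination:", findings)
    print("source-reported requests ignored:", skipped)
```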


#3

I don’t think it’s a matter of server or client side metrics, because I have other server-to-server communications, in other namespaces, with mTLS enabled and have the value connection_security_policy="mutual_tls".