Usefulness of the tls section in the destination rule

Hugo · March 26, 2020, 6:09pm

Hello,

I don’t fully understand why we can set some tls settings in the destination rule.

  [...]authentication policies apply to requests that a service receives. To specify client-side authentication rules in mutual TLS, you need to specify the TLSSettings in the DestinationRule. You can find more information in our TLS settings reference docs.

Is it possible to have an example requiring to have TLS settings in the PeerAuthentication and in the destination rule?

I ran the following test: I set an PeerAuthentication with mtls to strict for a whole namespace. Then, I could set any values in destination rule for the DestinationRule, it won’t change anything since the service requires to have mtls on both side.

Thanks for your help,
Hugo

Tomas_Kohout · March 26, 2020, 6:22pm

Sometimes you want to use egress gateway and control TLS setting used for some domain.

Hugo · March 26, 2020, 6:27pm

Hello Tomas,

Thanks for your response.

For internal traffic in a Kubernetes cluster, is it a good practice to set TLS settings in the PeerAuthentication and in the DestinationRule or is it just redundant?

Thanks,
Hugo

Topic		Replies	Views
Strict mtls default with opt out for specific services Security security	1	395	April 17, 2021
Do I need multiple gateways or just handle multiple ports?	2	1200	April 19, 2022
Destination rule cause SSL error in dotnet app Networking	0	297	April 13, 2023
mTLS policy not working as expected	1	422	March 2, 2020
Originate TLS for arbitrary domains Security	4	671	May 20, 2022

Usefulness of the tls section in the destination rule

Related Topics