Usefulness of the tls section in the destination rule

Hugo · March 26, 2020, 6:09pm

Hello,

I don’t fully understand why we can set some tls settings in the destination rule.

  [...]authentication policies apply to requests that a service receives. To specify client-side authentication rules in mutual TLS, you need to specify the TLSSettings in the DestinationRule. You can find more information in our TLS settings reference docs.

Is it possible to have an example requiring to have TLS settings in the PeerAuthentication and in the destination rule?

I ran the following test: I set an PeerAuthentication with mtls to strict for a whole namespace. Then, I could set any values in destination rule for the DestinationRule, it won’t change anything since the service requires to have mtls on both side.

Thanks for your help,
Hugo

Tomas_Kohout · March 26, 2020, 6:22pm

Sometimes you want to use egress gateway and control TLS setting used for some domain.

Hugo · March 26, 2020, 6:27pm

Hello Tomas,

Thanks for your response.

For internal traffic in a Kubernetes cluster, is it a good practice to set TLS settings in the PeerAuthentication and in the DestinationRule or is it just redundant?

Thanks,
Hugo

Topic		Replies	Views
DestinationRule vs PeerAuthentication clarification Security	3	2847	October 2, 2020
Enable STRICT MTLS for external clients Security	4	1244	February 8, 2022
DestinationRule with subsets for selecting TLS mode? Security	2	663	June 11, 2019
How to configure certs for DestinationRule using MUTUAL tls mode Config security	1	3576	May 18, 2021
Virtual Service and mutual tls Networking	9	1360	October 27, 2019

Usefulness of the tls section in the destination rule

Related topics