Usefulness of the tls section in the destination rule


I don’t fully understand why we can set some tls settings in the destination rule.

According to the documentation:

  [...]authentication policies apply to requests that a service receives. To specify client-side authentication rules in mutual TLS, you need to specify the TLSSettings in the DestinationRule. You can find more information in our TLS settings reference docs.

Is it possible to have an example requiring to have TLS settings in the PeerAuthentication and in the destination rule?

I ran the following test: I set a PeerAuthentication with mTLS mode STRICT for a whole namespace. Then I could set any values in the DestinationRule; it wouldn't change anything, since the service requires mTLS on both sides.

Thanks for your help,

Sometimes you want to use an egress gateway and control the TLS settings used for some domain.
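A minimal set of resources covering both the namespace-wide STRICT test from the question and the egress case Tomas mentions, as an added example that is not from this thread; the namespace `team-a`, the service `reviews`, and the external host `api.example.com` (with a ServiceEntry already defined for it) are assumed names.

```yaml
# Added example, not from the thread. Assumed names: namespace team-a,
# in-mesh service reviews, external host api.example.com (ServiceEntry
# for it assumed to exist).
#
# 1. Server side: every workload in team-a only accepts mTLS connections.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: team-a
spec:
  mtls:
    mode: STRICT
---
# 2. Client side, in-mesh: sidecars calling reviews present their Istio
#    workload certificate. With auto mTLS this is what the sidecar already
#    does, which is why the question's test saw no change. The setting is
#    not a no-op in every case, though: mode DISABLE here would make the
#    client send plaintext, which the STRICT server above rejects.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: team-a
spec:
  host: reviews.team-a.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# 3. Client side, external: PeerAuthentication cannot apply to a host
#    outside the mesh, so TLS toward api.example.com is controlled only
#    here. This is the egress case: the proxy (sidecar or egress gateway)
#    originates a TLS connection to the external host on port 443.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: api-example-com
  namespace: team-a
spec:
  host: api.example.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE
        sni: api.example.com
```

`istioctl x describe pod <pod>` on a client in `team-a` shows which of these rules apply to a given destination, which is a quick way to confirm whether a DestinationRule is actually changing the client's behaviour.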

Hello Tomas,

Thanks for your response.

For internal traffic in a Kubernetes cluster, is it a good practice to set TLS settings in the PeerAuthentication and in the DestinationRule or is it just redundant?