When mTLS is enabled, does TLS need to be setup within the App itself

JimJJR5040 · August 2, 2022, 8:38am

So I have enabled mTLS in the root namespace (istio-system), which should enforce a Strict policy of mTLS between all pods via their istio-proxy. Really nice an easy to do.

Here is an example of what my config kind of looks like (mine is in the istio-system namespace): [Istio / Mutual TLS Migration](mTLS PeerAuthentication config example).

Do I need to worry about encrypting communication at the app level?
Say with my Spring Boot application, do I need to generate my own certificates and enable TLS within the app - or is my PeerAuthentication config mentioned above a enough from a security stand point?

Thanks in advance

rafaelmnatali · August 3, 2022, 7:25am

Hi Jim!

As for your applications that are inside the mesh Istio enabled at the namespace level provides you with the encryption at transit and certificates management necessary.

I’d suggest you to review the Security concepts page for more details and other important configurations.

Other point is if you storing persistent data Istio does not encrypt at rest. If that’s the case, you need to look for other alternatives.

Hope this can help!

Topic		Replies	Views
mTLS configuration ignored Security	2	1955	January 28, 2021
Change default namespace (istio-system) for mutual TLS for the entire mesh using PeerAuthentication Config security	3	729	May 28, 2020
Istio mTLS and legacy TLS workloads Networking security	3	1114	March 17, 2022
Istio External Authorization to pod inside cluster and MTLS Security	3	740	February 26, 2021
How enable mTLS STRICT with MongoDB Security	2	1608	May 9, 2022

When mTLS is enabled, does TLS need to be setup within the App itself

Related topics