Enable Istio mTLS globally (on `istio-system`)
NOTE: This should be the last issue worked for this epic. Enabling mTLS globally should only happen when we have enabled it on all BB namespaces and worked through any issues/exceptions.
Istio uses PeerAuthentication to enforce mTLS at the mesh level, and the policy becomes global (mesh-wide) when the PeerAuthentication is applied to the `istio-system` namespace.
- Create the PeerAuthentication in the `istio-system` namespace (NOTE: this should be made in the BB repo).

  ```yaml
  apiVersion: security.istio.io/v1beta1
  kind: PeerAuthentication
  metadata:
    name: default
    namespace: istio-system
  spec:
    mtls:
      mode: {{ .Values.mtls.mode }}
  ```

  Set `mtls.mode` to `STRICT` by default in `chart/values.yaml`. Add a comment above the value that it can be set to `PERMISSIVE` or `STRICT`.
- Test the functionality of ALL BB packages.
- When there are issues, add an exception policy (NOTE: exceptions should be made in the package repo where they are required rather than the BB repo). Since all BB packages have been completed prior to this issue there should only be potential issues with `istio-system`; reach out to the team if that is not the case.

  NOTE: Should be conditional on `mtls.mode` = `STRICT`.

  ```yaml
  apiVersion: security.istio.io/v1beta1
  kind: PeerAuthentication
  metadata:
    name: <package>-<exception description>-exception
    namespace: {{ .Release.Namespace }}
  spec:
    selector:
      matchLabels:
        exception: label-here
    mtls:
      mode: {{ .Values.istio.mtls.mode }}
    portLevelMtls:
      "9000": # port number here, in quotes
        mode: PERMISSIVE
  ```
  NOTE: We can apply the exception to an entire pod (regardless of port number) with:

  ```yaml
  apiVersion: security.istio.io/v1beta1
  kind: PeerAuthentication
  metadata:
    name: <package>-<exception description>-exception
    namespace: {{ .Release.Namespace }}
  spec:
    selector:
      matchLabels:
        exception: label-here
    mtls:
      mode: PERMISSIVE
  ```

  This should be a last resort, since port-based exceptions are narrower (only the listed port falls back to PERMISSIVE) and are therefore preferred.
- Iterate on steps 2) and 3) (testing the packages and adding exception policies) until every BB package works.
- Add conditionals to the PeerAuthentication objects so that they are only created when `.Values.mtls` is true inside the chart. (NOTE: May need to think through the best way to handle these conditionals since someone could disable mTLS for one BB package but not all).
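An added example (not Big Bang's or Istio's own code) for the testing and exception steps above: given the global PeerAuthentication and a package's exception policy, already rendered (e.g. with `helm template`) and loaded as dicts, it reports which mTLS mode Istio will apply to a given pod port, following Istio's documented precedence (workload-specific, with port-level settings first, over namespace-wide, over the mesh-wide policy in `istio-system`). The policies embedded in it are constructed samples.

```python
"""Resolve the effective Istio mTLS mode for one workload port.

Added example, not Big Bang code. Precedence: workload-specific (port-level
first) > namespace-wide > mesh-wide in istio-system; an UNSET mode inherits
from the next level, and with no policy at all Istio defaults to PERMISSIVE.
"""

MESH_NS = "istio-system"

# Constructed samples: the global STRICT policy plus one port-level exception.
SAMPLE_POLICIES = [
    {"metadata": {"name": "default", "namespace": MESH_NS},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"metadata": {"name": "pkg-metrics-exception", "namespace": "pkg"},
     "spec": {"selector": {"matchLabels": {"exception": "label-here"}},
              "mtls": {"mode": "STRICT"},
              "portLevelMtls": {"9000": {"mode": "PERMISSIVE"}}}},
]


def _mode(spec: dict) -> str:
    return spec.get("mtls", {}).get("mode", "UNSET")


def _matches(policy: dict, labels: dict) -> bool:
    selector = policy["spec"].get("selector", {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in selector.items())


def effective_mode(policies: list, namespace: str, labels: dict, port: int) -> str:
    """Return STRICT, PERMISSIVE or DISABLE for the given pod labels and port."""
    chain = []  # most specific first; the first non-UNSET mode wins
    for p in policies:
        if p["metadata"]["namespace"] != namespace or "selector" not in p["spec"]:
            continue
        if _matches(p, labels):
            port_cfg = p["spec"].get("portLevelMtls", {}).get(str(port), {})
            chain += [port_cfg.get("mode", "UNSET"), _mode(p["spec"])]
    for ns in (namespace, MESH_NS):  # namespace-wide, then mesh-wide
        chain += [_mode(p["spec"]) for p in policies
                  if p["metadata"]["namespace"] == ns and "selector" not in p["spec"]]
    for mode in chain:
        if mode != "UNSET":
            return mode
    return "PERMISSIVE"  # Istio's default when no policy applies


if __name__ == "__main__":
    pod = {"exception": "label-here"}
    print("pkg port 9000:", effective_mode(SAMPLE_POLICIES, "pkg", pod, 9000))
    print("pkg port 8080:", effective_mode(SAMPLE_POLICIES, "pkg", pod, 8080))
```

Running it against the real rendered output of the BB chart and a package chart shows whether an exception is scoped as intended (only the excepted port goes PERMISSIVE) before the policy is merged.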