Enable Istio mTLS for Authservice
By default, Istio is deployed in PERMISSIVE mode, which allows an Istio-injected pod to talk to any non-Istio pod without mutual TLS. Istio uses the PeerAuthentication resource to enforce mTLS at the mesh level. It can be applied at the namespace level, where it applies to all pods in that namespace, or globally, when the PeerAuthentication is applied in the istio-system namespace.
1. Create the PeerAuthentication in the `{{ .Release.Namespace }}` namespace (NOTE: this should be added to the package repo).

   ```yaml
   apiVersion: security.istio.io/v1beta1
   kind: PeerAuthentication
   metadata:
     name: default-{package}
     namespace: {{ .Release.Namespace }}
   spec:
     mtls:
       mode: STRICT
   ```
2. Test the functionality of the package.
3. When there are issues, add an exception policy. The selector limits the PERMISSIVE fallback to pods carrying the matching label, so the rest of the namespace stays STRICT.

   ```yaml
   apiVersion: security.istio.io/v1beta1
   kind: PeerAuthentication
   metadata:
     name: name-of-exception
     namespace: {{ .Release.Namespace }}
   spec:
     selector:
       matchLabels:
         exception: label-here
     mtls:
       mode: PERMISSIVE
   ```
4. Iterate on steps 2 and 3.
5. Add conditionals to the PeerAuthentication objects so that they are only created when `.Values.istio.mtls` and `.Values.istio.enabled` are true inside each package chart. Set `istio.mtls` to `true` by default in `chart/values.yaml`.
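A complete Helm template for step 5, added here as an example (it is not a file from the Authservice package itself): both the namespace-wide STRICT policy and the labelled exception are wrapped in the conditional from step 5, with the matching values.yaml defaults shown as comments. The template path, the `authservice` package name, the `istio-mtls-exception: "true"` label and the `istio.enabled: false` default are assumptions.

```yaml
# chart/templates/istio/peerauthentication.yaml (assumed path; added example)
#
# Assumed defaults in chart/values.yaml that the conditional below reads:
#   istio:
#     enabled: false   # mesh integration off unless the deployer opts in
#     mtls: true       # once Istio is on, enforce STRICT by default
{{- if and .Values.istio.enabled .Values.istio.mtls }}
# Namespace-wide default: every sidecar in the release namespace accepts
# only mTLS traffic.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default-authservice
  namespace: {{ .Release.Namespace }}
spec:
  mtls:
    mode: STRICT
---
# Narrow exception: only pods carrying the assumed label fall back to
# PERMISSIVE, so plaintext is tolerated for them alone, not the namespace.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: authservice-mtls-exception
  namespace: {{ .Release.Namespace }}
spec:
  selector:
    matchLabels:
      istio-mtls-exception: "true"
  mtls:
    mode: PERMISSIVE
{{- end }}
```

Istio gives a workload-specific policy (one with a selector) precedence over the namespace-wide one, so keep the exception label on as few pods as possible and remove it once the underlying issue is fixed.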
Edited by Micah Nagel