0
votes

If I enable Istio on some of my apps (but not all of them) using manual sidecar injection, can I route traffic between non-Istio-based apps and Istio-based apps? If yes, is it still true if I enable Citadel? I'm wondering because I'd like to slowly enable the sidecar injection on my apps and migrate over. Do both Istio-based apps and non-Istio-based apps still talk to each other (within the cluster) via the normal Kubernetes Service objects? Is there anything else I need to do in order to allow Istio and regular services to talk to each other?

I'm new to Istio, so any context is helpful.

1
The answer to your questions will strongly depend on the TLS mode (authentication policy) currently set in your Istio/sidecar-enabled Pods: is it STRICT or PERMISSIVE? Have you seen this mtls migration task? istio.io/docs/tasks/security/authentication/mtls-migration – Nepomucen

Thank you @Nepomucen for pointing me towards that reference. So it looks like, to allow non-sidecar services to talk to sidecar services, I need to create a destination rule with the tls trafficPolicy set to ISTIO_MUTUAL. And I need to create one such destination rule for each Kubernetes service that I want to enable mutual TLS on. – Joe J

You should set PERMISSIVE policy as @Nepomucen mentioned, and set a destination rule for each non-Istio service with tls mode "NONE". – Vadim Eisenberg

1 Answer

1
votes

To highlight the proper solution to achieve your goal, as @Vadim Eisenberg mentioned:

You should set PERMISSIVE policy and set a destination rule for each non-istio service with tls mode "NONE".
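As an added illustration of the setup the answer describes (this is not the answerer's own configuration), the two Istio resources below put a namespace into PERMISSIVE mode so that sidecar-enabled Pods accept both mTLS and plaintext, and tell sidecars to send plaintext to a service that has not been given a sidecar yet. The namespace `default` and the service name `legacy-app` are assumptions; the DestinationRule API spells the plaintext mode `DISABLE`, and the resource versions shown are those of Istio 1.5 and later.

```yaml
# Added example, not from the original answer. Namespace and service names are assumed.
---
# PERMISSIVE: workloads with a sidecar accept both mTLS and plaintext, so Pods
# without a sidecar can still reach them through the ordinary Kubernetes Service.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default          # assumed: the namespace being migrated
spec:
  mtls:
    mode: PERMISSIVE
---
# One DestinationRule per service that does NOT have a sidecar yet: sidecars
# that call it must send plaintext, because there is no sidecar on the other
# side to terminate mTLS. Delete this rule once legacy-app gets its sidecar.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: legacy-app-plaintext
  namespace: default
spec:
  host: legacy-app.default.svc.cluster.local   # assumed: a non-Istio service
  trafficPolicy:
    tls:
      mode: DISABLE
```

Apply both with `kubectl apply -f`, then inject sidecars one Deployment at a time; PERMISSIVE keeps calls from not-yet-migrated Pods working throughout. Only change the PeerAuthentication to STRICT after every caller of the namespace has a sidecar, since STRICT rejects the plaintext connections that sidecar-less Pods send.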