0
votes

I have Istio 1.4.0 running on Kubernetes 1.15.9. I'm trying to achieve the below, but the more I read the Istio documentation the more confused I get. Let me put it in a simple way.

First thing is, I want to have mTLS for maximum services (if possible).

I have one elasticsearch-master pod with a service exposed on 9300. I have one elasticsearch-data pod with a service exposed on 9200 and 9300. When I have Istio's default automatic mTLS enabled, both of these pods work nicely and a healthy ES cluster starts up. I think that's because ES master and data nodes communicate over port 9300. Also, I don't want to access any of these ES pods from outside of the K8S cluster.

Now, I want to start one Kibana pod with a service exposed on 5601. When I start the Kibana pod with Istio's default automatic mTLS enabled, it fails to start because it can't connect to the elasticsearch-data service on 9200. I'm getting all kinds of SSL errors (maybe because of the whole mTLS thing?). I don't know if it's even possible to have this connection with Istio's automatic mTLS enabled. Also, I want to access this Kibana from outside of the K8S cluster.

Appreciate your help. Thanks.

  • Ajit
1
Can you add a minimal reproducible example to your question? Even if Istio is embedding calls between services in a TLS transport, from the point of view of clients they're making plain HTTP calls; you should be configuring Kibana with an http://... URL (not https://...). – David Maze

We have this mostly worked out in combination with our Kubernetes Operator; see the description at github.com/elastic/cloud-on-k8s/issues/…. Either use that directly or reuse the right bindings and health checks to build your own (if you really have to). – xeraa

Check out this Kibana guide. Let me know if that answers your question. – Jakub

@xeraa Yes, excluding port 9300 from Istio will make ES come up just fine. But Kibana is not able to connect to ES on 9200. – ajit

@DavidMaze When I start Kibana with the http URL of ES, it fails. Because (my guess) it hits the Envoy proxy first, which is expecting TLS data because of mTLS STRICT. – ajit

1 Answer

1
vote

Kibana is working with the http URL only. But in order to make the elasticsearch master and node communicate with each other, I have to put port 9300 in the exclude list of Istio.
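As an added example (not part of the question or the answer above), here is what the two points of the answer look like as Kubernetes manifests: the Elasticsearch pod template keeps port 9300 out of the Envoy sidecar via Istio's `traffic.sidecar.istio.io/excludeInboundPorts` annotation, and Kibana is pointed at Elasticsearch with a plain `http://` URL so the sidecars, not Kibana, handle TLS on 9200. The workload names, labels, the Kibana `ELASTICSEARCH_HOSTS` environment variable (the Kibana 7.x Docker image convention) and the use of `excludeOutboundPorts` on the same pods are assumptions; the page only states that 9300 is excluded and that Kibana uses an http URL.

```yaml
# Added example; assumed names and labels, not the poster's manifests.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: elasticsearch-data          # assumed name
spec:
  serviceName: elasticsearch-data
  selector:
    matchLabels:
      app: elasticsearch-data
  template:
    metadata:
      labels:
        app: elasticsearch-data
      annotations:
        # Inbound 9300 bypasses the sidecar: ES transport traffic between
        # master and data nodes is not intercepted (and not mTLS-terminated).
        traffic.sidecar.istio.io/excludeInboundPorts: "9300"
        # Assumption: also skip sidecar capture of this node's own outbound
        # connections on 9300 so it does not try to originate mTLS to a peer
        # whose 9300 is no longer behind Envoy.
        traffic.sidecar.istio.io/excludeOutboundPorts: "9300"
    spec:
      containers:
        - name: elasticsearch
          image: docker.elastic.co/elasticsearch/elasticsearch:7.5.0   # assumed version
          ports:
            - containerPort: 9200   # HTTP API: still captured, so mesh mTLS applies
            - containerPort: 9300   # transport: excluded above, stays cluster-internal
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kibana                      # assumed name
spec:
  selector:
    matchLabels:
      app: kibana
  template:
    metadata:
      labels:
        app: kibana
    spec:
      containers:
        - name: kibana
          image: docker.elastic.co/kibana/kibana:7.5.0                 # assumed version
          env:
            # Plain http://, as the answer says: Kibana talks cleartext to its
            # local sidecar, which upgrades the hop to 9200 to mesh mTLS.
            - name: ELASTICSEARCH_HOSTS
              value: "http://elasticsearch-data:9200"
          ports:
            - containerPort: 5601
```

The trade-off to keep in mind: traffic on an excluded port is not protected by Istio at all, so 9300 relies on Elasticsearch's own transport security (or on none) and on the port being reachable only inside the cluster, which is what the question already asks for. You can confirm the exclusion took effect by checking that the pod's `istio-init` container arguments (or the annotation on the running pod) list 9300, and that only 9200 shows up in the sidecar's inbound listeners.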