1
votes

I am running services on a Kubernetes cluster and, for security purposes, I came to know about a service mesh named Istio. Currently, I have enabled mTLS in the istio-system namespace and I can see sidecars running inside the pods of the bookinfo service. But while capturing traffic between pods with Wireshark, I can see that my context route in Wireshark is still HTTP. I supposed that it should be TLS and encrypted.

Note: I am using istio-1.6.3 and have defined a Gateway and an ingress (Kubernetes ingress) to the service.

Here is the screenshot (Wireshark image).

Hello, as far as I checked here, it worked as designed. If you want to see TLS, you could try what is mentioned in the tutorial above: you can do this by removing the "http" filter and instead adding a display filter to show only TCP traffic with a destination IP address of your Pod and a target port of 20000, which you can see the Envoy sidecar is listening on via the earlier issued kubectl describe command. Could you try it and let me know if that worked? - Jakub

Hi @jt97, I can see a lock badge in the Kiali dashboard; I read somewhere that this is a representation that encryption is happening there. I am confused about how I can make a different VirtualService in a different namespace if I need to expose the same service. So what should the VS be? How will the gateway identify which namespace the request should go to? - hardik dadhich

Hello @hardik dadhich, I have posted an answer to your question. About the second question, about a different VirtualService in a different namespace, you should create a new thread with a new question, as per Stack Overflow rules (one question per post), as a proper title can help other users. - Jakub

1 Answer

0
votes

As I mentioned in the comment, AFAIK it's working as designed; if you want to see TLS, you could try what is mentioned in this tutorial.

Seeing that unencrypted communication to the QOTM service is only occurring over the loopback adapter is only one part of the TLS verification process. You ideally want to see the encrypted traffic flowing around your cluster. You can do this by removing the "http" filter and instead adding a display filter to show only TCP traffic with a destination IP address of your QOTM Pod and a target port of 20000, which you can see the Envoy sidecar is listening on via the earlier issued kubectl describe command.

Hi @jt97, I can see a lock badge in the Kiali dashboard; I read somewhere that this is a representation that encryption is happening there.

Exactly, there is a GitHub issue about that.


Hope you find this useful.
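As an added example (not part of the question or the answer above), the following script shows the check the tutorial describes: payloads on the loopback leg inside the pod are expected to be plaintext HTTP because the sidecar has already terminated TLS there, while the pod-to-pod leg to the sidecar's port 20000 should carry TLS records. The pod IPs, the port 9080 on the loopback leg and all payload bytes are constructed, not captured.

```python
"""Tell TLS records from plaintext HTTP in captured TCP payloads.

Added illustration of the mTLS check discussed above: after mTLS is enabled,
only the loopback leg (sidecar -> app) should be plaintext; anything plaintext
that is not addressed to 127.x.x.x is flagged. Sample data is constructed.
"""

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}


def classify_payload(payload: bytes) -> str:
    """Return 'tls:<type>/<version>', 'http' or 'unknown' for the first bytes of a TCP stream."""
    if len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES:
        version = int.from_bytes(payload[1:3], "big")
        length = int.from_bytes(payload[3:5], "big")
        # A TLS record header is: content type, legacy version, length <= 2^14 + 2048.
        # The version here is the record-layer field (often 0x0301 on a ClientHello).
        if version in TLS_VERSIONS and length <= 16384 + 2048:
            return f"tls:{TLS_CONTENT_TYPES[payload[0]]}/{TLS_VERSIONS[version]}"
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "http"
    return "unknown"


def audit_capture(packets):
    """Classify (src, dst, dport, payload) tuples and flag plaintext HTTP that leaves loopback."""
    findings = []
    for src, dst, dport, payload in packets:
        kind = classify_payload(payload)
        findings.append({
            "src": src, "dst": dst, "dport": dport, "kind": kind,
            "plaintext_off_loopback": kind == "http" and not dst.startswith("127."),
        })
    return findings


# Constructed sample: loopback leg is HTTP (expected), pod-to-pod leg to the sidecar
# port 20000 is a TLS ClientHello (expected), and one plaintext pod-to-pod request
# shows what a genuine mTLS failure would look like in the capture.
CLIENT_HELLO = bytes.fromhex("16030100c0") + b"\x01" + b"\x00" * 0xBF  # handshake record, 192 bytes
SAMPLE_PACKETS = [
    ("127.0.0.1", "127.0.0.1", 9080, b"GET /productpage HTTP/1.1\r\nHost: productpage\r\n\r\n"),
    ("10.244.1.5", "10.244.2.8", 20000, CLIENT_HELLO),
    ("10.244.1.5", "10.244.2.8", 9080, b"GET /productpage HTTP/1.1\r\nHost: productpage\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_PACKETS):
        print(finding)
```

In a real Wireshark session, this corresponds to dropping the "http" display filter and looking at the raw first bytes of TCP streams to the pod IP on port 20000: a leading 0x16 0x03 byte pair is a TLS handshake record, an ASCII method name is plaintext.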