I have a Kubernetes app and I'm having the Istio sidecar set up. Is it possible to configure Istio mTLS for a subset of APIs and the others with simple TLS?

If I understand correctly you should be able to do that with destination rules, as you can use the tls settings mode to change the mTLS for specific hosts. Let me know if that answers your question. (Jakub)
I believe if you had spent 5 minutes reading the documentation, you'd know the answer. (suren)

1 Answer

As I mentioned in the comments, you should be able to do that with destination rules, as you can use the tls settings mode to change the mTLS for specific hosts.

Take a look at the examples below from the documentation:

For example, the following rule configures a client to use mutual TLS for connections to an upstream database cluster.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: db-mtls
spec:
  host: mydbserver.prod.svc.cluster.local
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem
      privateKey: /etc/certs/client_private_key.pem
      caCertificates: /etc/certs/rootcacerts.pem

The following rule configures a client to use TLS when talking to a foreign service whose domain matches *.foo.com.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: tls-foo
spec:
  host: "*.foo.com"
  trafficPolicy:
    tls:
      mode: SIMPLE

The following rule configures a client to use Istio mutual TLS when talking to rating services.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ratings-istio-mtls
spec:
  host: ratings.prod.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
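The three rules above each set one TLS mode for a whole host. To get what the question asks for, mTLS for some APIs and one-way TLS for others, you can put the two groups of APIs on different ports of the same service and use the DestinationRule's portLevelSettings, which override the host-level tls block per port. The following is an added example written for this page, not code from the original answer or from the Istio documentation; the host name, namespace, port numbers and CA bundle path are assumptions:

```yaml
# Added example, not from the original answer or the Istio docs.
# One DestinationRule that chooses the client-side TLS mode per port
# of the same in-mesh service. Host, ports and file path are assumed.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: api-per-port-tls
  namespace: prod
spec:
  host: api.prod.svc.cluster.local
  trafficPolicy:
    # Default for every port not listed in portLevelSettings:
    # Istio-managed mutual TLS with the sidecar's own workload certificate.
    tls:
      mode: ISTIO_MUTUAL
    portLevelSettings:
    # Port 8080 (assumed): the APIs that must stay behind mTLS.
    # Repeats the default explicitly so the intent is visible in the rule.
    - port:
        number: 8080
      tls:
        mode: ISTIO_MUTUAL
    # Port 8443 (assumed): the APIs served over ordinary one-way TLS,
    # terminated by the application itself. The client sidecar originates
    # TLS, verifies the server against the CA bundle mounted at the assumed
    # path below, and sends the given SNI.
    - port:
        number: 8443
      tls:
        mode: SIMPLE
        caCertificates: /etc/certs/legacy-api-ca.pem
        sni: api.prod.svc.cluster.local
```

Two caveats before relying on this. First, a DestinationRule only configures the client sidecar; the server side is governed by the destination's PeerAuthentication. If that policy is STRICT, the non-mTLS connection to port 8443 is rejected, so the server policy must be PERMISSIVE for that port (PeerAuthentication supports a portLevelMtls override). Second, the granularity of these settings is host plus port (or a named subset), not an HTTP path: "a subset of APIs" has to map onto separate ports or separate services before a rule like this can distinguish them. After applying the rule, `istioctl x describe pod <client-pod>` reports which DestinationRule matched and the resulting TLS mode, and `istioctl analyze` flags DestinationRules whose TLS settings conflict with each other or with the mesh policy.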