You are viewing archived v1.24 Service Mesh documentation.
Configure transport security
Note: This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information, see Cloud Service Mesh overview.

In Cloud Service Mesh with Istio APIs for Kubernetes workloads, auto mutual TLS (auto mTLS) is enabled by default. With auto mTLS, a client sidecar proxy automatically detects whether the server has a sidecar. The client sidecar sends mTLS to workloads with sidecars and sends plaintext to workloads without sidecars. Note, however, that auto mTLS only governs what clients send: by default, services still accept both plaintext and mTLS traffic (the PERMISSIVE mode), so a client without a sidecar can still reach them in plaintext. As you inject sidecar proxies into your Pods, we recommend that you also configure your services to accept only mTLS traffic.

With Cloud Service Mesh, you can configure your services to accept only mTLS by applying a PeerAuthentication policy. Cloud Service Mesh gives you the flexibility to apply the policy to the entire service mesh, to a namespace, or to an individual workload. The most specific policy takes precedence: a workload-specific policy overrides a namespace-wide one, and a namespace-wide policy overrides the mesh-wide one. If no policy is specified for a workload, it inherits the policy from its namespace or, failing that, from the mesh.

See Supported features for details of which fields of the PeerAuthentication CR are supported by platform.
Enable mutual TLS per namespace
To enable mTLS for all workloads within a particular namespace, use a namespace-wide authentication policy. You specify the namespace it applies to under metadata. The policy has no selector, so it covers every workload in that namespace that does not have a workload-specific policy of its own.

kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "AUTH_POLICY_NAME"
  namespace: "NAMESPACE"
spec:
  mtls:
    mode: STRICT
EOF

Expected output:
peerauthentication.security.istio.io/AUTH_POLICY_NAME created
Enable mutual TLS per workload
To set a PeerAuthentication policy for a specific workload, you must configure the selector section and specify the labels that match the desired workload. A STRICT workload-level policy makes that workload's sidecar reject plaintext, but Cloud Service Mesh can't aggregate workload-level policies for outbound mTLS traffic to a service. You need to configure a destination rule so that clients originate mTLS to that service.

Apply an authentication policy to a specific workload in your namespace:

cat <<EOF | kubectl apply -n NAMESPACE -f -
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "AUTH_POLICY_NAME"
  namespace: "NAMESPACE"
spec:
  selector:
    matchLabels:
      app: WORKLOAD
  mtls:
    mode: STRICT
EOF

Expected output:
peerauthentication.security.istio.io/AUTH_POLICY_NAME created
Configure a matching destination rule:
cat <<EOF | kubectl apply -n NAMESPACE -f -
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "DEST_RULE_NAME"
spec:
  host: "WORKLOAD.NAMESPACE.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
EOF

Expected output:

destinationrule.networking.istio.io/DEST_RULE_NAME created
Enforce mesh-wide mTLS
To prevent all your services in the mesh from accepting plaintext traffic, set a mesh-wide PeerAuthentication policy with the mTLS mode set to STRICT (the default is PERMISSIVE). The mesh-wide PeerAuthentication policy shouldn't have a selector and must be applied in the root namespace, istio-system. A policy with a selector in istio-system only applies to matching workloads in that namespace, not to the whole mesh. When you deploy the policy, the control plane automatically provisions TLS certificates so that workloads can authenticate with each other.

To enforce mesh-wide mTLS:

kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "AUTH_POLICY_NAME"
  namespace: "istio-system"
spec:
  mtls:
    mode: STRICT
EOF

Expected output:
peerauthentication.security.istio.io/AUTH_POLICY_NAME created
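Because the mesh-wide policy is only a fallback, a PERMISSIVE namespace or workload policy left behind from earlier testing keeps accepting plaintext even after this step. The following is an added Python example, not code from the Cloud Service Mesh documentation or from Istio, that applies the precedence rules described earlier on this page (workload-specific over namespace-wide over mesh-wide, PERMISSIVE when nothing applies) to policies in the shape returned by `kubectl get peerauthentication -A -o json`, and reports every workload whose effective mode is not STRICT. The function names, the sample policies and the sample workloads are all constructed for illustration; the handling of an UNSET mode (inherit from the next scope up) follows Istio's documented behaviour and is an assumption beyond what this page states.

```python
"""Resolve and audit the effective PeerAuthentication mode per workload.

Added example, not code from the Cloud Service Mesh documentation or from
Istio. Policies are plain dicts in the shape `kubectl get peerauthentication
-A -o json` returns under "items". Sample data below is constructed.
"""
import json

ROOT_NAMESPACE = "istio-system"  # where the mesh-wide policy must live
DEFAULT_MODE = "PERMISSIVE"      # what applies when no policy matches


def load_policies(kubectl_json):
    """Return the policy list from `kubectl get peerauthentication -A -o json`."""
    return json.loads(kubectl_json).get("items", [])


def _ns(policy):
    return policy.get("metadata", {}).get("namespace")


def _name(policy):
    return policy.get("metadata", {}).get("name")


def _has_selector(policy):
    # An absent or empty selector means the policy is namespace- or mesh-wide.
    return bool(policy.get("spec", {}).get("selector"))


def _selector_matches(policy, labels):
    """True when every label in spec.selector.matchLabels is on the workload."""
    wanted = policy["spec"]["selector"].get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def _mode(policy):
    # A policy with no explicit mode is UNSET; assumption (Istio's documented
    # rule): UNSET inherits from the next scope up rather than deciding.
    return policy.get("spec", {}).get("mtls", {}).get("mode", "UNSET")


def effective_mode(policies, namespace, labels):
    """Return (mode, name of the deciding policy or None) for one workload.

    Candidates are ordered by precedence and the first whose mode is not
    UNSET decides. Only policies in the workload's own namespace, plus the
    selector-less mesh-wide policy in istio-system, are considered, so a
    policy with a selector in istio-system never acts mesh-wide.
    """
    candidates = [p for p in policies
                  if _ns(p) == namespace and _has_selector(p)
                  and _selector_matches(p, labels)]
    candidates += [p for p in policies
                   if _ns(p) == namespace and not _has_selector(p)]
    candidates += [p for p in policies
                   if _ns(p) == ROOT_NAMESPACE and not _has_selector(p)]
    for p in candidates:
        if _mode(p) != "UNSET":
            return _mode(p), _name(p)
    return DEFAULT_MODE, None


def audit(policies, workloads):
    """List workloads that still accept plaintext and the policy responsible.

    `workloads` is a list of (namespace, labels) pairs; in practice you would
    build it from `kubectl get pods -A -o json`. Returns
    (namespace, app label, mode, deciding policy or None) for every workload
    whose effective mode is not STRICT.
    """
    findings = []
    for namespace, labels in workloads:
        mode, policy = effective_mode(policies, namespace, labels)
        if mode != "STRICT":
            findings.append((namespace, labels.get("app", "?"), mode, policy))
    return findings


# Constructed sample data, not taken from any real cluster.
SAMPLE_POLICIES = [
    {"metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},                 # mesh-wide
    {"metadata": {"name": "legacy-ns", "namespace": "legacy"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},             # namespace-wide
    {"metadata": {"name": "payments-strict", "namespace": "legacy"},
     "spec": {"selector": {"matchLabels": {"app": "payments"}},
              "mtls": {"mode": "STRICT"}}},                 # workload-specific
    {"metadata": {"name": "cart-unset", "namespace": "shop"},
     "spec": {"selector": {"matchLabels": {"app": "cart"}},
              "mtls": {"mode": "UNSET"}}},                  # inherits upward
]
SAMPLE_WORKLOADS = [
    ("legacy", {"app": "payments"}),  # workload policy beats namespace policy
    ("legacy", {"app": "billing"}),   # namespace policy keeps it PERMISSIVE
    ("shop", {"app": "cart"}),        # UNSET falls through to the mesh policy
    ("shop", {"app": "web"}),         # mesh-wide STRICT
]

if __name__ == "__main__":
    for ns, app, mode, policy in audit(SAMPLE_POLICIES, SAMPLE_WORKLOADS):
        print(f"{ns}/{app}: {mode} (set by {policy or 'built-in default'})")
```

Run against the sample data, the audit reports only legacy/billing, still PERMISSIVE because of the namespace-wide policy legacy-ns; that policy, not the mesh-wide one, is what has to change.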
Find and delete PeerAuthentication policies

For a list of all the PeerAuthentication policies in the service mesh:
kubectl get peerauthentication --all-namespaces

If there is a PeerAuthentication policy in force, you can delete it with kubectl delete:

kubectl delete peerauthentication -n NAMESPACE AUTH_POLICY_NAME

Deleting a policy does not leave the affected workloads without a mode: they fall back to the namespace-wide or mesh-wide policy, or to the PERMISSIVE default if none exists, so deleting a STRICT policy can silently re-enable plaintext at that scope.

What's next
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.