TLS authentication overview
Istio offers mutual TLS as a solution for service-to-service authentication.
Note: For FIPS-compliant TLS settings, see FIPS-compliant service mesh.
Istio uses the sidecar pattern, meaning that each application container has a sidecar Envoy proxy container running beside it in the same pod.
- When a service receives or sends network traffic, the traffic always goes through the Envoy proxies first.
- When mTLS is enabled between two services, the client side and server side Envoy proxies verify each other’s identities before sending requests.
- If the verification is successful, then the client-side proxy encrypts the traffic, and sends it to the server-side proxy.
- The server-side proxy decrypts the traffic and forwards it locally to the actual destination service.
In Service Mesh Manager, you can manage the mTLS settings:
- of a service using the Service Mesh Manager UI, and
- mesh-wide, namespace-wide, and service-specific settings using the PeerAuthentication custom resource.
Change service-specific mTLS settings using the UI
To configure service-specific mTLS settings using the UI, complete the following steps. You can change the mTLS settings of a namespace or the entire service mesh from the command line.
Select the service on the MENU > TOPOLOGY or MENU > SERVICES page.
Select MTLS POLICIES. You can configure the MTLS policy you want to use independently for each port of the service. The following policies are available:
- STRICT: The service can accept only mutual TLS traffic.
- PERMISSIVE: The service can accept both plaintext/unencrypted traffic and mutual TLS traffic at the same time.
- DISABLED: The service can accept plaintext/unencrypted traffic only.
- DEFAULT: Use the global MTLS policy.
Select APPLY CHANGES.
When a load is sent to the service, you can verify whether the traffic between your services is actually encrypted or not on the MENU > TOPOLOGY page by selecting EDGE LABELS > security.
Either red open locks or green closed ones are displayed between the services in the UI, indicating non-encrypted or encrypted traffic between the services.
Change mTLS settings using PeerAuthentication
You can change the mTLS settings of a workload, namespace, or the entire service mesh from the command line using the PeerAuthentication custom resource. For example, the following CR disables mTLS for the “catalog” service.
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: catalog namespace: smm-demo spec: mtls: mode: DISABLE
For other examples, see the PeerAuthentication documentation.