Mutual TLS
TLS authentication overview
Istio offers mutual TLS as a solution for service-to-service authentication.
Note: For FIPS-compliant TLS settings, see FIPS-compliant service mesh.
Istio uses the sidecar pattern, meaning that each application container has a sidecar Envoy proxy container running beside it in the same pod.
- When a service receives or sends network traffic, the traffic always goes through the Envoy proxies first.
- When mTLS is enabled between two services, the client-side and server-side Envoy proxies verify each other's identities before sending requests.
- If the verification is successful, then the client-side proxy encrypts the traffic, and sends it to the server-side proxy.
- The server-side proxy decrypts the traffic and forwards it locally to the actual destination service.
In Service Mesh Manager, you can manage the mTLS settings:
- of a service using the Service Mesh Manager UI, and
- mesh-wide, namespace-wide, and service-specific settings using the PeerAuthentication custom resource.
Change service-specific mTLS settings using the UI
To configure service-specific mTLS settings using the UI, complete the following steps. You can change the mTLS settings of a namespace or the entire service mesh from the command line.
- Select the service on the MENU > TOPOLOGY or MENU > SERVICES page.
- Select MTLS POLICIES. You can configure the MTLS policy independently for each port of the service. The following policies are available:
  - STRICT: The service accepts only mutual TLS traffic.
  - PERMISSIVE: The service accepts both plaintext (unencrypted) traffic and mutual TLS traffic at the same time.
  - DISABLED: The service accepts plaintext (unencrypted) traffic only.
  - DEFAULT: Use the global MTLS policy.
- Select APPLY CHANGES.
- When load is sent to the service, you can verify whether the traffic between your services is actually encrypted on the MENU > TOPOLOGY page by selecting EDGE LABELS > security. Red open locks or green closed locks are displayed between the services, indicating unencrypted or encrypted traffic respectively.
Change mTLS settings using PeerAuthentication
You can change the mTLS settings of a workload, namespace, or the entire service mesh from the command line using the PeerAuthentication custom resource. For example, the following CR disables mTLS for the “catalog” service.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: catalog
  namespace: smm-demo
spec:
  # Without a selector the policy would apply to every workload in the
  # smm-demo namespace; the app: catalog label is assumed here to select
  # only the catalog workload.
  selector:
    matchLabels:
      app: catalog
  mtls:
    mode: DISABLE
For other examples, see the PeerAuthentication documentation.
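The per-port policies described under MTLS POLICIES and the mesh-wide, namespace-wide, and workload-specific PeerAuthentication resources above combine according to Istio's precedence rules: a workload-specific policy (one whose selector matches the workload's labels) overrides a namespace-wide policy (no selector, in the workload's namespace), which overrides the mesh-wide policy (no selector, in the root namespace, istio-system by default); portLevelMtls overrides mtls.mode for that port, and UNSET inherits from the next level. When no policy applies, Istio defaults to PERMISSIVE. The following resolver is an added example, not code from Service Mesh Manager or Istio. The sample policies and workloads are constructed inline; the app: catalog label, the 8080/9090 ports, and the frontend workload are assumptions. It also provides an audit function that lists every workload port whose effective mode is not STRICT, which is the check an operator wants before relying on the lock icons in the topology view.

```python
"""Resolve the effective PeerAuthentication mTLS mode for a workload port.

Added example (not part of the Service Mesh Manager or Istio documentation).
Policies are plain dicts shaped like the PeerAuthentication CR on this page,
so the script runs offline without a cluster or a YAML library.
"""

ROOT_NAMESPACE = "istio-system"  # Istio's default root namespace (assumed unchanged)
DEFAULT_MODE = "PERMISSIVE"      # Istio's behaviour when no policy applies at all
VALID_MODES = {"UNSET", "DISABLE", "PERMISSIVE", "STRICT"}


def _selector_matches(policy, labels):
    """True when every matchLabels entry of the policy selector is present on the workload."""
    match = policy.get("spec", {}).get("selector", {}).get("matchLabels", {})
    return all(labels.get(key) == value for key, value in match.items())


def _mode_for_port(policy, port):
    """Mode this single policy yields for `port`, or UNSET if it defers to its parent."""
    spec = policy.get("spec", {})
    mode = "UNSET"
    # portLevelMtls is only honoured on workload-specific (selector) policies.
    if port is not None and "selector" in spec:
        mode = spec.get("portLevelMtls", {}).get(port, {}).get("mode", "UNSET")
    if mode == "UNSET":
        mode = spec.get("mtls", {}).get("mode", "UNSET")
    if mode not in VALID_MODES:
        raise ValueError(f"unknown mTLS mode {mode!r} in policy {policy['metadata']['name']}")
    return mode


def effective_mode(policies, namespace, labels, port=None):
    """Return (mode, policy_name) for a workload in `namespace` carrying `labels`.

    policy_name is None when Istio's default applies because no policy matched.
    """
    workload = [p for p in policies
                if p["metadata"]["namespace"] == namespace
                and "selector" in p.get("spec", {})
                and _selector_matches(p, labels)]
    if len(workload) > 1:
        # Overlapping workload-specific policies are a misconfiguration; flag rather than guess.
        names = sorted(p["metadata"]["name"] for p in workload)
        raise ValueError(f"conflicting workload-specific policies: {names}")
    namespace_wide = [p for p in policies
                      if p["metadata"]["namespace"] == namespace
                      and "selector" not in p.get("spec", {})]
    mesh_wide = [p for p in policies
                 if p["metadata"]["namespace"] == ROOT_NAMESPACE
                 and "selector" not in p.get("spec", {})]
    # Walk from most specific to least specific; UNSET at one level defers to the next.
    for candidate in workload + namespace_wide + mesh_wide:
        mode = _mode_for_port(candidate, port)
        if mode != "UNSET":
            return mode, candidate["metadata"]["name"]
    return DEFAULT_MODE, None


def audit(policies, workloads):
    """List (namespace, app, port, mode, policy) for every port not enforcing STRICT mTLS."""
    findings = []
    for namespace, labels, ports in workloads:
        for port in ports:
            mode, name = effective_mode(policies, namespace, labels, port)
            if mode != "STRICT":
                findings.append((namespace, labels.get("app", "?"), port, mode, name))
    return findings


# Constructed sample: a mesh-wide STRICT default plus a workload-specific policy that
# mirrors the page's catalog CR, with an assumed selector and one STRICT port override.
SAMPLE_POLICIES = [
    {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
     "metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
     "metadata": {"name": "catalog", "namespace": "smm-demo"},
     "spec": {"selector": {"matchLabels": {"app": "catalog"}},
              "mtls": {"mode": "DISABLE"},
              "portLevelMtls": {8080: {"mode": "STRICT"}}}},
]

# Constructed workloads: (namespace, labels, ports served).
SAMPLE_WORKLOADS = [
    ("smm-demo", {"app": "catalog"}, [8080, 9090]),
    ("smm-demo", {"app": "frontend"}, [8080]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICIES, SAMPLE_WORKLOADS):
        print("non-STRICT port:", finding)
```

Running the script reports only catalog port 9090 as DISABLE (inherited from the workload policy's mtls.mode), while catalog port 8080 is STRICT through its portLevelMtls entry and frontend falls through to the mesh-wide STRICT default. Feeding the function the output of a kubectl get peerauthentication dump across all namespaces gives the same answer for a real mesh.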