DevSecOps - Kubernetes DevOps & Security
Kubernetes Operations and Security
Istio mTLS Basics
In modern microservices architectures, securing traffic between pods is critical. Istio’s mutual TLS (mTLS) ensures that every call between services is both encrypted and authenticated.
How Istio mTLS Works
Istio leverages a sidecar container pattern. Each application pod has an Envoy proxy injected beside it. When mTLS is enabled:
- The client‐side Envoy obtains a certificate from Istio’s Citadel (the mesh CA).
- It initiates a TLS handshake with the server‐side Envoy.
- Both proxies verify each other’s certificates.
- Once verified, traffic is encrypted in transit and then decrypted before reaching the application.
By default, Istio:
- Automatically detects injected workloads and negotiates mTLS.
- Leaves traffic to non-injected pods in plaintext.
Note
Make sure your pods are annotated or labeled for automatic sidecar injection. See Istio Automatic Injection.
Example Pod Topology
Consider three pods in your cluster:
- Pod A and Pod B: Part of the Istio mesh (sidecar injected). Traffic between them is encrypted with mTLS.
- Pod C: Not part of the mesh (no sidecar). Traffic between Pod B and Pod C is sent in plaintext over HTTP.
Configuring PeerAuthentication
Istio uses the PeerAuthentication API to control mTLS behavior at namespace or workload level. A basic resource looks like this:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: istio-system
spec:
mtls:
mode: PERMISSIVE
PeerAuthentication Modes
| Mode | Description | Behavior |
|---|---|---|
| PERMISSIVE | Allows both mTLS and plaintext | mTLS inside mesh, plaintext from outside |
| STRICT | Enforces mTLS for all inbound connections | Rejects any plaintext |
| DISABLE | Disables mTLS entirely | All traffic is plaintext |
Warning
Switching from PERMISSIVE to STRICT may break clients that don’t support mTLS. Roll out changes carefully and monitor with Kiali.
1. PERMISSIVE Mode
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: istio-system
spec:
mtls:
mode: PERMISSIVE
2. STRICT Mode
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: foo
spec:
mtls:
mode: STRICT
3. DISABLE Mode
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: foo
spec:
mtls:
mode: DISABLE
Next Steps
- Apply each
PeerAuthenticationin a test namespace. - Use
kubectl logson Envoy sidecars to verify TLS handshakes. - Visualize service-to-service traffic in the Kiali dashboard.
Links and References
Watch Video
Watch video content