- Apply the updated Kubernetes configuration files:

  $ kubectl apply -f modules/security/mtls/config/destinationrule.yaml

  This creates two DestinationRules. The first forces Istio to use mTLS for every in-mesh destination (any host ending in .local):

  $ kubectl describe -n istio-system destinationrule.networking.istio.io/default
  ...
  Spec:
    Host: *.local
    Traffic Policy:
      Tls:
        Mode: ISTIO_MUTUAL

  The second excludes the Kubernetes API server from mTLS. The API server is not part of the mesh and does not present an Istio-issued certificate, so an ISTIO_MUTUAL rule matching it would break sidecar-to-API-server traffic:

  $ kubectl describe -n istio-system destinationrule.networking.istio.io/api-server
  ...
  Spec:
    Host: kubernetes.default.svc.cluster.local
    Traffic Policy:
      Tls:
        Mode: DISABLE
- Create a new Namespace that does not have Istio automatic sidecar injection enabled:

  $ kubectl create ns noistio
- Run the sleep Toolbox Pod in the noistio namespace:

  $ kubectl -n noistio apply -f modules/security/mtls/config/sleep.yaml
- Wait for this Pod to start:

  $ kubectl get pods -n noistio -w
- Connect to the Account Service from the Toolbox Pod, which has no Istio sidecar and therefore speaks plaintext HTTP:

  $ export USERNAME=<login name from demo site>
  $ kubectl -n noistio exec -it $(kubectl get pod -n noistio -l app=sleep -o jsonpath='{.items..metadata.name}') -- curl http://user.default/v1/users/${USERNAME}/accounts

  This request succeeds: with no STRICT policy in place, the sidecar in front of the user service runs in Istio's default PERMISSIVE mode and accepts both mTLS and plaintext connections.
- Apply the strict mTLS mesh policy:

  $ kubectl apply -f modules/security/mtls/config/strictpolicy.yaml

  We can verify the policy matches what we expect:

  $ kubectl describe peerauthentication.security.istio.io/default
  ...
  Spec:
    Mtls:
      Mode: STRICT
- Run the last step of the previous task again to verify that the plaintext client can no longer connect:

  $ kubectl -n noistio exec -it $(kubectl get pod -n noistio -l app=sleep -o jsonpath='{.items..metadata.name}') -- curl http://user.default/v1/users/${USERNAME}/accounts
  curl: (56) Recv failure: Connection reset by peer
  command terminated with exit code 56

  If everything worked correctly, curl exits with code 56 ("Recv failure: Connection reset by peer"). curl itself is sending plain HTTP, so this is not a client-side TLS handshake error: the sidecar in front of the user service now accepts only mTLS and resets the connection as soon as it receives a plaintext request instead of a TLS handshake. Workloads that do have a sidecar are unaffected, because their own sidecar upgrades the call to mTLS as required by the ISTIO_MUTUAL DestinationRule.
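The steps above, driven end to end as a script with the before/after outcome asserted rather than read off by eye. This is an added example and not part of the workshop's material. It assumes the lab's manifests under modules/security/mtls/config/, the user Service in the default namespace, a sleep Pod labelled app=sleep in the non-injected noistio namespace, and USERNAME exported as in the lab; the optional MESH_SLEEP_NS check assumes a second sleep Pod in a sidecar-injected namespace. The cluster steps run only when MTLS_LAB_RUN=1 is set, so the script can be sourced and its exit-code interpretation checked without a cluster.

```shell
#!/usr/bin/env bash
# Added example (not the workshop's own code): run the plaintext-vs-STRICT
# experiment and interpret curl's exit status. Assumptions: the lab manifests
# in $CFG, the "user" Service in namespace "default", a sleep Pod (app=sleep)
# in the non-injected "noistio" namespace, USERNAME exported as in the lab.
set -eu

CFG=modules/security/mtls/config
URL="http://user.default/v1/users/${USERNAME:-}/accounts"

# Map curl's exit status to what it means for the mTLS experiment.
#  0 -> the plaintext request was served (PERMISSIVE mode or no policy).
# 56 -> "Recv failure: Connection reset by peer": the server-side sidecar
#       accepted the TCP connection, then reset it on seeing plaintext HTTP
#       instead of a TLS handshake; this is the STRICT-mode outcome.
#  7 -> TCP connect failed: a DNS/reachability problem, not an mTLS result.
classify_curl_exit() {
  case "$1" in
    0)  echo accepted ;;
    56) echo reset-by-sidecar ;;
    7)  echo connect-failed ;;
    *)  echo "other:$1" ;;
  esac
}

# Run curl from the sleep Pod in the given namespace and print its exit
# status without aborting the script (no -it: this runs non-interactively).
curl_from_sleep() {
  ns=$1
  pod=$(kubectl -n "$ns" get pod -l app=sleep -o jsonpath='{.items[0].metadata.name}')
  rc=0
  kubectl -n "$ns" exec "$pod" -- curl -sS -o /dev/null "$URL" || rc=$?
  echo "$rc"
}

# Compare the observed outcome with the expected one; return 1 on mismatch.
expect_outcome() {
  want=$1; rc=$2; label=$3
  got=$(classify_curl_exit "$rc")
  if [ "$got" = "$want" ]; then
    echo "ok:   $label -> $got (curl exit $rc)"
  else
    echo "FAIL: $label -> $got (curl exit $rc), expected $want" >&2
    return 1
  fi
}

run_lab() {
  kubectl apply -f "$CFG/destinationrule.yaml"
  kubectl create ns noistio 2>/dev/null || true
  kubectl -n noistio apply -f "$CFG/sleep.yaml"
  kubectl -n noistio wait --for=condition=Ready pod -l app=sleep --timeout=120s

  # Before STRICT: the sidecar-less client is served over plaintext.
  expect_outcome accepted "$(curl_from_sleep noistio)" "plaintext client, before STRICT"

  kubectl apply -f "$CFG/strictpolicy.yaml"
  # Give the sidecars a moment to pick up the new PeerAuthentication.
  sleep 5

  # After STRICT: the same plaintext request is reset by the server's sidecar.
  expect_outcome reset-by-sidecar "$(curl_from_sleep noistio)" "plaintext client, after STRICT"

  # Regression check (assumed: MESH_SLEEP_NS names a sidecar-injected namespace
  # holding its own sleep Pod): a mesh client must still be served, because its
  # sidecar upgrades the call to mTLS per the ISTIO_MUTUAL DestinationRule.
  if [ -n "${MESH_SLEEP_NS:-}" ]; then
    expect_outcome accepted "$(curl_from_sleep "$MESH_SLEEP_NS")" "mesh client, after STRICT"
  fi
}

if [ "${MTLS_LAB_RUN:-0}" = 1 ]; then run_lab; fi
```

Run it against the lab cluster with MTLS_LAB_RUN=1 USERNAME=<login name> ./mtls-check.sh; add MESH_SLEEP_NS=<injected namespace> to also confirm that STRICT did not break sidecar-injected clients, which is the check most often skipped when tightening a mesh policy.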