Istio 101 : mTLS and interrupted connections



mTLS (mutual TLS) is TLS in which both ends of a connection authenticate each other with X.509 certificates: the client proves its identity to the server and the server proves its identity to the client. In Istio the sidecar proxies do this on behalf of the workloads, using certificates the control plane issues to each workload.

To turn mTLS on for a service, we create an authentication policy from a YAML file in the namespace where that service "lives".

The targets field of the policy's YAML file tells Istio which service mTLS will apply to, in this case mycluster.default.svc.cluster.local:


The above configuration can cut clients off: when no mode is given, the policy is STRICT, so the server-side sidecar rejects every plaintext connection. A client with no sidecar (and therefore no Istio-issued certificate), or one whose sidecar has not been configured to originate mTLS, loses connectivity to the service.
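The following is an added example of the service-targeted policy described above, not the original post's YAML. It uses the authentication.istio.io/v1alpha1 Policy API that the targets field belongs to (Istio 1.0 to 1.4; removed in 1.6), and assumes a Service named mycluster in the default namespace whose pods carry the label app: mycluster. The resource names are assumed. It also shows the client-side DestinationRule that mesh clients need, and the PeerAuthentication equivalent for the API that replaced Policy in Istio 1.5:

```yaml
# Added example, not the post's own file. Assumes a Service "mycluster"
# in namespace "default"; resource names below are made up.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: mycluster-mtls          # assumed name
  namespace: default
spec:
  targets:
  - name: mycluster             # service name; FQDN is mycluster.default.svc.cluster.local
  peers:
  - mtls: {}                    # no mode given = STRICT: plaintext connections are rejected
---
# The server side alone is not enough on these Istio versions: the
# client-side sidecar must be told to originate mTLS, otherwise mesh
# clients keep sending plaintext and are rejected. Clients without a
# sidecar cannot be fixed this way; they have no certificate to present.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mycluster-mtls          # assumed name
  namespace: default
spec:
  host: mycluster.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL        # use the sidecar's Istio-issued certificate
---
# Equivalent in the API that replaced Policy (Istio 1.5 and later).
# PeerAuthentication selects workloads by pod label, not by service name.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mycluster-mtls          # assumed name
  namespace: default
spec:
  selector:
    matchLabels:
      app: mycluster            # assumed pod label
  mtls:
    mode: STRICT
```

Apply with kubectl apply -f and then test from a pod that has no sidecar: a plaintext curl to mycluster should fail with a connection reset, while the same request from a sidecar-injected pod succeeds. On Istio releases that still ship the authn subcommand, istioctl authn tls-check <client-pod> mycluster.default.svc.cluster.local reports whether the client and server settings match.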

To remedy that, we make mTLS optional (PERMISSIVE mode) in the namespace with a policy like the one below:


This configuration lets workloads in the mesh reach any service in the default namespace using either mTLS or unencrypted plaintext: the server-side sidecar accepts both. Plaintext callers are not authenticated, so PERMISSIVE mode is a migration step while clients are onboarded, not a final state.

Remark:

The targets field is not set in the above YAML file, so the policy applies to every service in the namespace. A service-specific policy takes precedence over a namespace-wide one, however, so a STRICT policy that still targets mycluster keeps rejecting plaintext clients until it is deleted or switched to PERMISSIVE as well.
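Here is an added example of the namespace-wide PERMISSIVE policy described above, not the original post's YAML. In the authentication.istio.io/v1alpha1 API a namespace-wide policy has no targets field and must be named default; the PeerAuthentication equivalent for Istio 1.5 and later is shown after it. The namespace is assumed to be default, as in the post:

```yaml
# Added example, not the post's own file.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default                 # a namespace-wide Policy must be named "default"
  namespace: default
spec:
  # no "targets": applies to every service in the namespace
  peers:
  - mtls:
      mode: PERMISSIVE          # accept mTLS and plaintext; STRICT rejects plaintext
---
# Equivalent in the API that replaced Policy (Istio 1.5 and later).
# No selector means the policy covers every workload in the namespace.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: PERMISSIVE
```

Because a service-specific policy wins over this namespace-wide one, check with kubectl get policies -n default (or kubectl get peerauthentications -n default) that no STRICT policy still targets the service whose clients were failing, and delete it or change its mode before retesting. Once every client runs a sidecar, flip the mode back to STRICT so that plaintext, unauthenticated calls are refused again.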
