Tetrate Istio Subscription (Version: Next)

TIS0001 - Multiple configuration objects within the same namespace

Multiple configuration objects within the same namespace can lead to conflicts and unexpected behavior.

Recommendation: Consolidate the objects or use selectors to target specific workloads.

By consolidating the objects or using selectors to target specific workloads, you ensure that the configurations are applied as intended without causing conflicts or unexpected behavior in your Istio service mesh.

Examples

  1. Multiple PeerAuthentication Objects Without Selectors

    First PeerAuthentication Object:

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: strict-mtls
      namespace: example-namespace
    spec:
      mtls:
        mode: STRICT

    Second PeerAuthentication Object:

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: permissive-mtls
      namespace: example-namespace
    spec:
      mtls:
        mode: PERMISSIVE

    Explanation: Both policies apply to all workloads in the namespace, leading to conflicts in TLS settings.

  2. Multiple RequestAuthentication Objects Without Selectors

    First RequestAuthentication Object:

    apiVersion: security.istio.io/v1beta1
    kind: RequestAuthentication
    metadata:
      name: jwt-auth
      namespace: example-namespace
    spec:
      jwtRules:
        - issuer: "https://secure.token.service"
          jwksUri: "https://secure.token.service/.well-known/jwks.json"

    Second RequestAuthentication Object:

    apiVersion: security.istio.io/v1beta1
    kind: RequestAuthentication
    metadata:
      name: another-jwt-auth
      namespace: example-namespace
    spec:
      jwtRules:
        - issuer: "https://another.token.service"
          jwksUri: "https://another.token.service/.well-known/jwks.json"

    Explanation: Both policies apply to all workloads in the namespace, leading to conflicts in JWT validation rules.

  3. Multiple Telemetry Objects Without Selectors

    First Telemetry Object:

    apiVersion: telemetry.istio.io/v1alpha1
    kind: Telemetry
    metadata:
      name: default-telemetry
      namespace: example-namespace
    spec:
      accessLogging:
        - disabled: false

    Second Telemetry Object:

    apiVersion: telemetry.istio.io/v1alpha1
    kind: Telemetry
    metadata:
      name: custom-telemetry
      namespace: example-namespace
    spec:
      accessLogging:
        - disabled: true

    Explanation: Conflicting logging settings can cause undefined behavior in telemetry data collection.

Recommendation

Consolidate the objects or define a selector field to target specific workloads.

  1. Consolidate the objects

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: mtls-settings
      namespace: example-namespace
    spec:
      mtls:
        mode: STRICT

  2. Define Selector for RequestAuthentication

    First RequestAuthentication Object:

    apiVersion: security.istio.io/v1beta1
    kind: RequestAuthentication
    metadata:
      name: jwt-auth
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: secure-service
      jwtRules:
        - issuer: "https://secure.token.service"
          jwksUri: "https://secure.token.service/.well-known/jwks.json"

    Second RequestAuthentication Object:

    apiVersion: security.istio.io/v1beta1
    kind: RequestAuthentication
    metadata:
      name: another-jwt-auth
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: another-service
      jwtRules:
        - issuer: "https://another.token.service"
          jwksUri: "https://another.token.service/.well-known/jwks.json"

  3. Define Selector for Telemetry

    First Telemetry Object:

    apiVersion: telemetry.istio.io/v1alpha1
    kind: Telemetry
    metadata:
      name: default-telemetry
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: logging-enabled
      accessLogging:
        - disabled: false

    Second Telemetry Object:

    apiVersion: telemetry.istio.io/v1alpha1
    kind: Telemetry
    metadata:
      name: custom-telemetry
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: logging-disabled
      accessLogging:
        - disabled: true
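An added check (example code, not from the Tetrate documentation or from Istio) that finds the TIS0001 condition in the output of `kubectl get peerauthentication,requestauthentication,telemetry -A -o json`. The sample input is constructed from the objects above; the check goes a step beyond the page by also flagging two selector-scoped objects whose labels can match the same workload, since the selector recommendation only removes the conflict when the selected label sets are disjoint.

```python
import json
from collections import defaultdict

# Kinds TIS0001 covers; namespace-wide duplicates of these conflict.
KINDS = {"PeerAuthentication", "RequestAuthentication", "Telemetry"}

def selector_labels(obj):
    """matchLabels of spec.selector, or None when the object is namespace-wide."""
    sel = obj.get("spec", {}).get("selector") or {}
    return dict(sel["matchLabels"]) if sel.get("matchLabels") else None

def selectors_overlap(a, b):
    """True when two objects of the same kind can target the same workload."""
    if a is None and b is None:
        return True   # both namespace-wide: the TIS0001 case shown on this page
    if a is None or b is None:
        return False  # workload-specific policy layered over a namespace-wide one
    # Two label selectors can match one pod unless they disagree on a shared key.
    return all(a[k] == b[k] for k in a.keys() & b.keys())

def find_conflicts(items):
    """Return (namespace, kind, name1, name2) for every pair whose targets can overlap."""
    groups = defaultdict(list)
    for obj in items:
        if obj.get("kind") in KINDS:
            md = obj["metadata"]
            groups[(md["namespace"], obj["kind"])].append((md["name"], selector_labels(obj)))
    found = []
    for (ns, kind), objs in groups.items():
        for i, (n1, s1) in enumerate(objs):
            found += [(ns, kind, n1, n2) for n2, s2 in objs[i + 1:] if selectors_overlap(s1, s2)]
    return found

# Constructed sample in the shape of `kubectl get ... -A -o json`: the page's
# PeerAuthentication pair, the selector-scoped RequestAuthentication pair, and
# two Telemetry objects whose selectors can both match an app=web,version=v2 pod.
SAMPLE = json.loads("""{"kind": "List", "items": [
 {"kind": "PeerAuthentication", "metadata": {"name": "strict-mtls", "namespace": "example-namespace"}, "spec": {"mtls": {"mode": "STRICT"}}},
 {"kind": "PeerAuthentication", "metadata": {"name": "permissive-mtls", "namespace": "example-namespace"}, "spec": {"mtls": {"mode": "PERMISSIVE"}}},
 {"kind": "RequestAuthentication", "metadata": {"name": "jwt-auth", "namespace": "example-namespace"}, "spec": {"selector": {"matchLabels": {"app": "secure-service"}}}},
 {"kind": "RequestAuthentication", "metadata": {"name": "another-jwt-auth", "namespace": "example-namespace"}, "spec": {"selector": {"matchLabels": {"app": "another-service"}}}},
 {"kind": "Telemetry", "metadata": {"name": "default-telemetry", "namespace": "example-namespace"}, "spec": {"selector": {"matchLabels": {"app": "web"}}, "accessLogging": [{"disabled": false}]}},
 {"kind": "Telemetry", "metadata": {"name": "custom-telemetry", "namespace": "example-namespace"}, "spec": {"selector": {"matchLabels": {"app": "web", "version": "v2"}}, "accessLogging": [{"disabled": true}]}}
]}""")

if __name__ == "__main__":
    for ns, kind, n1, n2 in find_conflicts(SAMPLE["items"]):
        print(f"{ns}: {kind} objects {n1!r} and {n2!r} can apply to the same workload")
```

To run it against a live cluster, replace SAMPLE with `json.load(sys.stdin)` and pipe the kubectl output in.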