Tetrate Istio Subscription documentation (Version: Next)

TIS0002 - Multiple configuration objects applied to the same workload

More than one configuration object (e.g., PeerAuthentication, RequestAuthentication, Telemetry, and Sidecar) is applied to the same workload.

Recommendation: Merge configurations for the same workload

By consolidating multiple configuration objects into single, unified configurations, you can ensure consistent behavior and reduce the risk of conflicts or unintended side effects in your Istio service mesh.

Examples

  1. Multiple PeerAuthentication Objects with Overlapping Selectors

    First PeerAuthentication Object:

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: mtls-strict
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: my-service
      mtls:
        mode: STRICT

    Second PeerAuthentication Object:

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: mtls-permissive
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: my-service
          version: v1
      mtls:
        mode: PERMISSIVE

    Explanation: Both policies apply to the my-service workload, and the version: v1 pods are selected by both. The first policy targets every version of my-service, while the second targets only version: v1 (a selector matches a pod when all of its matchLabels are present on that pod). This overlap can cause conflicts in mTLS settings for the v1 pods.

  2. Multiple RequestAuthentication Objects with Overlapping Selectors

    First RequestAuthentication Object:

    apiVersion: security.istio.io/v1beta1
    kind: RequestAuthentication
    metadata:
      name: jwt-auth
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: my-service
      jwtRules:
      - issuer: "https://secure.token.service"
        jwksUri: "https://secure.token.service/.well-known/jwks.json"

    Second RequestAuthentication Object:

    apiVersion: security.istio.io/v1beta1
    kind: RequestAuthentication
    metadata:
      name: another-jwt-auth
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: my-service
      jwtRules:
      - issuer: "https://another.token.service"
        jwksUri: "https://another.token.service/.well-known/jwks.json"

    Explanation: Both policies apply to the same workload, causing it to validate JWTs from multiple issuers. This can lead to authentication conflicts and unintended access behavior.

  3. Multiple Telemetry Objects with Overlapping Selectors

    First Telemetry Object:

    apiVersion: telemetry.istio.io/v1alpha1
    kind: Telemetry
    metadata:
      name: telemetry-logging
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: my-service
      accessLogging:
      - disabled: false

    Second Telemetry Object:

    apiVersion: telemetry.istio.io/v1alpha1
    kind: Telemetry
    metadata:
      name: telemetry-metrics
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: my-service
      metrics:
      - disabled: true

    Explanation: Both telemetry configurations target my-service, but they configure different aspects (logging and metrics). Managing multiple telemetry objects can cause confusion and inconsistent telemetry data.
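The three examples above share one pattern: two objects of the same kind, in the same namespace, whose selectors can land on the same pod. The following script, added here as an illustration and not Tetrate's or Istio's own checker, shows the detection logic behind that finding. It transcribes the six conflicting objects and the three merged objects from this page as Python dicts (a constructed sample, so it runs without a YAML parser), then checks them two ways: per workload, given a pod's labels, and statically, by comparing selectors pairwise. The namespace, object names and labels are the page's own; the function names are the script's own.

```python
"""Detect TIS0002-style overlap: several Istio configuration objects of one
kind whose workload selectors can match the same pod in the same namespace.
Added illustration for this page, not Tetrate's or Istio's own checker."""
from collections import defaultdict
from itertools import combinations

API = {"PeerAuthentication": "security.istio.io/v1beta1",
       "RequestAuthentication": "security.istio.io/v1beta1",
       "Telemetry": "telemetry.istio.io/v1alpha1"}


def _obj(kind, name, match_labels, **spec):
    """Build one object as a dict, mirroring the YAML layout on this page."""
    return {"apiVersion": API[kind], "kind": kind,
            "metadata": {"name": name, "namespace": "example-namespace"},
            "spec": {"selector": {"matchLabels": match_labels}, **spec}}


# Constructed sample: the six conflicting objects from the Examples section.
SAMPLE_OBJECTS = [
    _obj("PeerAuthentication", "mtls-strict", {"app": "my-service"},
         mtls={"mode": "STRICT"}),
    _obj("PeerAuthentication", "mtls-permissive",
         {"app": "my-service", "version": "v1"}, mtls={"mode": "PERMISSIVE"}),
    _obj("RequestAuthentication", "jwt-auth", {"app": "my-service"},
         jwtRules=[{"issuer": "https://secure.token.service",
                    "jwksUri": "https://secure.token.service/.well-known/jwks.json"}]),
    _obj("RequestAuthentication", "another-jwt-auth", {"app": "my-service"},
         jwtRules=[{"issuer": "https://another.token.service",
                    "jwksUri": "https://another.token.service/.well-known/jwks.json"}]),
    _obj("Telemetry", "telemetry-logging", {"app": "my-service"},
         accessLogging=[{"disabled": False}]),
    _obj("Telemetry", "telemetry-metrics", {"app": "my-service"},
         metrics=[{"disabled": True}]),
]

# The merged objects from the Recommendation section: one object per kind.
MERGED_OBJECTS = [
    _obj("PeerAuthentication", "mtls-settings", {"app": "my-service"},
         mtls={"mode": "STRICT"}, portLevelMtls={8080: {"mode": "PERMISSIVE"}}),
    _obj("RequestAuthentication", "jwt-auth-combined", {"app": "my-service"},
         jwtRules=[{"issuer": "https://secure.token.service",
                    "jwksUri": "https://secure.token.service/.well-known/jwks.json"},
                   {"issuer": "https://another.token.service",
                    "jwksUri": "https://another.token.service/.well-known/jwks.json"}]),
    _obj("Telemetry", "telemetry-settings", {"app": "my-service"},
         accessLogging=[{"disabled": False}], metrics=[{"disabled": True}]),
]


def selector_labels(obj):
    return dict(obj.get("spec", {}).get("selector", {}).get("matchLabels", {}))


def selector_matches(match_labels, pod_labels):
    """Kubernetes matchLabels semantics: every selector key must be present on
    the pod with the same value; an empty selector matches every pod."""
    return all(pod_labels.get(k) == v for k, v in match_labels.items())


def selectors_can_overlap(a, b):
    """Two selectors can hit the same pod iff they agree on every key both set
    (a pod carries exactly one value per label key)."""
    return all(b.get(k, v) == v for k, v in a.items())


def objects_for_workload(objects, namespace, pod_labels):
    """Return {kind: [names]} for kinds where more than one object selects
    the given pod: the condition TIS0002 reports."""
    hits = defaultdict(list)
    for obj in objects:
        if obj["metadata"].get("namespace") != namespace:
            continue
        if selector_matches(selector_labels(obj), pod_labels):
            hits[obj["kind"]].append(obj["metadata"]["name"])
    return {kind: names for kind, names in hits.items() if len(names) > 1}


def overlapping_pairs(objects):
    """Static variant needing no pod labels: (kind, name_a, name_b) for
    same-kind, same-namespace objects whose selectors could match one pod."""
    pairs = []
    for a, b in combinations(objects, 2):
        if a["kind"] != b["kind"]:
            continue
        if a["metadata"].get("namespace") != b["metadata"].get("namespace"):
            continue
        if selectors_can_overlap(selector_labels(a), selector_labels(b)):
            pairs.append((a["kind"], a["metadata"]["name"], b["metadata"]["name"]))
    return pairs


if __name__ == "__main__":
    v1 = {"app": "my-service", "version": "v1"}
    print("per-workload:", objects_for_workload(SAMPLE_OBJECTS, "example-namespace", v1))
    print("static pairs:", overlapping_pairs(SAMPLE_OBJECTS))
    print("after merge: ", overlapping_pairs(MERGED_OBJECTS))
```

The per-workload check is the precise one: a version: v2 pod of my-service is selected by mtls-strict alone, so only the RequestAuthentication and Telemetry pairs are reported for it, while a v1 pod triggers all three. The static pairwise check errs on the side of reporting, since it flags any two selectors that could coexist on a pod; after the merge in the Recommendation section it reports nothing.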

Recommendation

If feasible, merge these objects into a single configuration.

  1. Consolidate PeerAuthentication Objects

    Merged PeerAuthentication Object:

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: mtls-settings
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: my-service
      mtls:
        mode: STRICT
      portLevelMtls:
        8080:
          mode: PERMISSIVE

    Explanation: By merging policies, you can specify both global and port-level mTLS settings within a single configuration, reducing the potential for conflict.

  2. Consolidate RequestAuthentication Objects

    Merged RequestAuthentication Object:

    apiVersion: security.istio.io/v1beta1
    kind: RequestAuthentication
    metadata:
      name: jwt-auth-combined
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: my-service
      jwtRules:
      - issuer: "https://secure.token.service"
        jwksUri: "https://secure.token.service/.well-known/jwks.json"
      - issuer: "https://another.token.service"
        jwksUri: "https://another.token.service/.well-known/jwks.json"

    Explanation: Combining JWT rules into a single policy simplifies authentication configuration and reduces the risk of conflicting rules.

  3. Consolidate Telemetry Objects

    Merged Telemetry Object:

    apiVersion: telemetry.istio.io/v1alpha1
    kind: Telemetry
    metadata:
      name: telemetry-settings
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: my-service
      accessLogging:
      - disabled: false
      metrics:
      - disabled: true

    Explanation: Merging telemetry configurations ensures consistent behavior and simplifies management of telemetry data collection.