Tetrate Istio Subscription, Version: Next

TIS0104 - Mutual TLS (mTLS) is Required for Specified Configuration Field

Mutual TLS (mTLS) is required for this field.

Recommendation: Ensure Mutual TLS is Enabled Where Required

Mutual TLS is the basis of workload identity in the mesh: istiod issues each sidecar a certificate for its SPIFFE identity, the sidecars use those certificates to encrypt and authenticate service-to-service traffic, and the resulting peer identity is what AuthorizationPolicy rules match on. A field set to DISABLE turns this off for the traffic the resource covers. Satisfy this rule either by removing the field, so that auto mTLS (enabled by default) decides per destination, or by setting the mode explicitly to a mutual mode: ISTIO_MUTUAL in a DestinationRule, STRICT in a PeerAuthentication. Note that auto mTLS only applies to destinations whose DestinationRule does not specify TLS settings, so enabling it cannot override a field that still says DISABLE.

Examples

  1. DestinationRule without mTLS Enabled

    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: no-mtls-destination-rule
      namespace: example-namespace
    spec:
      host: "my-service.example-namespace.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: DISABLE

    Explanation: tls.mode: DISABLE tells every client sidecar in the mesh to send plaintext to my-service. The traffic can be read or altered on the network, the server receives no client certificate and so cannot establish who is calling, any AuthorizationPolicy that matches on source principals no longer applies, and if my-service is in STRICT mode its sidecar rejects the plaintext connection outright. The field must be removed or set to ISTIO_MUTUAL.

  2. PeerAuthentication without mTLS

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: no-mtls-peer-auth
      namespace: example-namespace
    spec:
      mtls:
        mode: DISABLE

    Explanation: mtls.mode: DISABLE without a selector is a namespace-wide policy: the sidecars of every workload in example-namespace accept inbound traffic as plaintext, so no peer identity is attached to inbound requests, and with auto mTLS enabled clients will also switch to sending plaintext to those workloads. Set the mode to STRICT instead (PERMISSIVE only while migrating workloads that still lack a sidecar).

Recommendation

Remove the field that disables mTLS (or set it to a mutual mode) and make sure autoMtls is enabled, so that Istio selects mTLS by default.

  1. Remove the Field Disabling mTLS

    With no TLS setting in the DestinationRule, auto mTLS (enabled by default) has the client sidecar originate mTLS whenever the destination has a sidecar, so the rule is satisfied without pinning the mode. An empty trafficPolicy: {} is equivalent to omitting trafficPolicy altogether.

    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: mtls-destination-rule
      namespace: example-namespace
    spec:
      host: "my-service.example-namespace.svc.cluster.local"
      trafficPolicy: {}

  2. Enable mTLS Manually

    ISTIO_MUTUAL makes the client sidecar originate mTLS with the workload certificate issued by istiod, regardless of the auto mTLS setting. Use it when the mode should be pinned; the destination must have a sidecar, because a workload without one cannot terminate the mTLS handshake.

    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: mtls-enabled-destination-rule
      namespace: example-namespace
    spec:
      host: "my-service.example-namespace.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL

  3. Enable autoMtls in Mesh Configuration

    enableAutoMtls is true by default; set it explicitly if it has been turned off. Two caveats: auto mTLS is bypassed for any host whose DestinationRule specifies TLS settings, so a DISABLE field must still be removed, and auto mTLS only selects mTLS where the server can accept it, it does not reject plaintext. To enforce mTLS on the server side, use a PeerAuthentication with mtls.mode: STRICT.

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      name: example-istiocontrolplane
      namespace: istio-system
    spec:
      meshConfig:
        enableAutoMtls: true
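To find every field this rule complains about before applying a set of manifests, and to confirm that the corrected resources above pass, here is an added Python check. It is example code written for this page, not Tetrate's implementation of TIS0104 and not part of Istio. It takes manifests as plain dicts, the shape `kubectl get destinationrules,peerauthentications -A -o json` returns under `items`, and goes beyond the two cases shown on the page: it also inspects subset trafficPolicy, portLevelSettings and portLevelMtls, since a DISABLE hidden there switches off mTLS for that port just as effectively. The sample manifests, the `subset-plaintext` and `port-plaintext` resources and the `tis0104_check.py` filename are constructed for the example.

```python
"""Offline check for fields that disable mTLS (the condition TIS0104 flags).

Added example; not Tetrate's implementation of the rule. Manifests are plain
dicts, as in the `items` list of `kubectl get ... -o json` (apiVersion is
omitted from the samples below; the check keys on `kind`).
"""
import json
import sys

DISABLE = "DISABLE"


def _destinationrule_findings(spec):
    """Yield the path of every tls.mode: DISABLE in a DestinationRule spec,
    including per-subset and port-level overrides."""
    policies = [("spec.trafficPolicy", spec.get("trafficPolicy"))]
    for i, subset in enumerate(spec.get("subsets", [])):
        policies.append((f"spec.subsets[{i}].trafficPolicy", subset.get("trafficPolicy")))
    for path, tp in policies:
        if not tp:  # absent or trafficPolicy: {} leaves the choice to auto mTLS
            continue
        if tp.get("tls", {}).get("mode") == DISABLE:
            yield f"{path}.tls.mode"
        for j, pls in enumerate(tp.get("portLevelSettings", [])):
            if pls.get("tls", {}).get("mode") == DISABLE:
                yield f"{path}.portLevelSettings[{j}].tls.mode"


def _peerauthentication_findings(spec):
    """Yield the path of every mtls.mode: DISABLE in a PeerAuthentication spec,
    including per-port opt-outs (port keys are strings in kubectl's JSON)."""
    if spec.get("mtls", {}).get("mode") == DISABLE:
        yield "spec.mtls.mode"
    for port, setting in sorted(spec.get("portLevelMtls", {}).items()):
        if setting.get("mode") == DISABLE:
            yield f"spec.portLevelMtls[{port}].mode"


CHECKS = {
    "DestinationRule": _destinationrule_findings,
    "PeerAuthentication": _peerauthentication_findings,
}


def check_tis0104(manifests):
    """Return 'kind/namespace/name: field' for every mTLS-disabling field."""
    findings = []
    for obj in manifests:
        check = CHECKS.get(obj.get("kind"))
        if check is None:
            continue
        meta = obj.get("metadata", {})
        ident = f"{obj['kind']}/{meta.get('namespace', 'default')}/{meta.get('name')}"
        findings.extend(f"{ident}: {path}" for path in check(obj.get("spec", {})))
    return findings


# Constructed sample input: the page's two violating resources, its two
# corrected DestinationRules, and two extra resources (hypothetical names)
# that hide DISABLE in subset / port-level settings.
HOST = "my-service.example-namespace.svc.cluster.local"
NS = "example-namespace"
SAMPLE_MANIFESTS = [
    {"kind": "DestinationRule", "metadata": {"name": "no-mtls-destination-rule", "namespace": NS},
     "spec": {"host": HOST, "trafficPolicy": {"tls": {"mode": "DISABLE"}}}},
    {"kind": "PeerAuthentication", "metadata": {"name": "no-mtls-peer-auth", "namespace": NS},
     "spec": {"mtls": {"mode": "DISABLE"}}},
    {"kind": "DestinationRule", "metadata": {"name": "mtls-destination-rule", "namespace": NS},
     "spec": {"host": HOST, "trafficPolicy": {}}},
    {"kind": "DestinationRule", "metadata": {"name": "mtls-enabled-destination-rule", "namespace": NS},
     "spec": {"host": HOST, "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}},
    {"kind": "DestinationRule", "metadata": {"name": "subset-plaintext", "namespace": NS},
     "spec": {"host": HOST, "subsets": [{"name": "v1", "labels": {"version": "v1"},
              "trafficPolicy": {"portLevelSettings": [
                  {"port": {"number": 8080}, "tls": {"mode": "DISABLE"}}]}}]}},
    {"kind": "PeerAuthentication", "metadata": {"name": "port-plaintext", "namespace": NS},
     "spec": {"selector": {"matchLabels": {"app": "my-service"}}, "mtls": {"mode": "STRICT"},
              "portLevelMtls": {"9090": {"mode": "DISABLE"}}}},
]


if __name__ == "__main__":
    # Live cluster: kubectl get destinationrules,peerauthentications -A -o json | python3 tis0104_check.py
    items = SAMPLE_MANIFESTS if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    findings = check_tis0104(items)
    print("\n".join(findings) or "no mTLS-disabling fields found")
    sys.exit(1 if findings else 0)
```

Run without input to see the four findings from the constructed samples; pipe live objects in to lint a cluster. The check deliberately treats an empty or absent trafficPolicy as clean, matching the first fix above, and a subset or port-level DISABLE as a finding even when the top-level mode is ISTIO_MUTUAL or STRICT. It does not look at meshConfig, so it cannot tell you whether auto mTLS is on; that is a separate check against the IstioOperator or the istio ConfigMap.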