Tetrate Istio Subscription (Version: Next)

TIS0204 - Mutual TLS (mTLS) Settings Overridden by Non-Local DestinationRule

Mutual TLS (mTLS) settings from a non-local DestinationRule are being overridden.

Recommendation: Ensure Consistent mTLS Settings

To prevent conflicts in mTLS settings, avoid overlapping DestinationRule configurations by merging local and global TLS settings into a single rule. This ensures consistent mTLS behavior and reduces the risk of unpredictable overrides.

Examples

  1. Local DestinationRule Overridden by Higher-Level mTLS Settings

    Local DestinationRule:

    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: local-destination-rule
      namespace: example-namespace
    spec:
      host: "my-service.example-namespace.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: DISABLE

    Non-local DestinationRule (in istio-system):

    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: global-destination-rule
      namespace: istio-system
    spec:
      host: "*.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL

    Explanation: The global DestinationRule in istio-system sets tls.mode to ISTIO_MUTUAL, while the local DestinationRule in example-namespace disables mTLS (tls.mode: DISABLE). The higher-level configuration overrides the local rule, so the mTLS settings for my-service are inconsistent.

  2. Conflicting mTLS Settings Between Local and Global Rules

    Local DestinationRule:

    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: disable-mtls-rule
      namespace: app-namespace
    spec:
      host: "app-service.app-namespace.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: DISABLE

    Global DestinationRule:

    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: enable-mtls-rule
      namespace: istio-system
    spec:
      host: "*.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL

    Explanation: The local DestinationRule attempts to disable mTLS for app-service, but the global rule enables mTLS for all services in the mesh. This conflict results in unpredictable behavior in the mTLS settings.

Recommendation

This message indicates that mTLS may be enabled or disabled by a higher-level DestinationRule. Merge the TLS settings into a single DestinationRule to resolve the issue.

  1. Merge mTLS Settings into a Single DestinationRule

    To ensure consistent mTLS behavior, merge the TLS settings from local and global DestinationRule configurations.

    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: merged-destination-rule
      namespace: istio-system
    spec:
      host: "*.svc.cluster.local"
      trafficPolicy:
        portLevelSettings:
        - port:
            number: 8080
          tls:
            mode: DISABLE
        tls:
          mode: ISTIO_MUTUAL

  2. Use Port-Level mTLS Settings

    If some services require different mTLS behavior, use port-level mTLS settings to avoid conflicts.

    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: flexible-mtls-rule
      namespace: istio-system
    spec:
      host: "*.svc.cluster.local"
      trafficPolicy:
        portLevelSettings:
        - port:
            number: 80
          tls:
            mode: DISABLE
        - port:
            number: 443
          tls:
            mode: ISTIO_MUTUAL
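The check below is an added illustration, not Tetrate's or Istio's own analyzer code: it takes the DestinationRules from the examples above as constructed Python dicts, resolves the tls.mode each rule applies to a given port (portLevelSettings win over the top-level tls block), and reports a local rule whose concrete host is also matched by a wildcard rule in istio-system with a different mode. Running it with port 8080 shows why the merged rule no longer conflicts for that port while the original global rule still does; the root namespace name and the dict layout are assumptions for the example.

```python
from fnmatch import fnmatchcase

ROOT_NAMESPACE = "istio-system"  # Istio's default root configuration namespace

# Constructed DestinationRules mirroring the manifests on this page (metadata + spec only).
RULES = [
    {"name": "local-destination-rule", "namespace": "example-namespace",
     "host": "my-service.example-namespace.svc.cluster.local",
     "trafficPolicy": {"tls": {"mode": "DISABLE"}}},
    {"name": "global-destination-rule", "namespace": ROOT_NAMESPACE,
     "host": "*.svc.cluster.local", "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}},
    {"name": "merged-destination-rule", "namespace": ROOT_NAMESPACE,
     "host": "*.svc.cluster.local",
     "trafficPolicy": {
         "portLevelSettings": [{"port": {"number": 8080}, "tls": {"mode": "DISABLE"}}],
         "tls": {"mode": "ISTIO_MUTUAL"}}},
]

def effective_tls_mode(rule, port=None):
    """tls.mode a rule applies to `port`; a matching portLevelSettings entry wins."""
    policy = rule.get("trafficPolicy", {})
    if port is not None:
        for setting in policy.get("portLevelSettings", []):
            if setting.get("port", {}).get("number") == port and "tls" in setting:
                return setting["tls"].get("mode")
    return policy.get("tls", {}).get("mode")

def host_matches(pattern, host):
    """Istio hosts may carry a leading '*' wildcard, e.g. '*.svc.cluster.local'."""
    return fnmatchcase(host, pattern)

def find_mtls_overrides(rules, port=None):
    """Return (local_rule, root_rule, local_mode, root_mode) for each conflicting pair.

    A pair conflicts when a rule outside the root namespace names a concrete host,
    a rule in the root namespace matches that host, and the two resolve to
    different tls.mode values for `port` (None = compare top-level settings only).
    """
    findings = []
    for local in rules:
        if local["namespace"] == ROOT_NAMESPACE or "*" in local["host"]:
            continue
        for root in rules:
            if root["namespace"] != ROOT_NAMESPACE or not host_matches(root["host"], local["host"]):
                continue
            local_mode, root_mode = effective_tls_mode(local, port), effective_tls_mode(root, port)
            if local_mode != root_mode:
                findings.append((local["name"], root["name"], local_mode, root_mode))
    return findings
```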