Tetrate Istio Subscription (Version: Next)

TIS0205 - Missing PeerAuthentication for Mesh-Level mTLS

PeerAuthentication enabling mesh-level mTLS is missing.

Recommendation: Add Mesh-Level PeerAuthentication for Consistent mTLS

To ensure secure and consistent communication across the service mesh, add a mesh-level PeerAuthentication in the istio-system namespace. This configuration should specify the desired mTLS mode (STRICT or PERMISSIVE) to define how workloads communicate.

Examples

  1. No Mesh-Level PeerAuthentication Configured

    # No `PeerAuthentication` object present in the istio-system namespace

    Explanation: When there is no PeerAuthentication at the mesh level, no default mTLS mode is explicitly declared, so how communication is secured may differ from one part of the mesh to another. A mesh-level PeerAuthentication is required to define a default mTLS mode for all workloads.

Recommendation

Add a PeerAuthentication in the istio-system namespace without a selector (so it applies to every workload), setting the peer mTLS mode to STRICT or PERMISSIVE.

  1. Add Mesh-Level PeerAuthentication with STRICT Mode

    To enforce mTLS for all workloads in the mesh, add a PeerAuthentication in the istio-system namespace with STRICT mode.

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: default
      namespace: istio-system
    spec:
      mtls:
        mode: STRICT
  2. Add Mesh-Level PeerAuthentication with PERMISSIVE Mode

    To allow both mTLS and plaintext communication, add a PeerAuthentication in the istio-system namespace with PERMISSIVE mode.

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: default
      namespace: istio-system
    spec:
      mtls:
        mode: PERMISSIVE
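The following is an added example, not Tetrate's analyzer code: it applies the TIS0205 rule offline to the object list that `kubectl get peerauthentication -A -o json` returns, treating a policy as mesh-level when it sits in the root namespace (assumed to be the default, istio-system) and has no selector. The sample inputs are constructed.

```python
"""Offline TIS0205 check: is a mesh-level PeerAuthentication present, and with which mTLS mode?"""

ROOT_NAMESPACE = "istio-system"  # assumption: default Istio root namespace
RECOMMENDED_MODES = {"STRICT", "PERMISSIVE"}  # the modes this page recommends


def mesh_level_policies(pa_list: dict, root_namespace: str = ROOT_NAMESPACE) -> list:
    """Return every PeerAuthentication that applies mesh-wide (root namespace, no selector)."""
    found = []
    for item in pa_list.get("items", []):
        meta = item.get("metadata", {})
        spec = item.get("spec") or {}
        if meta.get("namespace") != root_namespace:
            continue  # namespace-level policy elsewhere: not mesh-wide
        if spec.get("selector"):
            continue  # selector present: workload-level policy, not mesh-wide
        found.append(item)
    return found


def check_tis0205(pa_list: dict, root_namespace: str = ROOT_NAMESPACE) -> dict:
    """Return {"ok": bool, "mode": str | None, "message": str} for the given policy list."""
    policies = mesh_level_policies(pa_list, root_namespace)
    if not policies:
        return {"ok": False, "mode": None,
                "message": f"TIS0205: no mesh-level PeerAuthentication in {root_namespace}"}
    # Istio honours only one mesh-wide policy (the oldest), so rank by creationTimestamp.
    policies.sort(key=lambda p: p["metadata"].get("creationTimestamp", ""))
    name = policies[0]["metadata"].get("name", "<unnamed>")
    mode = ((policies[0].get("spec") or {}).get("mtls") or {}).get("mode", "UNSET")
    if mode not in RECOMMENDED_MODES:
        return {"ok": False, "mode": mode,
                "message": f"TIS0205: mesh-level policy {name} has mtls mode {mode}; set STRICT or PERMISSIVE"}
    return {"ok": True, "mode": mode, "message": f"mesh-level mTLS mode is {mode}"}


# Constructed sample: only a namespace-level policy and a selector-scoped one exist -> finding raised.
SAMPLE_MISSING = {"items": [
    {"metadata": {"name": "default", "namespace": "payments"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"metadata": {"name": "legacy", "namespace": "istio-system"},
     "spec": {"selector": {"matchLabels": {"app": "legacy"}}, "mtls": {"mode": "PERMISSIVE"}}},
]}
# Constructed sample: the STRICT mesh-level policy shown on this page -> passes.
SAMPLE_OK = {"items": [
    {"metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},
]}

if __name__ == "__main__":
    for sample in (SAMPLE_MISSING, SAMPLE_OK):
        print(check_tis0205(sample)["message"])
```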