Tetrate Istio Subscription, Version: Next

TIS0206 - Missing PeerAuthentication for Namespace-Wide mTLS

PeerAuthentication enabling namespace-wide mTLS is missing.

Recommendation: Add Namespace-Wide PeerAuthentication for Proper mTLS Handling

To ensure that workloads in the namespace can handle mTLS connections, add a namespace-wide PeerAuthentication setting mTLS to STRICT or PERMISSIVE. This ensures consistent communication and prevents connection failures when clients initiate mTLS connections.

Examples

  1. No Namespace-Wide PeerAuthentication Configured

    # No `PeerAuthentication` object present in the namespace

    Explanation: Without a namespace-wide PeerAuthentication, workloads in the namespace may not be configured to accept mTLS connections, so clients that expect mTLS to be enabled can fail to connect when they initiate mTLS.

Recommendation

A PeerAuthentication enabling mTLS is required for workloads in the namespace; otherwise, clients will initiate mTLS connections that the workloads cannot handle. Add a PeerAuthentication in the same namespace as the DestinationRule, setting the mTLS mode to STRICT or PERMISSIVE and omitting the workload selector (no targets) so that it applies to the whole namespace.

  1. Add Namespace-Wide PeerAuthentication with STRICT Mode

    To enforce mTLS for all workloads within a specific namespace, add a PeerAuthentication with STRICT mode.

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: namespace-wide-strict
      namespace: example-namespace
    spec:
      mtls:
        mode: STRICT
  2. Add Namespace-Wide PeerAuthentication with PERMISSIVE Mode

    To allow both mTLS and plaintext communication for workloads in the namespace, add a PeerAuthentication with PERMISSIVE mode.

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: namespace-wide-permissive
      namespace: example-namespace
    spec:
      mtls:
        mode: PERMISSIVE
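One way to check a cluster for this finding, as an added example rather than code from the Tetrate analyzer: it takes the `items` list from `kubectl get peerauthentication -A -o json` and reports namespaces that lack a selector-less PeerAuthentication whose mode is STRICT or PERMISSIVE. The sample objects, namespace names and helper `_pa` are constructed for the example.

```python
"""Detect namespaces with no namespace-wide PeerAuthentication enabling mTLS,
the condition TIS0206 reports. Input is the `items` list returned by
`kubectl get peerauthentication -A -o json`; the objects below are constructed."""

ENABLING_MODES = {"STRICT", "PERMISSIVE"}

def is_namespace_wide(pa: dict) -> bool:
    """No workload selector means the policy applies to the whole namespace."""
    selector = pa.get("spec", {}).get("selector") or {}
    return not selector.get("matchLabels")

def enables_mtls(pa: dict) -> bool:
    """Only STRICT or PERMISSIVE count; DISABLE does not, and a missing/UNSET mode
    inherits from the mesh policy rather than enabling mTLS for the namespace."""
    mtls = pa.get("spec", {}).get("mtls") or {}
    return str(mtls.get("mode", "UNSET")).upper() in ENABLING_MODES

def namespace_wide_mtls_policies(items: list, namespace: str) -> list:
    """Names of the policies in `namespace` that satisfy the check."""
    return [pa["metadata"]["name"] for pa in items
            if pa["metadata"]["namespace"] == namespace
            and is_namespace_wide(pa) and enables_mtls(pa)]

def check_tis0206(items: list, namespaces: list) -> list:
    """Sorted list of namespaces for which the finding applies."""
    return sorted(ns for ns in namespaces
                  if not namespace_wide_mtls_policies(items, ns))

def _pa(name, namespace, mode=None, match_labels=None):
    """Build a constructed PeerAuthentication object in kubectl JSON shape."""
    spec = {}
    if mode is not None:
        spec["mtls"] = {"mode": mode}
    if match_labels is not None:
        spec["selector"] = {"matchLabels": match_labels}
    return {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}

# Constructed inventory: only "payments" has a namespace-wide policy enabling mTLS.
SAMPLE_ITEMS = [
    _pa("namespace-wide-strict", "payments", mode="STRICT"),
    _pa("api-only-strict", "orders", mode="STRICT", match_labels={"app": "api"}),
    _pa("legacy-disable", "inventory", mode="DISABLE"),
    _pa("inherit-mesh", "billing"),  # no mtls block, so the mode is UNSET
]
SAMPLE_NAMESPACES = ["payments", "orders", "inventory", "billing", "shipping"]

if __name__ == "__main__":
    for ns in check_tis0206(SAMPLE_ITEMS, SAMPLE_NAMESPACES):
        print(f"TIS0206 {ns}: no namespace-wide PeerAuthentication enabling mTLS")
```

A policy that only targets some workloads via a selector, or one with mode DISABLE, does not clear the finding for its namespace, which is why "orders" and "inventory" are still reported.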