Tetrate Istio Subscription (Version: Next)

TIS0207 - PeerAuthentication with STRICT Mode Found, Should Be PERMISSIVE

A PeerAuthentication with mTLS set to STRICT mode was found, but it should be set to PERMISSIVE.

Recommendation: Ensure Compatibility Between PeerAuthentication and Client Settings

To prevent communication failures, ensure that PeerAuthentication is set to PERMISSIVE mode if clients may use plaintext connections, or update the DestinationRule to enforce mTLS. This ensures compatibility and successful communication between services.

Examples

  1. PeerAuthentication Configured with STRICT Mode

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: strict-peer-auth
      namespace: example-namespace
    spec:
      mtls:
        mode: STRICT

    Explanation: The PeerAuthentication is configured with STRICT mode, which enforces mTLS for all communication in the namespace. However, clients may initiate plaintext communication that the workloads cannot accept, leading to failures in connectivity.

Recommendation

Change the PeerAuthentication to PERMISSIVE mode or update the DestinationRule to initiate communications using mTLS.

  1. Change PeerAuthentication to PERMISSIVE Mode

    Update the PeerAuthentication to allow both mTLS and plaintext communication, ensuring compatibility with clients that do not use mTLS.

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: permissive-peer-auth
      namespace: example-namespace
    spec:
      mtls:
        mode: PERMISSIVE

  2. Update DestinationRule to Initiate mTLS Communication

    Alternatively, update the DestinationRule to ensure that clients initiate communication using mTLS, making it compatible with the STRICT mode.

    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: mtls-destination-rule
      namespace: example-namespace
    spec:
      host: "my-service.example-namespace.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL
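The following script is an added example, not part of the TIS documentation or the TIS analyzer's own code. It reproduces the TIS0207 condition offline over the three manifests above, pre-parsed into Python dicts (constructed input, so no YAML library or cluster is needed): a namespace is flagged when its effective PeerAuthentication mode is STRICT and a service host has no DestinationRule with tls.mode ISTIO_MUTUAL. It assumes Istio's scoping rules as documented: a PeerAuthentication without spec.selector applies to its whole namespace, the mesh-wide policy lives in the root namespace (istio-system by default), and an unset mode inherits from the parent scope. Selector-scoped PeerAuthentications, port-level tls overrides and DestinationRules defined in a client's own namespace are deliberately ignored to keep the check short. Of the two fixes the page offers, note that PERMISSIVE makes the workloads accept plaintext as well as mTLS, whereas the DestinationRule fix keeps STRICT's guarantee for clients that run a sidecar.

```python
# Added example: offline check for the TIS0207 condition over parsed Istio
# resources. Not the TIS analyzer's code; scoping rules are simplified as
# described in the lead-in.

ROOT_NAMESPACE = "istio-system"  # Istio's default root namespace

# The page's three example manifests, already parsed from YAML (constructed input).
STRICT_PEER_AUTH = {
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "PeerAuthentication",
    "metadata": {"name": "strict-peer-auth", "namespace": "example-namespace"},
    "spec": {"mtls": {"mode": "STRICT"}},
}
PERMISSIVE_PEER_AUTH = {
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "PeerAuthentication",
    "metadata": {"name": "permissive-peer-auth", "namespace": "example-namespace"},
    "spec": {"mtls": {"mode": "PERMISSIVE"}},
}
MTLS_DESTINATION_RULE = {
    "apiVersion": "networking.istio.io/v1beta1",
    "kind": "DestinationRule",
    "metadata": {"name": "mtls-destination-rule", "namespace": "example-namespace"},
    "spec": {
        "host": "my-service.example-namespace.svc.cluster.local",
        "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}},
    },
}


def _in_namespace(resource, kind, namespace):
    return (resource.get("kind") == kind
            and resource.get("metadata", {}).get("namespace") == namespace)


def effective_mtls_mode(resources, namespace):
    """Return the mTLS mode that applies to every workload in `namespace`.

    A namespace-wide PeerAuthentication (no selector) wins over the mesh-wide
    one in the root namespace; a missing or UNSET mode inherits from the next
    scope. With nothing configured Istio behaves as PERMISSIVE.
    """
    for scope in (namespace, ROOT_NAMESPACE):
        for r in resources:
            if _in_namespace(r, "PeerAuthentication", scope) and not r.get("spec", {}).get("selector"):
                mode = r["spec"].get("mtls", {}).get("mode", "UNSET")
                if mode != "UNSET":
                    return mode
    return "PERMISSIVE"


def hosts_initiating_mtls(resources, namespace):
    """Hosts for which a DestinationRule in `namespace` makes clients send mTLS."""
    hosts = set()
    for r in resources:
        if _in_namespace(r, "DestinationRule", namespace):
            tls = r.get("spec", {}).get("trafficPolicy", {}).get("tls", {})
            if tls.get("mode") == "ISTIO_MUTUAL":
                hosts.add(r["spec"].get("host"))
    return hosts


def check_tis0207(resources, namespace, service_hosts):
    """Return one finding per service host enforced as STRICT but lacking a
    DestinationRule that makes clients initiate mTLS. An empty list means the
    namespace is consistent (PERMISSIVE, or STRICT with matching rules)."""
    if effective_mtls_mode(resources, namespace) != "STRICT":
        return []
    covered = hosts_initiating_mtls(resources, namespace)
    return [
        f"TIS0207: {namespace}: STRICT PeerAuthentication but no ISTIO_MUTUAL "
        f"DestinationRule for {host}; plaintext clients of {host} will fail"
        for host in service_hosts if host not in covered
    ]


if __name__ == "__main__":
    hosts = ["my-service.example-namespace.svc.cluster.local"]
    for label, bundle in [
        ("STRICT alone", [STRICT_PEER_AUTH]),
        ("STRICT + ISTIO_MUTUAL DestinationRule", [STRICT_PEER_AUTH, MTLS_DESTINATION_RULE]),
        ("PERMISSIVE", [PERMISSIVE_PEER_AUTH]),
    ]:
        print(label, "->", check_tis0207(bundle, "example-namespace", hosts) or "no findings")
```

Running the script prints a finding only for the first bundle, which matches the page's three manifests: STRICT on its own is flagged, STRICT together with the ISTIO_MUTUAL DestinationRule is accepted, and PERMISSIVE is accepted.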