TIS0208 - PeerAuthentication
Enabling mTLS Found, Permissive Mode Needed
A PeerAuthentication enabling mTLS was found, but PERMISSIVE mode is required.

To ensure compatibility between services and clients that may not use mTLS, set the PeerAuthentication to PERMISSIVE mode. Alternatively, keep the PeerAuthentication in STRICT mode and add a DestinationRule with TLS mode ISTIO_MUTUAL so that mesh clients originate mTLS when they call the service, which maintains secure communication across the mesh. Note that PERMISSIVE mode accepts both mTLS and plaintext connections, so it weakens the guarantee that STRICT provides and is best treated as a migration step rather than a permanent setting.
Examples

- PeerAuthentication Configured with STRICT Mode

  apiVersion: security.istio.io/v1beta1
  kind: PeerAuthentication
  metadata:
    name: strict-peer-auth
    namespace: example-namespace
  spec:
    mtls:
      mode: STRICT

  Explanation: The PeerAuthentication is set to STRICT mode, which enforces mTLS for every workload in example-namespace (a PeerAuthentication with no selector applies to its whole namespace; it is mesh-wide only when placed in the Istio root namespace). However, in this scenario, PERMISSIVE mode is required to allow both mTLS and plaintext communication, ensuring compatibility with clients that may not use mTLS.

  Recommendation

  Change the PeerAuthentication to PERMISSIVE mode for the workloads in the namespace, or keep STRICT and add a DestinationRule with TLS mode ISTIO_MUTUAL so that mesh clients initiate mTLS.
- Change PeerAuthentication to PERMISSIVE Mode

  Update the PeerAuthentication to allow both mTLS and plaintext communication, providing flexibility for clients that do not use mTLS.

  apiVersion: security.istio.io/v1beta1
  kind: PeerAuthentication
  metadata:
    name: permissive-peer-auth
    namespace: example-namespace
  spec:
    mtls:
      mode: PERMISSIVE
- Update DestinationRule to Originate mTLS

  Alternatively, add or update a DestinationRule so that clients initiate mTLS when calling the service, making them compatible with the existing STRICT mode. A DestinationRule configures the client side (TLS origination in the client's sidecar); it does not change what the server accepts, so it only helps callers that have an Istio sidecar or gateway applying it. A client outside the mesh still cannot reach a STRICT workload, and for that case PERMISSIVE mode remains the only option.

  apiVersion: networking.istio.io/v1beta1
  kind: DestinationRule
  metadata:
    name: mtls-destination-rule
    namespace: example-namespace
  spec:
    host: "my-service.example-namespace.svc.cluster.local"
    trafficPolicy:
      tls:
        mode: ISTIO_MUTUAL
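The check behind this rule can be scripted against a cluster export. The following is an added example, not the tool's own implementation: it walks the `items` list that `kubectl get peerauthentications,destinationrules -A -o json` returns (already parsed, so no YAML library is needed), flags every PeerAuthentication in STRICT mode that has no ISTIO_MUTUAL DestinationRule covering its namespace, and stays quiet once either remediation above is applied. The root namespace name, the `*.local` wildcard host match, and the assumption that any ISTIO_MUTUAL DestinationRule in the same namespace covers the PeerAuthentication are simplifications of Istio's real host matching; the sample manifests at the bottom are constructed for the example.

```python
"""TIS0208-style check: STRICT PeerAuthentication without an ISTIO_MUTUAL
DestinationRule. Added example; not the linter's own code."""
from typing import Dict, List

ROOT_NAMESPACE = "istio-system"  # assumed Istio root namespace


def _nested(obj: Dict, *path: str) -> str:
    """Return the string at obj[path[0]][path[1]]... or "" if any key is missing."""
    node = obj
    for key in path:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, str) else ""


def strict_peer_auths(items: List[Dict]) -> List[Dict]:
    """PeerAuthentication objects whose top-level mtls.mode is STRICT.
    Port-level overrides and selector-scoped policies are not modelled."""
    return [i for i in items
            if i.get("kind") == "PeerAuthentication"
            and _nested(i, "spec", "mtls", "mode") == "STRICT"]


def istio_mutual_rules(items: List[Dict]) -> List[Dict]:
    """DestinationRule objects whose trafficPolicy.tls.mode is ISTIO_MUTUAL."""
    return [i for i in items
            if i.get("kind") == "DestinationRule"
            and _nested(i, "spec", "trafficPolicy", "tls", "mode") == "ISTIO_MUTUAL"]


def rule_covers(rule: Dict, namespace: str) -> bool:
    """Simplified coverage: a rule in the same namespace, or a mesh-wide rule
    in the root namespace with the '*.local' wildcard host (assumption)."""
    rule_ns = _nested(rule, "metadata", "namespace")
    host = _nested(rule, "spec", "host")
    if rule_ns == namespace:
        return True
    return rule_ns == ROOT_NAMESPACE and host in ("*.local", "*")


def check_tis0208(items: List[Dict]) -> List[str]:
    """One finding per STRICT PeerAuthentication lacking an ISTIO_MUTUAL rule."""
    findings = []
    rules = istio_mutual_rules(items)
    for pa in strict_peer_auths(items):
        ns = _nested(pa, "metadata", "namespace")
        name = _nested(pa, "metadata", "name")
        if not any(rule_covers(r, ns) for r in rules):
            findings.append(
                f"TIS0208 {ns}/{name}: STRICT mTLS without an ISTIO_MUTUAL "
                f"DestinationRule; set PERMISSIVE or add a DestinationRule")
    return findings


# Constructed sample objects, shaped like kubectl -o json output.
def _peer_auth(name: str, ns: str, mode: str) -> Dict:
    return {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
            "metadata": {"name": name, "namespace": ns},
            "spec": {"mtls": {"mode": mode}}}


def _dest_rule(name: str, ns: str, host: str, mode: str) -> Dict:
    return {"apiVersion": "networking.istio.io/v1beta1", "kind": "DestinationRule",
            "metadata": {"name": name, "namespace": ns},
            "spec": {"host": host, "trafficPolicy": {"tls": {"mode": mode}}}}


STRICT_ONLY = [_peer_auth("strict-peer-auth", "example-namespace", "STRICT")]
STRICT_WITH_RULE = STRICT_ONLY + [
    _dest_rule("mtls-destination-rule", "example-namespace",
               "my-service.example-namespace.svc.cluster.local", "ISTIO_MUTUAL")]
STRICT_WITH_MESH_RULE = STRICT_ONLY + [
    _dest_rule("mesh-default", ROOT_NAMESPACE, "*.local", "ISTIO_MUTUAL")]
STRICT_WITH_WRONG_RULE = STRICT_ONLY + [
    _dest_rule("plain", "example-namespace",
               "my-service.example-namespace.svc.cluster.local", "DISABLE")]
PERMISSIVE_ONLY = [_peer_auth("permissive-peer-auth", "example-namespace", "PERMISSIVE")]

if __name__ == "__main__":
    for label, items in [("strict only", STRICT_ONLY), ("strict + rule", STRICT_WITH_RULE),
                         ("strict + wrong rule", STRICT_WITH_WRONG_RULE),
                         ("permissive", PERMISSIVE_ONLY)]:
        print(label, "->", check_tis0208(items) or "no findings")
```

Run it against a real cluster by replacing the constructed lists with `json.load(...)["items"]` from a `kubectl get peerauthentications,destinationrules -A -o json` export. A DestinationRule whose TLS mode is anything other than ISTIO_MUTUAL (for example DISABLE) does not silence the finding, mirroring the page's advice that only ISTIO_MUTUAL makes mesh clients compatible with STRICT.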