Tetrate Istio Subscription (Version: Next)

TIS0401 - Mesh-Wide DestinationRule Enabling mTLS is Missing

A mesh-wide DestinationRule enabling mTLS is missing.

Recommendation: Add Mesh-Wide DestinationRule to Enforce mTLS

To ensure secure communication between services, add a mesh-wide DestinationRule that sets the `tls` traffic policy mode to `ISTIO_MUTUAL` for all services in the mesh.

Examples

  1. No Mesh-Wide DestinationRule Configured

    ```yaml
    # No mesh-wide `DestinationRule` present in the mesh configuration
    ```

    Explanation: Without a mesh-wide DestinationRule specifying mTLS, secure communication between services in the mesh is not enforced. This may lead to plaintext traffic between services, which compromises security.

Recommendation

Add a DestinationRule with a `*.cluster.local` host and `ISTIO_MUTUAL` as the `tls` traffic policy mode to enforce mTLS across the mesh.

  1. Add Mesh-Wide DestinationRule to Enforce mTLS

    Create a DestinationRule in the `istio-system` namespace that applies to all services in the mesh, enabling `ISTIO_MUTUAL` mode for mTLS.

    ```yaml
    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: mesh-wide-mtls
      namespace: istio-system
    spec:
      host: "*.cluster.local"
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL
    ```

    Explanation: This DestinationRule enforces mTLS for all services within the mesh by applying the rule to any host ending in `.cluster.local`. Setting the `tls` mode to `ISTIO_MUTUAL` ensures that all services use mutual TLS for secure communication.
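As an added check (not part of the TIS documentation or tooling), the following Python script applies the TIS0401 criteria above to a list of DestinationRule objects: it assumes `istio-system` is the root namespace, treats `*.cluster.local` and `*` as mesh-wide hosts, and also rejects rules whose `exportTo` scopes them to only some namespaces. The sample objects are constructed inline; piping real `kubectl` output in works the same way.

```python
import json
import sys

ROOT_NAMESPACE = "istio-system"             # Istio's default root (config) namespace
MESH_WIDE_HOSTS = {"*.cluster.local", "*"}  # host patterns that cover every mesh service


def is_mesh_wide_mtls_rule(rule: dict) -> bool:
    """True if `rule` is a DestinationRule applying ISTIO_MUTUAL to all mesh hosts."""
    if rule.get("kind") != "DestinationRule":
        return False
    if rule.get("metadata", {}).get("namespace") != ROOT_NAMESPACE:
        return False  # only rules in the root namespace apply to the whole mesh
    spec = rule.get("spec", {})
    if spec.get("host") not in MESH_WIDE_HOSTS:
        return False  # a single-service host does not cover the mesh
    export_to = spec.get("exportTo")  # unset means exported to all namespaces
    if export_to is not None and "*" not in export_to:
        return False  # a rule exported only to some namespaces is not mesh-wide
    tls = spec.get("trafficPolicy", {}).get("tls", {})
    return tls.get("mode") == "ISTIO_MUTUAL"


def check_tis0401(items: list) -> tuple:
    """Return (passes, names of mesh-wide mTLS DestinationRules) for a list of objects."""
    names = [r["metadata"]["name"] for r in items if is_mesh_wide_mtls_rule(r)]
    return bool(names), names


# Constructed sample objects, shaped like `items` of `kubectl get destinationrules -A -o json`.
SAMPLE_ITEMS = [
    {"kind": "DestinationRule",  # per-service rule: correct mode, but not mesh-wide
     "metadata": {"name": "reviews-mtls", "namespace": "istio-system"},
     "spec": {"host": "reviews.default.svc.cluster.local",
              "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}},
    {"kind": "DestinationRule",  # mesh host pattern, but in an application namespace
     "metadata": {"name": "mtls-in-default", "namespace": "default"},
     "spec": {"host": "*.cluster.local",
              "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}},
    {"kind": "DestinationRule",  # the rule this page recommends
     "metadata": {"name": "mesh-wide-mtls", "namespace": "istio-system"},
     "spec": {"host": "*.cluster.local",
              "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}},
]

if __name__ == "__main__":
    # Real cluster state: kubectl get destinationrules -A -o json | python3 tis0401.py
    items = SAMPLE_ITEMS if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    ok, found = check_tis0401(items)
    print("TIS0401 pass" if ok else "TIS0401 FAIL: no mesh-wide mTLS DestinationRule", found)
```

The DestinationRule configures the client side of each connection; whether servers accept only mTLS is governed separately by PeerAuthentication, which this script does not check.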