Tetrate Istio Subscription, Version: Next

TIS0501 - Namespace-Wide DestinationRule Enabling mTLS is Missing

A DestinationRule enabling namespace-wide mTLS is missing.

Recommendation: Add Namespace-Wide DestinationRule to Enforce mTLS

To secure communication between services within a namespace, add a namespace-wide DestinationRule (host `*.<namespace>.svc.cluster.local`) whose tls traffic policy mode is ISTIO_MUTUAL. This configures the client-side sidecars to originate mutual TLS, using Istio-issued certificates, for every connection to a service in that namespace. Two caveats a practitioner should keep in mind: a DestinationRule governs what the client sends, so plaintext from clients outside the mesh is only rejected if the namespace also has a PeerAuthentication in STRICT mode; and setting an explicit tls mode turns off Istio's automatic mTLS detection for the matched hosts, so every service matched by the rule must have a sidecar or connections to it will fail.

Examples

  1. No Namespace-Wide DestinationRule Configured

    # No namespace-wide `DestinationRule` present in the namespace configuration

    Explanation: Without a namespace-wide DestinationRule specifying mTLS, the client sidecars are not explicitly told to originate mutual TLS to services in this namespace, so whether traffic is encrypted depends entirely on Istio's automatic mTLS detection and on the PeerAuthentication policy in effect. Services may end up communicating in plaintext, which compromises security within the namespace.

Recommendation

Add a DestinationRule whose host is `*.[namespace].svc.cluster.local` (the DNS suffix shared by every service in the namespace) and whose tls traffic policy mode is ISTIO_MUTUAL, so that mTLS is used for all services within the namespace.

  1. Add Namespace-Wide DestinationRule to Enforce mTLS

    Create a DestinationRule in the target namespace that applies to all services within that namespace, enabling ISTIO_MUTUAL mode for mTLS.

    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: namespace-wide-mtls
      namespace: example-namespace
    spec:
      host: "*.example-namespace.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL

    Explanation: This DestinationRule applies to every host ending in .example-namespace.svc.cluster.local, that is, to all services in example-namespace. Setting the tls mode to ISTIO_MUTUAL makes the client sidecars originate mutual TLS, with certificates issued by Istio, for all traffic to those services. To also reject any plaintext that reaches the services, combine it with a PeerAuthentication in STRICT mode for the same namespace.
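The following is an added example, not Tetrate's or Istio's own code, showing how the TIS0501 condition can be checked offline against the DestinationRule objects a cluster returns (the shape of `kubectl get destinationrules -A -o json`). The rules it inspects are constructed inline; `ROOT_NAMESPACE` and `CLUSTER_DOMAIN` are assumed to be the Istio and Kubernetes defaults. It goes slightly beyond the page's exact-host case: Istio wildcard hosts match by DNS suffix, so a rule such as `*.svc.cluster.local`, or the mesh-wide `*.local` form from Istio's own documentation, is also treated as covering the namespace, and it honours `exportTo` scoping.

```python
"""Offline check for TIS0501: does a namespace have a covering DestinationRule
whose top-level trafficPolicy.tls.mode is ISTIO_MUTUAL?

Added example, not Tetrate's or Istio's code. Input objects are constructed;
ROOT_NAMESPACE and CLUSTER_DOMAIN are assumed defaults.
"""
from typing import Dict, List, Optional

ROOT_NAMESPACE = "istio-system"   # assumption: default Istio root namespace
CLUSTER_DOMAIN = "cluster.local"  # assumption: default Kubernetes cluster domain


def namespace_suffix(namespace: str) -> str:
    """DNS suffix shared by every service in the namespace."""
    return f"{namespace}.svc.{CLUSTER_DOMAIN}"


def top_level_tls_mode(rule: dict) -> Optional[str]:
    """trafficPolicy.tls.mode at the top level, or None when unset.
    portLevelSettings are ignored on purpose: they only cover one port, so they
    cannot satisfy a namespace-wide requirement."""
    return rule.get("spec", {}).get("trafficPolicy", {}).get("tls", {}).get("mode")


def visible_in(rule: dict, namespace: str) -> bool:
    """exportTo scoping: absent means '*' (all namespaces); '.' means own namespace only."""
    rule_ns = rule["metadata"]["namespace"]
    exported = rule["spec"].get("exportTo", ["*"])
    return rule_ns == namespace or "*" in exported or namespace in exported


def covers_namespace(rule: dict, namespace: str) -> bool:
    """True if the rule's host selects every service in `namespace`.
    Istio wildcard hosts ('*.' + suffix) match by DNS suffix, so
    '*.<ns>.svc.cluster.local', '*.svc.cluster.local' and '*.local' all qualify;
    an exact host such as 'cart.<ns>.svc.cluster.local' never does."""
    if not visible_in(rule, namespace):
        return False
    host = rule["spec"]["host"]
    if not host.startswith("*."):
        return False
    suffix = host[2:]
    target = namespace_suffix(namespace)
    return target == suffix or target.endswith("." + suffix)


def check(rules: List[dict], namespace: str) -> Dict:
    """Conservative verdict: compliant only if at least one covering rule sets
    ISTIO_MUTUAL and no covering rule sets anything else (Istio would prefer the
    most specific host, but a covering DISABLE/SIMPLE rule still deserves review)."""
    mtls, non_mtls = [], []
    for rule in rules:
        if not covers_namespace(rule, namespace):
            continue
        name = f'{rule["metadata"]["namespace"]}/{rule["metadata"]["name"]}'
        (mtls if top_level_tls_mode(rule) == "ISTIO_MUTUAL" else non_mtls).append(name)
    return {"namespace": namespace, "compliant": bool(mtls) and not non_mtls,
            "mtls_rules": mtls, "non_mtls_rules": non_mtls}


def dr(name: str, namespace: str, host: str, mode: Optional[str] = None,
       export_to: Optional[List[str]] = None) -> dict:
    """Build a minimal DestinationRule object (constructed test data)."""
    spec: Dict = {"host": host}
    if mode:
        spec["trafficPolicy"] = {"tls": {"mode": mode}}
    if export_to:
        spec["exportTo"] = export_to
    return {"apiVersion": "networking.istio.io/v1beta1", "kind": "DestinationRule",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


# Constructed sample: one compliant namespace, one with a plaintext override,
# one with no applicable rule at all (the rule in 'shared' is not exported to it).
SAMPLE_RULES = [
    dr("namespace-wide-mtls", "payments", "*.payments.svc.cluster.local", "ISTIO_MUTUAL"),
    dr("cart-only", "checkout", "cart.checkout.svc.cluster.local", "ISTIO_MUTUAL"),
    dr("checkout-plaintext", "checkout", "*.checkout.svc.cluster.local", "DISABLE"),
    dr("private-to-shared", "shared", "*.orders.svc.cluster.local", "ISTIO_MUTUAL",
       export_to=["."]),
]
MESH_DEFAULT = dr("mesh-default", ROOT_NAMESPACE, "*.local", "ISTIO_MUTUAL")

if __name__ == "__main__":
    for ns in ("payments", "checkout", "orders"):
        print(check(SAMPLE_RULES, ns))
    print(check(SAMPLE_RULES + [MESH_DEFAULT], "orders"))
```

Feed `check()` the `items` list from the cluster's JSON to run it for real; the `non_mtls_rules` field is the one to read first, because a namespace-wide rule that sets DISABLE or SIMPLE is a worse finding than a missing rule.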