# TIS0503 - Mesh-Wide DestinationRule Disabling mTLS is Missing

A mesh-wide `DestinationRule` disabling mTLS is missing.

## DestinationRule and PeerAuthentication for mTLS

To prevent unintended secure communication, either add a mesh-wide `DestinationRule` to disable mTLS or update the mesh-wide `PeerAuthentication` to `STRICT` or `PERMISSIVE` mode, ensuring proper connectivity across the mesh.
## Examples

- No Mesh-Wide `DestinationRule` Configured to Disable mTLS

  ```yaml
  # No mesh-wide `DestinationRule` disabling mTLS is present in the mesh configuration
  ```

  Explanation: Without a mesh-wide `DestinationRule` explicitly disabling mTLS, services in the mesh may inadvertently attempt to use mTLS for communication. This can cause connectivity issues if the workloads are not prepared for secure communication.

  Recommendation: Change the mesh-wide `DestinationRule` to `DISABLE` mode or update the `PeerAuthentication` to allow mTLS in `STRICT` or `PERMISSIVE` mode.

- Add Mesh-Wide `DestinationRule` to Disable mTLS

  Create a `DestinationRule` in the `istio-system` namespace that applies to all services in the mesh, disabling mTLS.

  ```yaml
  apiVersion: networking.istio.io/v1beta1
  kind: DestinationRule
  metadata:
    name: mesh-disable-mtls
    namespace: istio-system
  spec:
    host: "*.cluster.local"
    trafficPolicy:
      tls:
        mode: DISABLE
  ```

  Explanation: This `DestinationRule` ensures that mTLS is disabled for all services within the mesh, allowing them to communicate in plaintext when mTLS is not required.

- Update `PeerAuthentication` to Allow mTLS

  If the intention is to support both mTLS and plaintext communication, update the mesh-wide `PeerAuthentication` to use `PERMISSIVE` mode.

  ```yaml
  apiVersion: security.istio.io/v1beta1
  kind: PeerAuthentication
  metadata:
    name: mesh-permissive-peer-auth
    namespace: istio-system
  spec:
    mtls:
      mode: PERMISSIVE
  ```

  Explanation: Setting the `PeerAuthentication` mode to `PERMISSIVE` allows services to accept both mTLS and plaintext connections, enabling more flexibility depending on client capabilities.
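The TIS0503 condition above can be evaluated offline against exported resources; the following Python checker is an added example, not part of the TIS documentation or tooling. It takes `DestinationRule` and `PeerAuthentication` objects as plain dicts (the shape `kubectl get ... -o json` produces), assumes `istio-system` is the root namespace, and treats the wildcard hosts `*`, `*.local` and `*.cluster.local` as mesh-wide; the sample resources are constructed.

```python
from typing import Iterable, Optional, Tuple

ROOT_NAMESPACE = "istio-system"  # assumption: default Istio root namespace
MESH_WIDE_HOSTS = {"*", "*.local", "*.cluster.local"}  # assumption: wildcard hosts count as mesh-wide


def is_mesh_wide_disable_dr(res: dict) -> bool:
    """True for a DestinationRule in the root namespace with a wildcard host and tls.mode DISABLE."""
    if res.get("kind") != "DestinationRule":
        return False
    if res.get("metadata", {}).get("namespace") != ROOT_NAMESPACE:
        return False
    spec = res.get("spec", {})
    if spec.get("host") not in MESH_WIDE_HOSTS:
        return False
    return spec.get("trafficPolicy", {}).get("tls", {}).get("mode") == "DISABLE"


def mesh_wide_peer_auth_mode(resources: Iterable[dict]) -> Optional[str]:
    """Return mtls.mode of the mesh-wide PeerAuthentication (root namespace, no selector), or None."""
    for res in resources:
        if res.get("kind") != "PeerAuthentication":
            continue
        if res.get("metadata", {}).get("namespace") != ROOT_NAMESPACE:
            continue
        if res.get("spec", {}).get("selector"):
            continue  # workload-scoped policy, not mesh-wide
        return res["spec"].get("mtls", {}).get("mode", "UNSET")
    return None


def check_tis0503(resources: list) -> Tuple[bool, str]:
    """Return (passes, reason). Passes when a mesh-wide DISABLE DestinationRule exists, or when
    the mesh-wide PeerAuthentication is STRICT or PERMISSIVE (mTLS is then intended, not accidental)."""
    if any(is_mesh_wide_disable_dr(r) for r in resources):
        return True, "mesh-wide DestinationRule with tls.mode DISABLE present"
    pa_mode = mesh_wide_peer_auth_mode(resources)
    if pa_mode in ("STRICT", "PERMISSIVE"):
        return True, f"mesh-wide PeerAuthentication mode is {pa_mode}"
    return False, f"TIS0503: no mesh-wide DestinationRule disabling mTLS (PeerAuthentication mode: {pa_mode})"


# Constructed sample resources (not exported from a real cluster).
PA_DISABLE = {"kind": "PeerAuthentication", "metadata": {"name": "default", "namespace": ROOT_NAMESPACE},
              "spec": {"mtls": {"mode": "DISABLE"}}}
PA_PERMISSIVE = {"kind": "PeerAuthentication", "metadata": {"name": "mesh-permissive-peer-auth",
                 "namespace": ROOT_NAMESPACE}, "spec": {"mtls": {"mode": "PERMISSIVE"}}}
DR_DISABLE = {"kind": "DestinationRule", "metadata": {"name": "mesh-disable-mtls", "namespace": ROOT_NAMESPACE},
              "spec": {"host": "*.cluster.local", "trafficPolicy": {"tls": {"mode": "DISABLE"}}}}

if __name__ == "__main__":
    for inventory in ([PA_DISABLE], [PA_DISABLE, DR_DISABLE], [PA_PERMISSIVE]):
        print(check_tis0503(inventory))
```

A PeerAuthentication in the root namespace that carries a `selector` is deliberately ignored, since it scopes to matching workloads rather than the whole mesh.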