clusters, it is best to share a certificate authority (CA) between the clusters as it will enable mTLS across clusters to just work. The easiest way to establish this is to pass --inherit-ca to the install on your machine. Cilium’s Istio integration allows Cilium to enforce HTTP L7 network policies for mTLS protected traffic within the Istio sidecar proxies. Note that Istio can also be deployed without Cilium Cilium will enforce HTTP L7 policies outside of the Istio sidecar proxy, but that will only work if mTLS is not used. If you haven’t read the Introduction to Cilium & Hubble yet, we’d encourage you to do

Hubble Relay provides cross-cluster visibility without any particular configuration. When mutual TLS (mTLS) is enabled (default), TLS certificates for Hubble and Hubble Relay need to be signed by the same on your machine. Cilium’s Istio integration allows Cilium to enforce HTTP L7 network policies for mTLS protected traffic within the Istio sidecar proxies. Note that Istio can also be deployed without Cilium Cilium will enforce HTTP L7 policies outside of the Istio sidecar proxy, but that will only work if mTLS is not used. If you haven’t read the Introduction to Cilium & Hubble yet, we’d encourage you to do

clusters, it is best to share a certificate authority (CA) between the clusters as it will enable mTLS across clusters to just work. You can propagate the CA copying the Kubernetes secret containing the on your machine. Cilium’s Istio integration allows Cilium to enforce HTTP L7 network policies for mTLS protected traffic within the Istio sidecar proxies. Note that Istio can also be deployed without Cilium Cilium will enforce HTTP L7 policies outside of the Istio sidecar proxy, but that will only work if mTLS is not used. If you haven’t read the Introduction to Cilium & Hubble yet, we’d encourage you to do

sidecarInjectorWebhook.enabled=false \ --set global.controlPlaneSecurityEnabled=true \ --set global.mtls.enabled=true \ --set global.proxy.image=docker.io/cilium/istio_proxy:${ISTIO_VERSION com/cilium/cilium/v1.5/examples/ku kubectl create -f - destinationrule.networking.istio.io/kafka-disable-mtls created $ kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.5/ex service/kafka

on your machine. Cilium’s Istio integration allows Cilium to enforce HTTP L7 network policies for mTLS protected traffic within the Istio sidecar proxies. Note that Istio can also be deployed without Cilium Cilium will enforce HTTP L7 policies outside of the Istio sidecar proxy, but that will only work if mTLS is not used. If you haven’t read the Introduction to Cilium & Hubble yet, we’d encourage you to do