-mtls.yaml destinationrule.networking.istio.io/productpage created destinationrule.networking.istio.io/reviews created destinationrule.networking.istio.io/ratings created destinationrule.networking.istio 4.2.6. 双向 TLS 的变化 当使用带有特定工作负载 PeerAuthentication 策略的 mTLS 时，如果工作负载策略与命名空间/全局策略 不同，则需要一个对应的 DestinationRule 来允许流量。 auto mTLS 默认启用，但可以通过将 ServiceMeshControlPlane 资源中的 spec.security.dataPlane.automtls DestinationRules 进行服务间的正常通信。例如，将一个命名空间的 PeerAuthentication 设置为 STRICT 可能会阻止其他命名空间中的服务访问它们，除非 DestinationRule 为命名空间中的服务配置 TLS 模式。 有关 mTLS 的详情请参考 启用 mutual Transport Layer Security（mTLS） 1.11.4.4.2.6.1

Some container Istio Sidecar Proxy Istio Ingress Gateway Istio Egress Gateway @rytswd DestinationRule ServiceEntry Gateway VirtualService Some service outside of cluster Version 1 Version Some container Istio Sidecar Proxy Istio Ingress Gateway Istio Egress Gateway @rytswd DestinationRule ServiceEntry Gateway VirtualService Some service outside of cluster Version 1 Version Some container Istio Sidecar Proxy Istio Ingress Gateway Istio Egress Gateway @rytswd DestinationRule ServiceEntry Gateway VirtualService Some service outside of cluster Version 1 Version

Auto-mTLS in Istio ● Decide what type of traffic the client sidecar to send automatically ○ If DestinationRule is configured, respect it ○ If server has a sidecar and allows mTLS, send mTLS – reviews-v1 in Istio - Destination rule http http http http mTLS mTLS #IstioCon mTLS in Istio - DestinationRule Defines what type of traffic the client sidecar will send ● DISABLE: send plain text, common if you want to TLS with service outside mesh apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: reviews spec: host: reviews trafficPolicy: tls: mode: ISTIO_MUTUAL

attacker that is able to intercept raw network connections between Envoy proxies and upstream DestinationRule targets can perform a man-in-the-middle attack against clients whose TLS-configured DestinationRules GitHub repository’s issue #25652,12 as part of its process to generate Envoy configurations from DestinationRule policies, Istio translates the Destina- tionRule trafficPolicy.tls (ClientTLSSettings) field Google Istio Security Assessment Google / NCC Group Confidential Recommendation Update the DestinationRule documentation16 to provide a clear warning early on that the lack of a configured caCertificates

developers to consume this contract ● Prior knowledge of Istio ● Need to create VirtualService and DestinationRule before anything happens ● VirtualService evaluation order matters #IstioCon Checkpoint 1

HorizontalPodAutoscaler ● PodDisruptionBudget ● ConfigMap ● ServiceAccount ● VirtualService ● DestinationRule ● ServiceEntry #IstioCon Helm Starters for Istio 2.6. It is easier to move a problem around

reviews subset: v1 weight: 100 --- apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: reviews spec: host: reviews trafficPolicy: tls: mode: ISTIO_MUTUAL com/cilium/cilium/v1.5/examples/ku kubectl apply -f - virtualservice.networking.istio.io/reviews created destinationrule.networking.istio.io/reviews created Deploy the ratings v1 and reviews v2 services: $ for -s https://raw.githubusercontent.com/cilium/cilium/v1.5/examples/ku kubectl create -f - destinationrule.networking.istio.io/kafka-disable-mtls created $ kubectl create -f https://raw.githubusercontent

reviews subset: v1 weight: 100 --- apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: reviews spec: host: reviews trafficPolicy: tls: mode: ISTIO_MUTUAL

reviews subset: v1 weight: 100 --- apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: reviews spec: host: reviews trafficPolicy: tls: mode: ISTIO_MUTUAL

reviews subset: v1 weight: 100 --- apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: reviews spec: host: reviews trafficPolicy: tls: mode: ISTIO_MUTUAL