
Mutual TLS

A microservices architecture means more requests on the network, and more opportunities for malicious parties to intercept traffic. Mutual TLS (mTLS) authentication encrypts traffic between services and has each side prove its identity with a certificate.

With Istio, you can automate the enforcement of mTLS across all services. Below, we enable mTLS for the entire mesh. Two pods in the cluster, client and server, are shown establishing a secure connection with the mTLS policy in place.

Diagram

# Server side: every sidecar in the mesh accepts only mTLS connections.
# (authentication.istio.io/v1alpha1 MeshPolicy is the pre-1.5 API; later releases use PeerAuthentication.)
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  name: default
spec:
  peers:
  - mtls:
      mode: STRICT
---
# Client side: every sidecar originates mTLS, using Istio-provisioned certs, to any in-mesh host.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: istio-system
spec:
  host: "*.local"   # quoted: a bare * would be read as a YAML alias
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

Here, a MeshPolicy enforces TLS for all services receiving requests (server-side), and a DestinationRule enforces TLS for all services sending requests (client-side), resulting in mutual (“both”) TLS.

Authentication Flow:

  1. client application container sends a plain-text HTTP request to server.
  2. client proxy container intercepts the outbound request.
  3. client proxy performs a TLS handshake with the server-side proxy. This handshake includes an exchange of certificates. These certs are pre-loaded into the proxy containers by Istio.
  4. client proxy performs a secure naming check on the server’s certificate, verifying that an authorized identity is running the server.
  5. client and server establish a mutual TLS connection, and the server proxy forwards the request to the server application container.
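Steps 3 and 4 above are where the identity guarantee comes from. The added example below is not Istio's or Envoy's code: it builds a workload certificate carrying a SPIFFE ID as a URI SAN (the form Istio-issued certs use, assumed here) and runs the secure naming check against a constructed host-to-identity mapping, so a certificate for the wrong service account is rejected even though the TLS handshake itself succeeded.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"net/url"
	"time"
)

// secureNaming maps a service host to the SPIFFE identities authorized to serve it.
// Constructed sample; Istio derives the real mapping from service-account bindings.
var secureNaming = map[string][]string{
	"server.default.svc.cluster.local": {"spiffe://cluster.local/ns/default/sa/server"},
}

// newWorkloadCert builds a cert whose URI SAN is the workload's SPIFFE ID, as Istio-issued
// workload certs do. Self-signed for the demo only; real proxies also verify the CA chain.
func newWorkloadCert(spiffeID *url.URL) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		URIs:         []*url.URL{spiffeID},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// secureNamingCheck is step 4 of the flow: the client proxy accepts the server cert only
// if one of its URI SANs is an identity authorized for the host the application requested.
func secureNamingCheck(host string, cert *x509.Certificate) bool {
	for _, allowed := range secureNaming[host] {
		for _, u := range cert.URIs {
			if u.String() == allowed {
				return true
			}
		}
	}
	return false
}
```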
