A microservices architecture means more requests on the network, and more opportunities for malicious parties to intercept traffic. Mutual TLS (mTLS) authentication is a way to encrypt services traffic using certificates.
With Istio, you can automate the enforcement of mTLS across all services. Below, we enable mTLS for the entire mesh. Two pods in the cluster, `client` and `server`, are shown establishing a secure connection with the mTLS policy in place.
```yaml
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  name: default
spec:
  peers:
  - mtls:
      mode: STRICT
```

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: istio-system
spec:
  host: "*.local"   # quoted: an unquoted leading * is a YAML alias and fails to parse
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```
A `MeshPolicy` enforces TLS for all services receiving requests (server-side), and a `DestinationRule` enforces TLS for all services sending requests (client-side), resulting in mutual (“both”) TLS.
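Because the two resources configure opposite ends of the connection, a common misconfiguration is to apply only one of them: a `STRICT` `MeshPolicy` with no mesh-wide `ISTIO_MUTUAL` `DestinationRule` leaves sidecar clients sending plaintext that the server proxies reject. The following added example (not Istio's own tooling) checks that the two sides agree. The manifests above are embedded as already-parsed dicts, constructed here to avoid a YAML dependency; in practice you would load them from `kubectl get ... -o json`.

```python
"""Check that server-side and client-side Istio mTLS settings agree.

Added example, not Istio's own tooling. The two manifests from the page are
embedded below as already-parsed dicts (constructed here to avoid a YAML
dependency); in practice you would load them with `kubectl get ... -o json`.
"""
from typing import Dict, List

# Constructed: parsed form of the MeshPolicy and DestinationRule shown above.
MESH_POLICY = {
    "apiVersion": "authentication.istio.io/v1alpha1",
    "kind": "MeshPolicy",
    "metadata": {"name": "default"},
    "spec": {"peers": [{"mtls": {"mode": "STRICT"}}]},
}
DEST_RULE = {
    "apiVersion": "networking.istio.io/v1alpha3",
    "kind": "DestinationRule",
    "metadata": {"name": "default", "namespace": "istio-system"},
    "spec": {"host": "*.local", "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}},
}


def server_side_mode(docs: List[Dict]) -> str:
    """Return the mesh-wide peer mTLS mode: STRICT, PERMISSIVE, or NONE (no policy)."""
    for doc in docs:
        if doc.get("kind") != "MeshPolicy" or doc.get("metadata", {}).get("name") != "default":
            continue
        for peer in doc.get("spec", {}).get("peers", []):
            if "mtls" in peer:
                # Istio's MutualTls mode defaults to STRICT when omitted (e.g. `mtls: {}`).
                return (peer["mtls"] or {}).get("mode", "STRICT")
    return "NONE"


def client_side_mesh_wide(docs: List[Dict]) -> bool:
    """True if a DestinationRule makes every in-mesh client originate ISTIO_MUTUAL."""
    for doc in docs:
        if doc.get("kind") != "DestinationRule":
            continue
        spec = doc.get("spec", {})
        tls = spec.get("trafficPolicy", {}).get("tls", {})
        if spec.get("host") == "*.local" and tls.get("mode") == "ISTIO_MUTUAL":
            return True
    return False


def check_mesh_mtls(docs: List[Dict]) -> List[str]:
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    server = server_side_mode(docs)
    client = client_side_mesh_wide(docs)
    if server == "STRICT" and not client:
        findings.append("servers require mTLS but clients have no mesh-wide ISTIO_MUTUAL rule: "
                        "sidecar clients will send plaintext and be rejected")
    if server == "NONE" and client:
        findings.append("clients originate mTLS but no MeshPolicy requires it: "
                        "servers still accept plaintext from any caller")
    if server == "PERMISSIVE":
        findings.append("PERMISSIVE mode accepts plaintext as well as mTLS; switch to STRICT "
                        "once every client has a sidecar")
    return findings


if __name__ == "__main__":
    print(check_mesh_mtls([MESH_POLICY, DEST_RULE]))  # [] when both sides agree
    for finding in check_mesh_mtls([MESH_POLICY]):    # only the server side configured
        print("FINDING:", finding)
```

The check is deliberately conservative: it only recognises the mesh-wide `*.local` host, so a namespace- or service-scoped `DestinationRule` does not count as covering all clients.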
1. The `client` application container sends a plain-text HTTP request to `server`.
2. The `client` proxy container intercepts the outbound request.
3. The `client` proxy performs a TLS handshake with the server-side proxy. This handshake includes an exchange of certificates. These certs are pre-loaded into the proxy containers by Istio.
4. The `client` proxy performs a secure naming check on the server’s certificate, verifying that an authorized identity is running the `server` service.
5. The `client` and `server` establish a mutual TLS connection, and the `server` proxy forwards the request to the `server` application container.
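Step 4 is what turns an encrypted connection into an authenticated one: the certificate carries a SPIFFE identity of the form `spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>` in its URI SAN, and the client proxy accepts the handshake only if that identity is one the secure-naming table authorizes for the service being called. The model below is an added example, not Istio's code; the secure-naming table and the SAN values are constructed for the example, and the certificate itself is reduced to its list of URI SANs.

```python
"""Model of the secure naming check from step 4 of the handshake above.

Added example, not Istio's own code. Istio identities are SPIFFE URIs of the
form spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>, carried in
the server certificate's URI SAN. The secure-naming table and the SAN values
below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed: which identities are authorized to run each service.
SECURE_NAMING: Dict[str, List[str]] = {
    "server.default.svc.cluster.local": [
        "spiffe://cluster.local/ns/default/sa/server",
    ],
}


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    namespace: str
    service_account: str

    @classmethod
    def parse(cls, uri: str) -> Optional["SpiffeId"]:
        """Parse a SPIFFE URI; return None for anything not in Istio's ns/sa shape."""
        parts = urlparse(uri)
        if parts.scheme != "spiffe" or not parts.netloc:
            return None
        segs = parts.path.strip("/").split("/")
        if len(segs) != 4 or segs[0] != "ns" or segs[2] != "sa" or not segs[1] or not segs[3]:
            return None
        return cls(parts.netloc, segs[1], segs[3])

    def uri(self) -> str:
        """Canonical string form, used so trailing slashes etc. do not defeat matching."""
        return f"spiffe://{self.trust_domain}/ns/{self.namespace}/sa/{self.service_account}"


def secure_naming_check(service_host: str, uri_sans: List[str]) -> bool:
    """Accept the handshake only if some URI SAN is an identity authorized for the service."""
    allowed = SECURE_NAMING.get(service_host, [])
    if not allowed:
        return False  # unknown service: fail closed rather than trust any certificate
    for san in uri_sans:
        ident = SpiffeId.parse(san)
        if ident is None:
            continue  # malformed or non-SPIFFE SANs are ignored, never trusted
        if ident.uri() in allowed:
            return True
    return False


if __name__ == "__main__":
    host = "server.default.svc.cluster.local"
    # Constructed SAN lists standing in for the certificate presented by the server proxy.
    print(secure_naming_check(host, ["spiffe://cluster.local/ns/default/sa/server"]))  # True
    # Same service-account name but a different namespace: a different identity, rejected.
    print(secure_naming_check(host, ["spiffe://cluster.local/ns/staging/sa/server"]))  # False
```

The namespace-mismatch case shows why the whole SPIFFE path matters: two workloads can share a service-account name in different namespaces, and only the identity the table lists for the service passes the check.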