Configure Istio in mTLS Mode
Configure Istio in mTLS mode for secure service-to-service communication.
Description
This How-To covers deploying a sample Book-info application on Istio and verifying that its services communicate over Istio mutual TLS (mTLS) within your Kubernetes cluster.
When Istio mTLS is enabled, the Istio sidecar proxy (Envoy) automatically:
- Intercepts all service-to-service communication entering and leaving the pod
- Establishes mutual TLS connections between the client and server sidecars
- Wraps the application's plain HTTP traffic in TLS transparently (the application itself still speaks plain HTTP to its local sidecar)
- Authenticates both the client and the server workload identity using certificates issued by the Istio certificate authority
- Encrypts all service-to-service communication on the wire
This provides secure communication without requiring changes to your application code.
Preconditions
- Istio Installation: Istio must be installed in your OpenShift environment
- OpenShift Access: You have access to an OpenShift cluster with administrative permissions
- Command-line Tools: You have the oc and kubectl command-line tools installed
Step-by-Step Guide
1. Deploy Book-info Project
Connect to OpenShift:
- Log in to your OpenShift environment using the oc command-line tool
Download Required YAML Files:
- Download gateway.yml
- Download mtls.yml
- Download bookinfo.yml
Deploy the Application:
- Execute the following commands to deploy the application components
oc apply -f gateway.yml
oc apply -f mtls.yml
oc apply -f bookinfo.yml
Wait until all pods are up and running (two containers per pod, the application and its istio-proxy sidecar) before proceeding to the next steps.
2. Verify Plain-Text Communication
Before enabling strict mTLS, verify that the reviews service currently accepts plain-text requests. The probe is run from the istio-proxy container of the productpage pod on purpose: traffic originating from the sidecar itself is not redirected through Envoy, so the request reaches the reviews sidecar as plain HTTP rather than being upgraded to mTLS. Run it in the Book-info namespace (or add -n with that namespace):
kubectl exec $(kubectl get pod -l app=productpage -o jsonpath={.items..metadata.name}) -c istio-proxy -- curl http://reviews:9080/health -o /dev/null -s -w '%{http_code}\n'
You should receive a 200 status code, indicating that plain text is still accepted. This is Istio's default PERMISSIVE behaviour: the sidecar accepts both mTLS and plain-text connections until a policy says otherwise.
3. Enable Strict mTLS Mode
Now enable strict mTLS by applying a PeerAuthentication policy. Note the scope: a policy named default in the root namespace istio-system applies mesh-wide, to every namespace in the mesh. To limit enforcement to the Book-info application only, set metadata.namespace to the Book-info namespace instead. Before applying STRICT at either scope, make sure every workload that must be reached has a sidecar, because a pod without one cannot present a client certificate and will be refused:
oc apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: "default"
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
EOF
4. Verify mTLS Enforcement
Try the plain-text request again to confirm that strict mTLS is now enforced:
kubectl exec $(kubectl get pod -l app=productpage -o jsonpath={.items..metadata.name}) -c istio-proxy -- curl http://reviews:9080/health -o /dev/null -s -w '%{http_code}\n'
The command should now print 000 and curl should exit with code 56 (Recv failure: connection reset by peer), confirming that the reviews sidecar no longer accepts plain-text connections. The same request sent from an application container (for example the ratings container, which ships with curl) still succeeds, because that traffic is intercepted by the client sidecar and upgraded to mTLS before it leaves the pod; the rejection applies only to connections that bypass the mesh.
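The script below is an added example and is not part of the original How-To or its downloadable YAML files. It packages steps 3 and 4 into reusable shell functions: it renders the PeerAuthentication for a chosen namespace (so the same policy can be scoped to the Book-info namespace rather than mesh-wide), lists pods that have no istio-proxy container and would therefore be cut off once STRICT applies to them, and classifies the result of the plain-text probe. It assumes oc and kubectl are on PATH and that the Book-info workloads run in the namespace named by APP_NS (assumed default bookinfo); the cluster-touching steps run only when invoked with --run.

```shell
#!/bin/sh
# Added example (not from the original How-To). Helpers for a strict-mTLS
# rollout. Assumptions: oc/kubectl on PATH, Book-info deployed in "$APP_NS"
# (default "bookinfo"), probe identical to the in-sidecar curl used above.
set -eu

APP_NS="${APP_NS:-bookinfo}"

# Render a PeerAuthentication named "default" for the given namespace and mode.
# In the root namespace (istio-system) the policy is mesh-wide; in any other
# namespace it applies to that namespace only.
render_peer_authentication() {
  ns="$1"
  mode="$2"
  cat <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: ${ns}
spec:
  mtls:
    mode: ${mode}
EOF
}

# Read "<namespace> <pod> <comma-separated container names>" lines on stdin
# (the output of the kubectl custom-columns query in run_rollout) and print
# "<namespace>/<pod>" for every pod lacking an istio-proxy container. Such a
# pod has no workload certificate and is refused once STRICT covers its peers.
pods_missing_sidecar() {
  awk '("," $3 ",") !~ /,istio-proxy,/ { print $1 "/" $2 }'
}

# Interpret a plain-text probe given "<curl exit code>" "<http code>":
#   0 200  -> plain text accepted (no policy, or PERMISSIVE)
#   56 000 -> connection reset by the server sidecar (STRICT enforced)
classify_probe() {
  case "$1:$2" in
    0:200)  echo "plaintext-accepted" ;;
    56:000) echo "plaintext-rejected" ;;
    *)      echo "unexpected" ;;
  esac
}

# Run the guide's probe from the productpage sidecar and print "<exit> <http>".
# Sending from istio-proxy bypasses the client sidecar, so the request arrives
# at the reviews sidecar as plain HTTP.
probe_plaintext() {
  pod="$(kubectl -n "$APP_NS" get pod -l app=productpage \
          -o jsonpath='{.items[0].metadata.name}')"
  code="$(kubectl -n "$APP_NS" exec "$pod" -c istio-proxy -- \
          curl -s -o /dev/null -w '%{http_code}' \
          "http://reviews.${APP_NS}:9080/health")" && rc=0 || rc=$?
  echo "$rc ${code:-000}"
}

# Live rollout: report sidecar-less pods, apply STRICT to $APP_NS, re-probe.
run_rollout() {
  echo "Pods without a sidecar (will lose connectivity under STRICT):"
  kubectl get pods -A --no-headers \
    -o custom-columns='NS:.metadata.namespace,NAME:.metadata.name,CONTAINERS:.spec.containers[*].name' \
    | pods_missing_sidecar
  render_peer_authentication "$APP_NS" STRICT | oc apply -f -
  sleep 5   # give the sidecars a moment to pick up the new policy
  set -- $(probe_plaintext)
  echo "probe: exit=$1 http=$2 -> $(classify_probe "$1" "$2")"
}

if [ "${1:-}" = "--run" ]; then
  run_rollout
fi
```

Run `APP_NS=bookinfo sh strict-mtls.sh --run` against a cluster; a healthy rollout ends with `plaintext-rejected`. Anything classified `unexpected` (for example exit 7, connection refused, or exit 6, host not resolved) points at a reachability or naming problem rather than at mTLS enforcement and should be investigated before trusting the result.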
Conclusion
Congratulations! You have deployed a sample application with Istio and enabled strict mTLS for secure service-to-service communication. Your services now communicate over encrypted, mutually authenticated connections, and connections that bypass the mesh are refused.