K
Q

What are the benefits of enabling mTLS in Istio?

4/1/2019

I try to understand why Istio have the mTLS feature? It enables mutual TLS authentication between all the services in a cluster via automatically issued certificates.

Mandatory TLS authentication is a benefit only as long as they are services outside Istio, but when Istio is enabled globally in Kubernetes, this is not the case - then every service gets certificate automatically, so can connect to any other.

Maybe TLS is used as identity provider, required by Istio authorization rules, like asked in yet unanswered Does istio authorization have effect if mtls is not used for istio authentication?? But why Istio does not just use Kubernetes service accounts as identity provider. This is even mentioned in documentation.

Also, even with TLS for identity, why encrypting traffic (TLS can be used without encryption)? I am assuming here that the container is not able to spoof IP address.

-- Rafał Kłys
istio
kubernetes
ssl

Similar Questions

What is the deployment controller sync period for kube-controller-manager?
Horizontal Pod Autoscaler (HPA): Current utilization: <unknown> with custom namespace
Kubernetes python client: authentication problem
Kubernetes POD's does not receive any data
JKube doesn&#39;t create imagePullSecret

0 Answers