I'm new to Istio and learning from the official website examples. The one I can't understand is globally enabling Istio mutual TLS.
I can run the example with the YAML code present on the web. After that, I changed the DestinationRule:
kubectl apply -f - <<EOF
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "default"
  namespace: "foo"
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
EOF
The only part I changed is replacing the namespace of the example from istio-system to foo. Then I switch to the foo namespace, and I run the following test command:
$ for from in "foo" "bar"; do for to in "foo" "bar"; do kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done
and the result is below:
sleep.foo to httpbin.foo: 503
sleep.foo to httpbin.bar: 200
sleep.bar to httpbin.foo: 503
sleep.bar to httpbin.bar: 503
What I expect is:
sleep.foo to httpbin.foo: 200
sleep.foo to httpbin.bar: 503
sleep.bar to httpbin.foo: 503
sleep.bar to httpbin.bar: 503
Following the official example, I set a mesh-wide authentication policy that enables mutual TLS, and I then configured the client-side mutual TLS on namespace foo. I think it should work on namespace foo, but it does not.
Questions:
1. Why is sleep.foo to httpbin.foo 503 instead of 200?
2. Why is sleep.foo to httpbin.bar 200 instead of 503?
Can anyone explain this? Thanks.
You should wait 1-2 minutes before the policies are fully enforced.
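Because policy propagation to the sidecars is not instantaneous, a single run of the test loop right after `kubectl apply` can show a transient mix of 503s. The script below is an added example (not from the question, the answer, or the Istio documentation) that wraps the question's own test loop in a poll: it re-runs the matrix every few seconds until the result equals the expected outcome the question lists, or gives up after a timeout. It assumes the same `sleep` and `httpbin` deployments in namespaces `foo` and `bar` as in the question, and the expected matrix is copied from the question's own expectation (only `sleep.foo` to `httpbin.foo` succeeds).

```shell
#!/usr/bin/env bash
# Added example: poll the sleep->httpbin result matrix until it matches the
# expected mTLS outcome, instead of judging the policy from a single run.
# Assumes sleep/httpbin deployments in namespaces foo and bar, as in the question.

# Expected outcome taken from the question: once the mesh-wide mTLS policy and
# the client-side DestinationRule in foo are both enforced, only foo->foo succeeds.
EXPECTED="sleep.foo to httpbin.foo: 200
sleep.foo to httpbin.bar: 503
sleep.bar to httpbin.foo: 503
sleep.bar to httpbin.bar: 503"

# run_matrix: the question's test loop, printing one "from to target: code" line per pair.
run_matrix() {
  for from in foo bar; do
    for to in foo bar; do
      pod=$(kubectl get pod -l app=sleep -n "$from" -o jsonpath='{.items..metadata.name}')
      kubectl exec "$pod" -c sleep -n "$from" -- curl "http://httpbin.${to}:8000/ip" \
        -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"
    done
  done
}

# matches_expected ACTUAL: succeeds (exit 0) only when the observed matrix
# equals EXPECTED line for line.
matches_expected() {
  [ "$1" = "$EXPECTED" ]
}

# wait_for_policy [timeout_seconds] [interval_seconds]: re-run the matrix until
# it converges on EXPECTED; fail with the last observed result after the timeout.
wait_for_policy() {
  timeout=${1:-180}
  interval=${2:-10}
  elapsed=0
  actual=""
  while [ "$elapsed" -lt "$timeout" ]; do
    actual=$(run_matrix)
    if matches_expected "$actual"; then
      echo "policy converged after ${elapsed}s"
      return 0
    fi
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  echo "policy not converged after ${timeout}s; last result:" >&2
  echo "$actual" >&2
  return 1
}
```

Run it with `source` and then `wait_for_policy 180 10` from a shell that has `kubectl` pointed at the cluster; a non-zero exit after the timeout means the matrix still differs from the expected one and the policy itself, not propagation delay, needs investigating.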