Does Istio on GKE create a different service account for each service for mutual TLS?

10/29/2019

To enable mutual TLS, every service in the service mesh needs to have a different identity and client certificate.

Does Istio on GKE create a different service account for each service for mutual TLS?

-- Pragmatic
google-kubernetes-engine
istio
kubernetes

1 Answer

10/30/2019

The answer is no. More information can be viewed here.

By default, Istio on GKE will not create different/multiple service accounts for each service that has mutual TLS enabled. When a Citadel instance notices that a ServiceAccount is created in a namespace, it must decide whether it should generate an istio.io/key-and-cert secret for that ServiceAccount. You just need to check that there is a secret assigned to the service account.

Under the section How Citadel determines whether to create Service Account secrets there is a table that will show you the decision making process.

Additionally, in the section Mutual TLS authentication you will see the step-by-step process for a client to call a server with mTLS.

-- EliasH
Source: StackOverflow
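The check the answer describes, as an added example that is not from the original post or from the Istio project: it takes the output of `kubectl get sa` and `kubectl get secret` for one namespace and lists the service accounts for which Citadel has not (yet) issued an `istio.io/key-and-cert` secret. It assumes Citadel's naming convention of one secret named `istio.<service-account>` per ServiceAccount; the listings below are constructed sample output so the script runs offline.

```shell
#!/bin/sh
# Constructed sample of:
#   kubectl get sa -n <ns> --no-headers -o custom-columns=NAME:.metadata.name
SAMPLE_SAS='default
frontend
payments'

# Constructed sample of:
#   kubectl get secret -n <ns> --no-headers -o custom-columns=NAME:.metadata.name,TYPE:.type
# "payments" has a secret with the right name but the wrong type, so it must
# still be reported: only type istio.io/key-and-cert carries the workload cert.
SAMPLE_SECRETS='istio.default          istio.io/key-and-cert
istio.frontend         istio.io/key-and-cert
frontend-token-abc12   kubernetes.io/service-account-token
istio.payments         Opaque'

# Print every service account (one per line) that has no secret named
# "istio.<sa>" of type istio.io/key-and-cert (assumed Citadel convention).
#   $1 = service account names, one per line
#   $2 = "<secret-name> <type>" lines
sa_without_mtls_secret() {
  sas=$1
  secrets=$2
  printf '%s\n' "$sas" | while IFS= read -r sa; do
    [ -n "$sa" ] || continue
    if ! printf '%s\n' "$secrets" | awk -v want="istio.$sa" \
        '$1 == want && $2 == "istio.io/key-and-cert" { found = 1 }
         END { exit !found }'; then
      printf '%s\n' "$sa"
    fi
  done
}

# The SPIFFE identity Istio encodes in the certificate for a service account;
# cluster.local is the default trust domain.
expected_identity() {
  printf 'spiffe://cluster.local/ns/%s/sa/%s\n' "$1" "$2"
}

# Stand-alone usage: report service accounts in namespace "shop" (constructed)
# that still lack a workload certificate.
for sa in $(sa_without_mtls_secret "$SAMPLE_SAS" "$SAMPLE_SECRETS"); do
  echo "no istio.io/key-and-cert secret for $(expected_identity shop "$sa")"
done
```

With live clusters, replace the two sample variables with the real `kubectl` output for the namespace you are auditing.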