• About
    • Service mesh
    • Solutions
    • Case studies
    • Ecosystem
    • Deployment
    • Training
    • FAQ
  • Blog
  • News
  • Get involved
  • Documentation
    • Preliminary
    • v1.27 (Current)
    • v1.26
    • v1.25
    • v1.24
    • v1.23
Try Istio

Istio 1.27.3 is now available! Click here to learn more

  • Overview
    • What is Istio?
    • Why choose Istio?
    • Sidecar or ambient?
    • Quickstart
  • Concepts
    • Traffic Management
    • Security
    • Observability
    • Extensibility
  • Sidecar Mode
    • Getting Started
    • Platform Setup
      • Alibaba Cloud
      • Amazon EKS
      • Azure
      • Docker Desktop
      • Google Kubernetes Engine
      • Huawei Cloud
      • IBM Cloud
      • k3d
      • kind
      • Kops
      • Kubernetes Gardener
      • KubeSphere Container Platform
      • MicroK8s
      • Minikube
      • OpenShift
      • Oracle Cloud Infrastructure
      • Tencent Cloud
    • Install
      • Install with Istioctl
      • Install with Helm
      • Install Multicluster
        • Before you begin
        • Install Multi-Primary
        • Install Primary-Remote
        • Install Multi-Primary on different networks
        • Install Primary-Remote on different networks
        • Verify the installation
      • Install Istio with an External Control Plane
      • Install Multiple Istio Control Planes in a Single Cluster
      • Virtual Machine Installation
    • Upgrade
      • Canary Upgrades
      • In-place Upgrades
      • Upgrade with Helm
    • More Guides
      • Download the Istio release
      • Installation Configuration Profiles
      • Compatibility Versions
      • Installing Gateways
      • Installing the Sidecar
      • Customizing the installation configuration
      • Advanced Helm Chart Customization
      • Install Istio in Dual-Stack mode
      • Install Istio with Pod Security Admission
      • Install the Istio CNI node agent
      • Getting Started without the Gateway API
  • Ambient Mode
    • Overview
    • Getting Started
      • Deploy a sample application
      • Secure and visualize the application
      • Enforce authorization policies
      • Manage traffic
      • Clean up
    • Install
      • Platform-Specific Prerequisites
      • Install with Helm
      • Install with istioctl
      • Install Multicluster
        • Before you begin
        • Install ambient multi-primary on different networks
        • Verify the ambient installation
    • Upgrade
      • Upgrade with Helm
    • User Guides
      • Add workloads to the mesh
      • Verify mutual TLS is enabled
      • Ambient and Kubernetes NetworkPolicy
      • Use Layer 4 security policy
      • Configure waypoint proxies
      • Use Layer 7 features
      • Extend waypoints with WebAssembly plugins *
      • Troubleshoot connectivity issues with ztunnel
      • Troubleshoot issues with waypoints
    • Architecture
      • Ambient and the Istio control plane
      • Ambient data plane
      • HBONE
      • Ztunnel traffic redirection
  • Tasks
    • Traffic Management
      • Request Routing
      • Fault Injection
      • Traffic Shifting
      • TCP Traffic Shifting
      • Request Timeouts
      • Circuit Breaking
      • Mirroring
      • Locality Load Balancing
        • Before you begin
        • Locality failover
        • Locality weighted distribution
        • Cleanup
      • Ingress
        • Ingress Gateways
        • Secure Gateways
        • Ingress Gateway without TLS Termination
        • Ingress Sidecar TLS Termination
        • Kubernetes Ingress
        • Kubernetes Gateway API
      • Egress
        • Accessing External Services
        • Egress TLS Origination
        • Egress Gateways
        • Egress Gateways with TLS Origination
        • Egress using Wildcard Hosts
        • Kubernetes Services for Egress Traffic
        • Using an External HTTPS Proxy
    • Security
      • Certificate Management
        • Plug in CA Certificates
        • Custom CA Integration using Kubernetes CSR *
      • Authentication
        • Authentication Policy
        • JWT claim based routing *
        • Copy JWT Claims to HTTP Headers *
        • Mutual TLS Migration
      • Authorization
        • HTTP Traffic
        • TCP Traffic
        • JWT Token
        • External Authorization
        • Explicit Deny
        • Ingress Access Control
        • Trust Domain Migration
        • Dry Run *
      • TLS Configuration
        • Istio Workload Minimum TLS Version Configuration
    • Policy Enforcement
      • Enabling Rate Limits using Envoy
    • Observability
      • Telemetry API
      • Metrics
        • Customizing Istio Metrics with Telemetry API
        • Collecting Metrics for TCP Services
        • Customizing Istio Metrics
        • Classifying Metrics Based on Request or Response
        • Querying Metrics from Prometheus
        • Visualizing Metrics with Grafana
      • Logs
        • Configure access logs with Telemetry API
        • Envoy Access Logs
        • OpenTelemetry
      • Distributed Tracing
        • Overview
        • Configure tracing with Telemetry API
        • Configure tracing using MeshConfig and pod annotations
        • Configure trace sampling
        • OpenTelemetry
        • Jaeger
        • Zipkin
        • Apache SkyWalking
      • Visualizing Your Mesh
      • Remotely Accessing Telemetry Addons
    • Extensibility
      • Distributing WebAssembly Modules *
  • Examples
    • Bookinfo Application
    • Bookinfo with a Virtual Machine
    • Learn Microservices using Kubernetes and Istio
      • Prerequisites
      • Set up a Kubernetes Cluster
      • Set up a Local Computer
      • Run a Microservice Locally
      • Run ratings in Docker
      • Run Bookinfo with Kubernetes
      • Test in production
      • Add a new version of reviews
      • Enable Istio on productpage
      • Enable Istio on all the microservices
      • Configure Istio Ingress Gateway
      • Monitoring with Istio
  • Operations
    • Deployment
      • Platform Requirements
      • Architecture
      • Security Model
      • Deployment Models
      • Virtual Machine Architecture
      • Ambient Multicluster Performance
      • Performance and Scalability
      • Application Requirements
    • Configuration
      • Mesh Configuration
        • Dynamic Admission Webhooks Overview
        • Health Checking of Istio Services
        • Configuration Scoping
      • Traffic Management
        • Protocol Selection
        • Managing In-Mesh Certificates
        • TLS Configuration
        • Traffic Routing
        • DNS
        • Configuring Gateway Network Topology *
        • DNS Proxying
        • Multi-cluster Traffic Management
      • Security
        • Security policy examples
        • Harden Docker Container Images
      • Observability
        • Envoy Statistics
        • Monitoring Multicluster Istio with Prometheus
      • Extensibility
        • Pull Policy for WebAssembly Modules *
    • Best Practices
      • Deployment Best Practices
      • Traffic Management Best Practices
      • Security Best Practices
      • Image Signing and Validation
      • Observability Best Practices
    • Common Problems
      • Traffic Management Problems
      • Security Problems
      • Observability Problems
      • Sidecar Injection Problems
      • Configuration Validation Problems
      • Upgrade Problems
    • Diagnostic Tools
      • Using the Istioctl Command-line Tool
      • Debugging Envoy and Istiod
      • Understand your Mesh with Istioctl Describe
      • Diagnose your Configuration with Istioctl Analyze
      • Verifying Istio Sidecar Injection with Istioctl Check-Inject
      • Istiod Introspection
      • Component Logging
      • Debugging Virtual Machines
      • Troubleshooting Multicluster
      • Troubleshooting the Istio CNI plugin
    • Integrations
      • cert-manager
      • Grafana
      • Jaeger
      • Kiali
      • Prometheus
      • SPIRE
      • Apache SkyWalking
      • Zipkin
      • Third Party Load Balancers
  • Releases
    • Feature Status
    • Reporting Bugs
    • Security Vulnerabilities
    • Supported Releases
    • Contribute Documentation
      • Work with GitHub
      • Add New Documentation
      • Remove Retired Documentation
      • Build and serve the website locally
      • Front matter
      • Documentation Review Process
      • Add Code Blocks
      • Use Shortcodes
      • Follow Formatting Standards
      • Style Guide
      • Terminology Standards
      • Diagram Creation Guidelines
    • Website Content Changes
  • Reference
    • Configuration
      • Analysis Messages
      • Global Mesh Options
      • IstioOperator Options
      • Configuration Status Field
      • Proxy Extensions
        • Wasm Plugin
      • Traffic Management
        • Destination Rule
        • Envoy Filter
        • Gateway
        • ProxyConfig
        • Service Entry
        • Sidecar
        • Virtual Service
        • Workload Entry
        • Workload Group
      • Security
        • PeerAuthentication
        • RequestAuthentication
        • Authorization Policy
        • Authorization Policy Conditions
        • Authorization Policy Normalization
      • Telemetry
      • Common Types
        • Workload Selector
      • Istio Standard Metrics
      • Resource Annotations
      • Resource Labels
      • Configuration Analysis Messages
        • AlphaAnnotation
        • Analyzer Message Format
        • ConflictingMeshGatewayVirtualServiceHosts
        • ConflictingSidecarWorkloadSelectors
        • ConflictingTelemetryWorkloadSelectors
        • DeploymentAssociatedToMultipleServices
        • DeploymentConflictingPorts
        • Deprecated
        • DeprecatedAnnotation
        • EnvoyFilterUsesAddOperationIncorrectly
        • EnvoyFilterUsesRelativeOperation
        • EnvoyFilterUsesRelativeOperationWithProxyVersion
        • EnvoyFilterUsesRemoveOperationIncorrectly
        • EnvoyFilterUsesReplaceOperationIncorrectly
        • ExternalControlPlaneAddressIsNotAHostname
        • ExternalNameServiceTypeInvalidPortName
        • GatewayPortNotDefinedOnService
        • IneffectivePolicy
        • IneffectiveSelector
        • InternalError
        • InvalidAnnotation
        • InvalidApplicationUID
        • InvalidExternalControlPlaneConfig
        • InvalidGatewayCredential
        • InvalidTelemetryProvider
        • LocalhostListener
        • MisplacedAnnotation
        • MultipleSidecarsWithoutWorkloadSelectors
        • MultipleTelemetriesWithoutWorkloadSelectors
        • NamespaceMultipleInjectionLabels
        • NamespaceNotInjected
        • NoMatchingWorkloadsFound
        • NoServerCertificateVerificationDestinationLevel
        • NoServerCertificateVerificationPortLevel
        • PodMissingProxy
        • PodsIstioProxyImageMismatchInNamespace
        • PortNameIsNotUnderNamingConvention
        • ReferencedResourceNotFound
        • SchemaValidationError
        • ServiceEntryAddressesRequired
        • UnknownAnnotation
        • VirtualServiceDestinationPortSelectorRequired
        • VirtualServiceHostNotFoundInGateway
        • VirtualServiceIneffectiveMatch
        • VirtualServiceUnreachableRule
    • Commands
      • install-cni
      • istioctl
      • pilot-agent
      • pilot-discovery
    • Glossary
  1. Documentation
  2. Operations
  3. Configuration
  4. Security

Security

Helps you manage the security aspects of a running mesh.

Security policy examples

Shows common examples of using Istio security policy.

Harden Docker Container Images

Use hardened container images to reduce Istio's attack surface.

Links


    English Español 中文 Українська
    • Terms and Conditions | Privacy policy | Trademarks | Edit this Page on GitHub
    © 2025 the Istio Authors. Version Istio 1.27.3
    • next release
    • older releases