• How can I enable/disable mTLS encryption after I installed Istio?

    The most straightforward way to enable/disable mTLS is by entirely uninstalling and re-installing Istio.

    If you are an advanced user and understand the risks you can also do the following:

    kubectl edit configmap -n istio-system istio

    comment out or uncomment out authPolicy: MUTUAL_TLS to toggle mTLS and then

    kubectl delete pods -n istio-system -l istio=pilot

    to restart Pilot, after a few seconds (depending on your *RefreshDelay) your Envoy proxies will have picked up the change from Pilot. During that time your services may be unavailable.

    We are working on a smoother solution.

  • Can a service with Istio Auth enabled communicate with a service without Istio?

    This is not supported currently, but will be in the near future.

  • Can I enable Istio Auth with some services while disable others in the same cluster?

    This is not supported currently, but will be in the near future.

  • How can I use Kubernetes liveness and readiness for service health check with Istio Auth enabled?

    If Istio Auth is enabled, http and tcp health check from kubelet will not work since they do not have Istio Auth issued certs. A workaround is to use a liveness command for health check, e.g., one can install curl in the service pod and curl itself within the pod. The Istio team is actively working on a solution.

    An example of readinessProbe:

        - curl
        - -f
        - http://localhost:8080/healthz # Replace port and URI by your actual health check
      initialDelaySeconds: 10
      periodSeconds: 5
  • Can I access the Kubernetes API Server with Auth enabled?

    The Kubernetes API server does not support mutual TLS authentication. Hence, when Istio mTLS authentication is enabled, it is currently not possible to communicate from a pod with Istio sidecar to the Kubernetes API server.