Security

Helps you manage the security aspects of a running mesh.

Security policy examples

Shows common examples of using Istio security policy.

Harden Docker Container Images

Use hardened container images to reduce Istio's attack surface.

    © 2024 the Istio Authors. Version Archive 1.22.3