https://istio.io/v1.4/docs/tasks/security/authentication/mtls-migration/
Ensure that your cluster is in PERMISSIVE mode before migrating to mutual TLS. Run the following command to check:
```
$ kubectl get meshpolicy default -o yaml
...
spec:
  peers:
  - mtls:
      mode: PERMISSIVE
```

In PERMISSIVE mode, the Envoy sidecar relies on the ALPN value `istio` to decide whether to terminate the mutual TLS traffic. If your workloads (without Envoy sidecar) have enabled mutual TLS directly to the services with Envoy sidecars, enabling PERMISSIVE mode may cause these connections to fail.
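The check above can be turned into a gate that a migration script runs first. This is an added example, not taken from the Istio documentation: the function names and the sample document are constructed, and treating an `mtls:` entry with no `mode` as STRICT is an assumption about the policy default.

```shell
#!/bin/sh
# Added example: gate an mTLS migration on the mesh-wide policy mode.
# Function names and the sample document are constructed for illustration.

# Print the peer mTLS mode found in MeshPolicy YAML read from stdin:
#   NONE     no "mtls:" peer method present
#   STRICT   "mtls:" present with no mode (assumed default, see lead-in)
#   <value>  the explicit mode, e.g. PERMISSIVE
mesh_mtls_mode() {
  awk '
    /mtls:/ { found = 1 }
    found && /mode:[ \t]*[A-Z]+/ {
      sub(/.*mode:[ \t]*/, "")   # drop everything up to the value
      sub(/[^A-Z].*/, "")        # drop anything after the value
      mode = $0
      exit                       # the END block still runs after exit
    }
    END {
      if (!found)          print "NONE"
      else if (mode == "") print "STRICT"
      else                 print mode
    }'
}

# Succeed only when the policy on stdin is explicitly PERMISSIVE.
require_permissive() {
  mode=$(mesh_mtls_mode)
  if [ "$mode" = "PERMISSIVE" ]; then
    echo "mesh policy mode is PERMISSIVE"
    return 0
  fi
  echo "mesh policy mode is $mode, not PERMISSIVE; do not migrate yet" >&2
  return 1
}

# Constructed sample matching the kubectl output shown above.
sample_policy() {
  printf '%s\n' 'spec:' '  peers:' '  - mtls:' '      mode: PERMISSIVE'
}

sample_policy | require_permissive
# Against a live cluster:
#   kubectl get meshpolicy default -o yaml | require_permissive
```

A passing gate only confirms the mesh-wide mode; workloads without a sidecar that already speak mutual TLS to sidecar-backed services still need to be inventoried separately, for the reason given above.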