-
Notifications
You must be signed in to change notification settings - Fork 1
Istio
Andres Olarte edited this page Aug 9, 2019
·
3 revisions
Check config:
kubectl get mutatingwebhookconfiguration istio-sidecar-injector -o yaml
Normally is with inclusion or exclusion:
kubectl label namespace xxxx istio-injection=enabled --overwrite
kubectl get service -n istio-system --field-selector "metadata.name=istio-ingressgateway" -o jsonpath='{.items[].status.loadBalancer.ingress[].ip}'
-
mTLS policies:
- MeshPolicy (mesh scoped, but not multi-tenant friendly)
- Policy (namespace scoped)
-
STRICTby default.
Mesh-wide Permissive
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
name: "default"
spec:
peers:
- mtls:
mode: PERMISSIVE