Bird
Raised Fist0
Kubernetesdevops~7 mins

Mutual TLS for service communication in Kubernetes - Commands & Configuration

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction
Mutual TLS helps two services talk to each other securely by checking each other's identity. It stops outsiders from listening or pretending to be one of the services.
When you want to make sure only trusted services in your cluster can talk to each other.
When you need to encrypt data sent between microservices to keep it private.
When you want to prevent attackers from impersonating a service inside your network.
When you want to add an extra layer of security without changing your application code.
When you want to comply with security rules that require encrypted and authenticated service communication.
Config File - istio-mutual-tls.yaml
istio-mutual-tls.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: default
  namespace: default
spec:
  host: '*.default.svc.cluster.local'
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

This file has two parts:

  • PeerAuthentication: It tells Istio to require mutual TLS for all services in the default namespace.
  • DestinationRule: It configures clients to use mutual TLS when talking to any service in the default namespace.
Commands
This command applies the mutual TLS settings to the Kubernetes cluster using Istio. It enables strict mutual TLS for service communication in the default namespace.
Terminal
kubectl apply -f istio-mutual-tls.yaml
Expected OutputExpected
peerauthentication.security.istio.io/default created destinationrule.networking.istio.io/default created
This command checks that the PeerAuthentication resource is created and active in the default namespace.
Terminal
kubectl get peerauthentication -n default
Expected OutputExpected
NAME AGE default 10s
-n - Specifies the namespace to look in
This command verifies that the DestinationRule resource is created and active in the default namespace.
Terminal
kubectl get destinationrule -n default
Expected OutputExpected
NAME AGE default 10s
-n - Specifies the namespace to look in
This command checks the mutual TLS status between the client and the service pod named my-service-1234 in the default namespace.
Terminal
istioctl authn tls-check my-service-1234.default
Expected OutputExpected
HOST:PORT STATUS CLIENT SERVER AUTHN POLICY my-service-1234.default.svc.cluster.local:80 OK mTLS mTLS default
Key Concept

If you remember nothing else from this pattern, remember: mutual TLS makes both services prove who they are before talking, keeping communication private and trusted.

Common Mistakes
Not applying both PeerAuthentication and DestinationRule resources.
Without both, either the server or client won't enforce mutual TLS, so communication won't be fully secure.
Always apply both PeerAuthentication to enforce server-side TLS and DestinationRule to configure client-side TLS.
Using permissive mode instead of strict mode in PeerAuthentication.
Permissive mode allows both encrypted and unencrypted traffic, which weakens security.
Set mtls mode to STRICT to require all traffic to use mutual TLS.
Not specifying the correct namespace when applying or checking resources.
Resources may be created or checked in the wrong namespace, causing confusion or failure.
Always use the -n flag with kubectl commands to specify the correct namespace.
Summary
Apply PeerAuthentication and DestinationRule to enable mutual TLS in the namespace.
Verify the resources are created with kubectl get commands.
Use istioctl tls-check to confirm mutual TLS is active between services.

Practice

(1/5)
1. What is the main purpose of Mutual TLS (mTLS) in Kubernetes service communication?
easy
A. To disable encryption for faster debugging
B. To increase the speed of service communication
C. To allow services to communicate without authentication
D. To encrypt data and verify identities between services

Solution

  1. Step 1: Understand mTLS purpose

    Mutual TLS encrypts data and verifies both client and server identities to secure communication.

  2. Step 2: Compare options

    Only To encrypt data and verify identities between services correctly describes encryption and identity verification, others are incorrect or opposite.

  3. Final Answer:

    To encrypt data and verify identities between services -> Option D

  4. Quick Check:

    mTLS = encrypt + verify identities [OK]
Hint: mTLS means both encryption and identity check [OK]
Common Mistakes:
  • Thinking mTLS only encrypts but doesn't verify identity
  • Confusing mTLS with disabling security
  • Assuming mTLS speeds up communication
2. Which PeerAuthentication mode in Istio allows both encrypted (mTLS) and plain traffic to a service?
easy
A. STRICT
B. PERMISSIVE
C. DISABLE
D. ENFORCED

Solution

  1. Step 1: Recall PeerAuthentication modes

    STRICT enforces mTLS only, PERMISSIVE allows both mTLS and plain, DISABLE turns off mTLS.

  2. Step 2: Match mode to description

    PERMISSIVE mode allows both encrypted and plain traffic, matching the question.

  3. Final Answer:

    PERMISSIVE -> Option B

  4. Quick Check:

    PERMISSIVE = both encrypted and plain allowed [OK]
Hint: PERMISSIVE means allow both secure and insecure traffic [OK]
Common Mistakes:
  • Confusing STRICT with PERMISSIVE
  • Thinking DISABLE allows encrypted traffic
  • Assuming ENFORCED is a valid mode
3. Given this PeerAuthentication YAML snippet:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: myapp
spec:
  mtls:
    mode: STRICT

What happens when a service in namespace myapp receives plain HTTP traffic?
medium
A. The traffic is rejected because mTLS is enforced
B. The traffic is accepted without encryption
C. The traffic is accepted but logged as insecure
D. The traffic is redirected to HTTPS automatically

Solution

  1. Step 1: Analyze PeerAuthentication mode

    The mode is STRICT, which enforces mTLS for all incoming traffic in the namespace.

  2. Step 2: Understand effect on plain HTTP

    Plain HTTP traffic without mTLS will be rejected because encryption and identity verification are mandatory.

  3. Final Answer:

    The traffic is rejected because mTLS is enforced -> Option A

  4. Quick Check:

    STRICT mode rejects plain HTTP [OK]
Hint: STRICT mode blocks non-mTLS traffic [OK]
Common Mistakes:
  • Assuming plain HTTP is accepted in STRICT mode
  • Thinking traffic is redirected automatically
  • Confusing logging with rejection
4. You applied this PeerAuthentication config but your service still accepts plain HTTP traffic:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: test
spec:
  mtls:
    mode: STRICT

What is the most likely reason?
medium
A. The service is in a different namespace than 'test'
B. PeerAuthentication resource is missing the selector field
C. STRICT mode allows plain HTTP by default
D. mTLS is disabled globally in Istio

Solution

  1. Step 1: Check namespace scope

    PeerAuthentication applies only to the specified namespace 'test'. If the service is outside, it won't be affected.

  2. Step 2: Understand effect on service

    If the service is in another namespace, it won't enforce STRICT mode and may accept plain HTTP.

  3. Final Answer:

    The service is in a different namespace than 'test' -> Option A

  4. Quick Check:

    Namespace mismatch causes no mTLS enforcement [OK]
Hint: PeerAuthentication applies per namespace only [OK]
Common Mistakes:
  • Assuming STRICT mode allows plain HTTP
  • Thinking selector is mandatory for namespace-wide policy
  • Ignoring namespace differences
5. You want to enforce mTLS only for service payments in namespace finance, but allow other services to accept plain traffic. Which PeerAuthentication config achieves this?
hard
A. 
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: permissive-all
  namespace: finance
spec:
  mtls:
    mode: PERMISSIVE
B. 
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: finance-wide
  namespace: finance
spec:
  mtls:
    mode: STRICT
C. 
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: payments-mtls
  namespace: finance
spec:
  selector:
    matchLabels:
      app: payments
  mtls:
    mode: STRICT
D. 
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: payments-disable
  namespace: finance
spec:
  selector:
    matchLabels:
      app: payments
  mtls:
    mode: DISABLE

Solution

  1. Step 1: Understand requirement

    Enforce mTLS STRICT only for 'payments' service, allow others to accept plain traffic.

  2. Step 2: Analyze options

    apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: payments-mtls
  namespace: finance
spec:
  selector:
    matchLabels:
      app: payments
  mtls:
    mode: STRICT
    applies STRICT mode with selector for 'payments' only. 
    apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: finance-wide
  namespace: finance
spec:
  mtls:
    mode: STRICT
    enforces STRICT for whole namespace, not desired. 
    apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: permissive-all
  namespace: finance
spec:
  mtls:
    mode: PERMISSIVE
    allows both for all services. 
    apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: payments-disable
  namespace: finance
spec:
  selector:
    matchLabels:
      app: payments
  mtls:
    mode: DISABLE
    disables mTLS for payments, opposite of requirement.

  3. Final Answer:

    PeerAuthentication with selector for payments and STRICT mode -> Option C

  4. Quick Check:

    Selector + STRICT = mTLS only for selected service [OK]
Hint: Use selector with STRICT mode for specific service enforcement [OK]
Common Mistakes:
  • Applying STRICT mode to whole namespace accidentally
  • Using DISABLE mode when enforcement is needed
  • Not using selector to target specific service