Support PeerAuthentication (STRICT) mode #42696
Comments
This is working as implemented; there is currently open discussion if we will support this API in ambient.
Can I see similar discussions somewhere? I'm more concerned about the completeness of ambient's capabilities.
Doc is in https://docs.google.com/document/d/1Lk1I1qB-XwVWFP0sVcIN5JMJZHjuF3j8lGWtUeDK6pY/edit#heading=h.nluvz4y67j4c. Note it's very much under discussion. I can assure anyone reading this though, some equivalent to "only allow mTLS" will be available. That is 100% critical.
Not stale; we still need discussion on whether peer authentication should be supported and, if so, when.
Update: After discussion in the Ambient WG, we decided to move forward with supporting PeerAuthentication for now. I'll take care of the ambient implementation.
Bug Description
I'm following the tutorial https://istio.io/latest/docs/tasks/security/authentication/authn-policy/#globally-enabling-istio-mutual-tls-in-strict-mod.
I find that I can access the pod without sidecar from an ambient pod or a sidecar pod when I've set the mtls mode to `STRICT` globally, at namespace level, or per-pod. From the envoy config_dump on the caller side, I see the actual behaviour is `PERMISSIVE` mode no matter what I set.
Version
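For reference, the three PeerAuthentication scopes the report above exercises (mesh-wide, namespace-wide, per-workload), written out as an added example rather than taken from the issue or the Istio docs; the namespace `foo` and the label `app: httpbin` are assumed placeholder values.

```yaml
# Mesh-wide policy: must live in the root namespace (istio-system by default)
# and be named "default" to be treated as the mesh-wide PeerAuthentication.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Namespace-wide policy: no selector, so it covers every workload in "foo"
# (assumed namespace) and overrides the mesh-wide policy for that namespace.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: STRICT
---
# Workload-specific policy: the selector narrows it to pods labelled
# app=httpbin (assumed label). The most specific policy wins
# (workload > namespace > mesh), so a PERMISSIVE policy at this level would
# reopen plaintext for this workload only; keep it STRICT to close that gap.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: httpbin-strict
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  mtls:
    mode: STRICT
```

With any of these applied and actually enforced, a plaintext request from a pod that has neither a sidecar nor ambient enrollment should be refused; a successful plaintext connection, as the issue reports for ambient, is the signal that the effective mode is still PERMISSIVE.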