Enabling strict mTLS across the mesh does not enable strict mode

[nak3]

Which section(s) is the issue in?

Enabling strict mTLS across the mesh
https://docs.openshift.com/container-platform/4.6/service_mesh/v2x/ossm-security.html#ossm-security-enabling-strict-mtls_ossm-security

The docs says "Enabling strict mTLS" by setting spec.security.controlPlane.mtls to true in your ServiceMeshControlPlane resource. But it enables permissive mode not strict mode.

What needs fixing?

Edit PeerAuthentication in the namespace where SMCP is deployed.

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: <NAMESPACE where SMCP is deployed>
spec:
  mtls:
    mode: STRICT

[JStickler]

Created https://issues.redhat.com/browse/OSSMDOC-286 to track this.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[nak3]

#30131 changed spec.security.controlPlane.mtls to spec.security.dataPlane.mtls and so it will add strict PeerAuthentication I think.

Closing.