Istio mTLS Basics

How Istio mTLS Works
Example Pod Topology
Configuring PeerAuthentication
PeerAuthentication Modes
1. PERMISSIVE Mode
2. STRICT Mode
3. DISABLE Mode
Next Steps
Links and References

In modern microservices architectures, securing traffic between pods is critical. Istio’s mutual TLS (mTLS) ensures that every call between services is both encrypted and authenticated.

How Istio mTLS Works

Istio leverages a sidecar container pattern. Each application pod has an Envoy proxy injected beside it. When mTLS is enabled:

The client‐side Envoy obtains a certificate from Istio’s Citadel (the mesh CA).
It initiates a TLS handshake with the server‐side Envoy.
Both proxies verify each other’s certificates.
Once verified, traffic is encrypted in transit and then decrypted before reaching the application.

By default, Istio:

Automatically detects injected workloads and negotiates mTLS.
Leaves traffic to non-injected pods in plaintext.

Make sure your pods are annotated or labeled for automatic sidecar injection. See Istio Automatic Injection.

Example Pod Topology

Consider three pods in your cluster:

Pod A and Pod B: Part of the Istio mesh (sidecar injected). Traffic between them is encrypted with mTLS.
Pod C: Not part of the mesh (no sidecar). Traffic between Pod B and Pod C is sent in plaintext over HTTP.

Configuring PeerAuthentication

Istio uses the PeerAuthentication API to control mTLS behavior at namespace or workload level. A basic resource looks like this:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: PERMISSIVE

PeerAuthentication Modes

Mode	Description	Behavior
PERMISSIVE	Allows both mTLS and plaintext	mTLS inside mesh, plaintext from outside
STRICT	Enforces mTLS for all inbound connections	Rejects any plaintext
DISABLE	Disables mTLS entirely	All traffic is plaintext

Switching from PERMISSIVE to STRICT may break clients that don’t support mTLS. Roll out changes carefully and monitor with Kiali.

1. PERMISSIVE Mode

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: PERMISSIVE

2. STRICT Mode

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: STRICT

3. DISABLE Mode

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: DISABLE

Next Steps

Apply each PeerAuthentication in a test namespace.
Use kubectl logs on Envoy sidecars to verify TLS handshakes.
Visualize service-to-service traffic in the Kiali dashboard.

Links and References

Watch Video

Promoting App to Prod and Visualize using Kiali

Demo Istio mTLS

⌘I

Introduction

Kubernetes Operations and Security

Additional Topics

Dev Ops Pipeline

Dev Sec Ops Pipeline

Hashi Corp Vault Kubernetes

How Istio mTLS Works

Example Pod Topology

Configuring PeerAuthentication

PeerAuthentication Modes

1. PERMISSIVE Mode

2. STRICT Mode

3. DISABLE Mode

Next Steps

Links and References

Watch Video

Introduction

Kubernetes Operations and Security

Additional Topics

Dev Ops Pipeline

Dev Sec Ops Pipeline

Hashi Corp Vault Kubernetes

​How Istio mTLS Works

​Example Pod Topology

​Configuring PeerAuthentication

​PeerAuthentication Modes

​1. PERMISSIVE Mode

​2. STRICT Mode

​3. DISABLE Mode

​Next Steps

​Links and References

Watch Video

How Istio mTLS Works

Example Pod Topology

Configuring PeerAuthentication

PeerAuthentication Modes

1. PERMISSIVE Mode

2. STRICT Mode

3. DISABLE Mode

Next Steps

Links and References