Revise the description of istio-demo (#2743)

content/docs/concepts/security/index.md

@@ -251,6 +251,30 @@ For a client to call a server with mutual TLS authentication:
 
 1. After authorization, the server side Envoy forwards the traffic to the server service through local TCP connections.
 
+#### Permissive mode
+
+Istio mutual TLS has a permissive mode, which allows a service to accept
+both plain text traffic and mutual TLS traffic at the same time. This
+feature greatly improves the mutual TLS onboarding experience.
+
+Many non-Istio clients communicating with a non-Istio server presents a
+problem for an operator who wants to migrate that server to Istio with
+mutual TLS enabled. Commonly, the operator cannot install an Istio sidecar
+for all clients at the same time or does not even have the permissions to
+do so on some clients. Even after installing the Istio sidecar on the
+server, the operator cannot enable mutual TLS without breaking existing
+communications.
+
+With the permissive mode enabled, the server accepts both plain text and
+mutual TLS traffic. The mode provides great flexibility for the
+on-boarding process. The server's installed Istio sidecar takes mutual TLS
+traffic immediately without breaking existing plain text traffic. As a
+result, the operator can gradually install and configure the client's
+Istio sidecars to send mutual TLS traffic. Once the configuration of the
+clients is complete, the operator can configure the server to mutual TLS
+only mode. For more information, visit the
+[Mutual TLS Migration tutorial](/docs/tasks/security/mtls-migration).
+
 #### Secure naming
 
 The secure naming information contains *N-to-N* mappings from the server identities, which are encoded in certificates,

content/docs/setup/kubernetes/quick-start/index.md

@@ -38,10 +38,10 @@ we recommend installing with the
 [Helm Chart](/docs/setup/kubernetes/helm-install/), to use all the
 configuration options. This permits customization of Istio to operator specific requirements.
 
-### Option 1: Install Istio without mutual TLS authentication between sidecars
+### Option 1: Install Istio with mutual TLS enabled and set to use permissive mode between sidecars
 
 Visit our
-[mutual TLS authentication between sidecars concept page](/docs/concepts/security/#mutual-tls-authentication)
+[mutual TLS permissive mode page](/docs/concepts/security/#permissive-mode)
 for more information.
 
 Choose this option for:
@@ -54,12 +54,19 @@ Choose this option for:
 * Headless services, or
 * `StatefulSets`
 
-To install Istio without mutual TLS authentication between sidecars:
+To install Istio with mutual TLS enabled and set to use permissive mode
+between sidecars:
 
 {{< text bash >}}
 $ kubectl apply -f install/kubernetes/istio-demo.yaml
 {{< /text >}}
 
+In this option, all services, as servers, can accept both plain text and
+mutual TLS traffic. However, all services, as clients, will send plain
+text traffic.
+Visit [mutual migration](/docs/tasks/security/mtls-migration/#configure-clients-to-send-mutual-tls-traffic)
+for how to configure clients behavior.
+
 ### Option 2: Install Istio with default mutual TLS authentication
 
 Use this option only on a fresh Kubernetes cluster where newly deployed