mirror of https://github.com/istio/istio.io.git
Revise the description of istio-demo (#2743)
parent 15d6dee1f3
commit 6e3acad482
@ -251,6 +251,30 @@ For a client to call a server with mutual TLS authentication:
1. After authorization, the server side Envoy forwards the traffic to the server service through local TCP connections.
1. After authorization, the server side Envoy forwards the traffic to the server service through local TCP connections.
#### Permissive mode
Istio mutual TLS has a permissive mode, which allows a service to accept
both plain text traffic and mutual TLS traffic at the same time. This
feature greatly improves the mutual TLS onboarding experience.
Many non-Istio clients communicating with a non-Istio server presents a
problem for an operator who wants to migrate that server to Istio with
mutual TLS enabled. Commonly, the operator cannot install an Istio sidecar
for all clients at the same time or does not even have the permissions to
do so on some clients. Even after installing the Istio sidecar on the
server, the operator cannot enable mutual TLS without breaking existing
communications.
With the permissive mode enabled, the server accepts both plain text and
mutual TLS traffic. The mode provides great flexibility for the
on-boarding process. The server's installed Istio sidecar takes mutual TLS
traffic immediately without breaking existing plain text traffic. As a
result, the operator can gradually install and configure the client's
Istio sidecars to send mutual TLS traffic. Once the configuration of the
clients is complete, the operator can configure the server to mutual TLS
only mode. For more information, visit the
[Mutual TLS Migration tutorial](/docs/tasks/security/mtls-migration).
#### Secure naming
#### Secure naming
The secure naming information contains *N-to-N* mappings from the server identities, which are encoded in certificates,
The secure naming information contains *N-to-N* mappings from the server identities, which are encoded in certificates,
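Review bot: the second paragraph of the new Permissive mode section, beginning "Many non-Istio clients communicating with a non-Istio server presents a problem", has a subject-verb disagreement; use either "Many non-Istio clients ... present a problem" or "Having many non-Istio clients ... presents a problem". The section also spells the word both ways ("onboarding" in the first paragraph, "on-boarding" in the third); pick one. More importantly, the section should spell out what permissive mode gives up: the plain text connections it accepts carry no client certificate, so the identity and authorization guarantees described in the steps above do not hold for that traffic, and the exposure ends only when the server is moved to mutual TLS only mode once client migration is complete. The final paragraph already describes that step; adding the reason for it makes the trade-off clear to an operator deciding how long to stay in permissive mode.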
@ -38,10 +38,10 @@ we recommend installing with the
[Helm Chart](/docs/setup/kubernetes/helm-install/), to use all the
[Helm Chart](/docs/setup/kubernetes/helm-install/), to use all the
configuration options. This permits customization of Istio to operator specific requirements.
configuration options. This permits customization of Istio to operator specific requirements.
### Option 1: Install Istio without mutual TLS authentication between sidecars
### Option 1: Install Istio with mutual TLS enabled and set to use permissive mode between sidecars
Visit our
Visit our
[mutual TLS authentication between sidecars concept page](/docs/concepts/security/#mutual-tls-authentication)
[mutual TLS permissive mode page](/docs/concepts/security/#permissive-mode)
for more information.
for more information.
Choose this option for:
Choose this option for:
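Review bot: the new link text "mutual TLS permissive mode page" points at a section anchor (`#permissive-mode`) of the concepts page rather than a separate page, so "section" reads better than "page". The heading now says "with mutual TLS enabled", but the "Choose this option for:" rationale that follows was written for the old "without mutual TLS authentication" wording; confirm those reasons still hold for permissive mode, and consider adding one sentence to the intro noting that choosing this option does not by itself authenticate traffic between sidecars, so readers do not take "enabled" to mean the traffic is protected.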
@ -54,12 +54,19 @@ Choose this option for:
* Headless services, or
* Headless services, or
* `StatefulSets`
* `StatefulSets`
To install Istio without mutual TLS authentication between sidecars:
To install Istio with mutual TLS enabled and set to use permissive mode
between sidecars:
{{< text bash >}}
{{< text bash >}}
$ kubectl apply -f install/kubernetes/istio-demo.yaml
$ kubectl apply -f install/kubernetes/istio-demo.yaml
{{< /text >}}
{{< /text >}}
In this option, all services, as servers, can accept both plain text and
mutual TLS traffic. However, all services, as clients, will send plain
text traffic.
Visit [mutual migration](/docs/tasks/security/mtls-migration/#configure-clients-to-send-mutual-tls-traffic)
for how to configure clients behavior.
### Option 2: Install Istio with default mutual TLS authentication
### Option 2: Install Istio with default mutual TLS authentication
Use this option only on a fresh Kubernetes cluster where newly deployed
Use this option only on a fresh Kubernetes cluster where newly deployed
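Review bot: the new closing sentence links "mutual migration" to the mutual TLS migration task; the link text should read "mutual TLS migration" to match the concept page link, and "configure clients behavior" should be "configure client behavior". This paragraph is also the right place to make the security consequence explicit: with this option every service still sends plain text, so until the clients are configured as the linked step describes, traffic between sidecars is neither authenticated nor encrypted, even though the option heading says mutual TLS is enabled. One sentence stating that, placed before the link, would keep readers from assuming the install is protected out of the box.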