mirror of https://github.com/istio/istio.io.git
Revise the description of istio-demo (#2743)
This commit is contained in:
parent
15d6dee1f3
commit
6e3acad482
@ -251,6 +251,30 @@ For a client to call a server with mutual TLS authentication:
1. After authorization, the server side Envoy forwards the traffic to the server service through local TCP connections.

#### Permissive mode

Istio mutual TLS has a permissive mode, which allows a service to accept
both plain text traffic and mutual TLS traffic at the same time. This
feature greatly improves the mutual TLS onboarding experience.

Many non-Istio clients communicating with a non-Istio server presents a
problem for an operator who wants to migrate that server to Istio with
mutual TLS enabled. Commonly, the operator cannot install an Istio sidecar
for all clients at the same time or does not even have the permissions to
do so on some clients. Even after installing the Istio sidecar on the
server, the operator cannot enable mutual TLS without breaking existing
communications.

With the permissive mode enabled, the server accepts both plain text and
mutual TLS traffic. The mode provides great flexibility for the
on-boarding process. The server's installed Istio sidecar takes mutual TLS
traffic immediately without breaking existing plain text traffic. As a
result, the operator can gradually install and configure the client's
Istio sidecars to send mutual TLS traffic. Once the configuration of the
clients is complete, the operator can configure the server to mutual TLS
only mode. For more information, visit the
[Mutual TLS Migration tutorial](/docs/tasks/security/mtls-migration).

#### Secure naming

The secure naming information contains *N-to-N* mappings from the server identities, which are encoded in certificates,
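Review bot: the new Permissive mode section never states the trade-off that makes its last step ("the operator can configure the server to mutual TLS only mode") mandatory: while permissive mode is on, the server keeps accepting unauthenticated plain text from any client, so a migration that stops before that step leaves the server no better protected than it was without Istio. Suggest adding, right after "With the permissive mode enabled, the server accepts both plain text and mutual TLS traffic.", a sentence saying that permissive mode is a transitional setting and that plain text is still accepted until the server is switched to mutual TLS only mode. Two smaller points in the same hunk: "Many non-Istio clients communicating with a non-Istio server presents a problem" should read "present a problem", and "on-boarding process" should match the "onboarding experience" spelling used a few lines earlier.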
@ -38,10 +38,10 @@ we recommend installing with the
[Helm Chart](/docs/setup/kubernetes/helm-install/), to use all the
configuration options. This permits customization of Istio to operator specific requirements.

### Option 1: Install Istio without mutual TLS authentication between sidecars
### Option 1: Install Istio with mutual TLS enabled and set to use permissive mode between sidecars

Visit our
[mutual TLS authentication between sidecars concept page](/docs/concepts/security/#mutual-tls-authentication)
[mutual TLS permissive mode page](/docs/concepts/security/#permissive-mode)
for more information.

Choose this option for:
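Review bot: the renamed heading "Install Istio with mutual TLS enabled and set to use permissive mode between sidecars" changes what Option 1 delivers, but the "Choose this option for:" list it introduces is unchanged context that was written for the old "without mutual TLS authentication" option; please re-check that each listed reason (the following hunk shows "Headless services" and `StatefulSets`) still holds now that servers accept mutual TLS, and if a reason no longer applies, drop it. The heading also reads awkwardly; "Install Istio with mutual TLS in permissive mode between sidecars" carries the same meaning. The new link target "/docs/concepts/security/#permissive-mode" relies on the "#### Permissive mode" heading added to the concepts page in this same commit, so both changes must land together or the link dangles.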
@ -54,12 +54,19 @@ Choose this option for:
* Headless services, or
* `StatefulSets`

To install Istio without mutual TLS authentication between sidecars:
To install Istio with mutual TLS enabled and set to use permissive mode
between sidecars:

{{< text bash >}}
$ kubectl apply -f install/kubernetes/istio-demo.yaml
{{< /text >}}

In this option, all services, as servers, can accept both plain text and
mutual TLS traffic. However, all services, as clients, will send plain
text traffic.
Visit [mutual migration](/docs/tasks/security/mtls-migration/#configure-clients-to-send-mutual-tls-traffic)
for how to configure clients behavior.

### Option 2: Install Istio with default mutual TLS authentication

Use this option only on a fresh Kubernetes cluster where newly deployed
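Review bot: the added sentence "all services, as clients, will send plain text traffic" is the security-relevant fact of this option and it undercuts the impression the heading gives: after `kubectl apply -f install/kubernetes/istio-demo.yaml`, traffic between sidecars is still sent in plain text, with neither encryption nor peer authentication, until the clients are configured. Say that directly rather than leaving it to a "However" (e.g. "Until you configure the clients, traffic between services is sent in plain text."). Also: the link text "mutual migration" should be "mutual TLS migration" to match the task it points at, "clients behavior" should be "client behavior", and with Option 1 now described as having mutual TLS enabled, the unchanged Option 2 heading "Install Istio with default mutual TLS authentication" no longer distinguishes the two; naming it after the "mutual TLS only mode" the concepts page introduces would make the contrast clear.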