[release-1.5] Add note on automatic mutual TLS in the upgrade note (#6763)

This commit is contained in:
Mariam John 2020-03-06 16:02:34 -06:00 committed by GitHub
parent 8b70b3aec6
commit c7610d31e4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 4 additions and 0 deletions


@ -86,6 +86,10 @@ $ kubectl delete meshpolicies.authentication.istio.io --all
* We have stabilized the SDS certificate and key provisioning flow. Now the Istio workloads are using SDS to provision certificates. The secret volume mount approach is deprecated.
* Please note when mutual TLS is enabled, Prometheus deployment needs to be manually modified to monitor the workloads. The details are described in this [issue](https://github.com/istio/istio/issues/21843). This is not required in 1.5.1.
## Automatic mutual TLS
Automatic mutual TLS is now enabled by default. Traffic between sidecars is automatically configured as mutual TLS. You can disable this explicitly if you worry about the encryption overhead by adding the option `-- set values.global.mtls.auto=false` during install. For more details, refer to [automatic mutual TLS](/docs/tasks/security/authentication/authn-policy/#auto-mutual-tls).
## Control plane security
As part of the Istiod effort, we have changed how proxies securely communicate with the control plane. In previous versions, proxies would connect to the control plane securely when the setting `values.global.controlPlaneSecurityEnabled=true` was configured, which was the default for Istio 1.4. Each control plane component ran a sidecar with Citadel certificates, and proxies connected to Pilot over port 15011.
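Review bot: the install option in the new "Automatic mutual TLS" section is written as `-- set values.global.mtls.auto=false`, with a space between the dashes and `set`; copied as-is this is not the `--set` flag and will not be accepted, so it should read `--set values.global.mtls.auto=false`. While touching that sentence, it would also help readers to state what the flag actually turns off (the automatic selection of mutual TLS for sidecar-to-sidecar traffic, so that the explicit policy described in the linked page is needed instead) rather than only offering "encryption overhead" as the reason to disable it.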