istio.io/archive/v1.12/docs/ops/best-practices/security/index.html


<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Security Best Practices"><meta name=description content="Best practices for securing applications using Istio."><meta name=keywords content="microservices,services,mesh"><meta property="og:title" content="Security Best Practices"><meta property="og:type" content="website"><meta property="og:description" content="Best practices for securing applications using Istio."><meta property="og:url" content="/v1.12/docs/ops/best-practices/security/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="1024"><meta property="og:image:height" content="1024"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.12 / Security Best Practices</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.12/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.12/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.12/feed.xml><link rel="shortcut icon" href=/v1.12/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.12/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.12/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.12/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.12/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.12/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.12/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.12/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.12/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.12/favicons/android-192x192.png sizes=192x192><link rel=mask-icon href=/v1.12/favicons/safari-pinned-tab.svg color=#466bb0><link rel=manifest href=/v1.12/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.12/css/all.css><link rel=preconnect href=https://fonts.gstatic.com><link rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.12/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.12";const docTitle="Security Best Practices";const iconFile="\/v1.12/img/icons.svg";const buttonCopy='Copy to 
clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.12/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.12/><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 
32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371 7.869 7.869.0 013.066-4.178 9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation"><svg class="icon 
menu-hamburger"><use xlink:href="/v1.12/img/icons.svg#menu-hamburger"/></svg></button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.12/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>About</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.12/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.12/about/service-mesh class=main-navigation-links-link>Service mesh</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/about/solutions class=main-navigation-links-link>Solutions</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/about/case-studies class=main-navigation-links-link>Case studies</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/about/ecosystem class=main-navigation-links-link>Ecosystem</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/about/deployment class=main-navigation-links-link>Deployment</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.12/blog/ class=main-navigation-links-link><span>Blog</span></a></li><li class=main-navigation-links-item><a href=/v1.12/news/ class=main-navigation-links-link><span>News</span></a></li><li class=main-navigation-links-item><a href=/v1.12/get-involved/ class=main-navigation-links-link><span>Get involved</span></a></li><li class=main-navigation-links-item><a href=/v1.12/docs/ class=main-navigation-links-link><span>Documentation</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title="Search this site" aria-label=Search><svg class="icon magnifier"><use 
xlink:href="/v1.12/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.12/docs/setup/getting-started class="btn btn--primary" id=try-istio>Try Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label="Search this site" placeholder=Search>
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon menu-close"><use xlink:href="/v1.12/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container><a href=/v1.12/news/releases/1.12.x/announcing-1.12.3/ class=banner data-title="Latest Release-2022-02-11 00:00:00 +0000 UTC" data-period-start=1644537600000 data-period-end=1645142400000 data-max-impressions=3 data-timeout><div class=content><p>Istio 1.12.3 is now available! Click here to learn more</p></div><div class=frame></div></a></div><main class="primary container has-sidebar has-toc docs"><div id=sidebar-container class=sidebar-container><nav id=sidebar aria-label="Section Navigation"><button id=sidebar-close class="main-navigation-toggle sidebar-close" aria-label="Close sidebar"><svg class="icon menu-close"><use xlink:href="/v1.12/img/icons.svg#menu-close"/></svg></button><div class=sidebar-nav><div class=search><form id=search-docs-form name=cse role=search><input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-docs-url value=/v1.12/search>
<input id=search-docs-textbox class=form-control name=docs-search type=search aria-label="Search this site" placeholder=Search>
<button id=search-show2 class=search-show title="Search this site" aria-label=Search><svg class="icon magnifier"><use xlink:href="/v1.12/img/icons.svg#magnifier"/></svg></button></form></div><div class=card><div class="body default" aria-labelledby=header0><ul role=tree aria-expanded=true aria-labelledby=header0><li role=treeitem aria-label=Concepts><a class=main title="Learn about the different parts of the Istio system and the abstractions it uses." href=/v1.12/docs/concepts/>Concepts</a><ul role=group aria-expanded=true class=leaf-section><li role=none><a role=treeitem title="Describes the various Istio features focused on traffic routing and control." href=/v1.12/docs/concepts/traffic-management/>Traffic Management</a></li><li role=none><a role=treeitem title="Describes Istio's authorization and authentication functionality." href=/v1.12/docs/concepts/security/>Security</a></li><li role=none><a role=treeitem title="Describes the telemetry and monitoring features provided by Istio." href=/v1.12/docs/concepts/observability/>Observability</a></li><li role=none><a role=treeitem title="Describes Istio's WebAssembly Plugin system." href=/v1.12/docs/concepts/wasm/>Extensibility</a></li></ul></li><li role=treeitem aria-label=Setup><a class=main title="Instructions for installing the Istio control plane on Kubernetes." href=/v1.12/docs/setup/>Setup</a><ul role=group aria-expanded=true><li role=none><a role=treeitem title="Try Istio's features quickly and easily." href=/v1.12/docs/setup/getting-started/>Getting Started</a></li><li role=treeitem aria-label="Platform Setup"><button aria-hidden=true></button><a title="How to prepare various Kubernetes platforms before installing Istio." href=/v1.12/docs/setup/platform-setup/>Platform Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to setup an Alibaba Cloud Kubernetes cluster for Istio." 
href=/v1.12/docs/setup/platform-setup/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup an Azure cluster for Istio." href=/v1.12/docs/setup/platform-setup/azure/>Azure</a></li><li role=none><a role=treeitem title="Instructions to setup Docker Desktop for Istio." href=/v1.12/docs/setup/platform-setup/docker/>Docker Desktop</a></li><li role=none><a role=treeitem title="Instructions to setup a Google Kubernetes Engine cluster for Istio." href=/v1.12/docs/setup/platform-setup/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to setup a Huawei Cloud Kubernetes cluster for Istio." href=/v1.12/docs/setup/platform-setup/huaweicloud/>Huawei Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup an IBM Cloud cluster for Istio." href=/v1.12/docs/setup/platform-setup/ibm/>IBM Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup kind for Istio." href=/v1.12/docs/setup/platform-setup/kind/>kind</a></li><li role=none><a role=treeitem title="Instructions to setup Kops for use with Istio." href=/v1.12/docs/setup/platform-setup/kops/>Kops</a></li><li role=none><a role=treeitem title="Instructions to setup a Gardener cluster for Istio." href=/v1.12/docs/setup/platform-setup/gardener/>Kubernetes Gardener</a></li><li role=none><a role=treeitem title="Instructions to setup a KubeSphere Container Platform for Istio." href=/v1.12/docs/setup/platform-setup/kubesphere/>KubeSphere Container Platform</a></li><li role=none><a role=treeitem title="Instructions to setup MicroK8s for use with Istio." href=/v1.12/docs/setup/platform-setup/microk8s/>MicroK8s</a></li><li role=none><a role=treeitem title="Instructions to setup minikube for Istio." href=/v1.12/docs/setup/platform-setup/minikube/>Minikube</a></li><li role=none><a role=treeitem title="Instructions to setup an OpenShift cluster for Istio." 
href=/v1.12/docs/setup/platform-setup/openshift/>OpenShift</a></li><li role=none><a role=treeitem title="Instructions to prepare a cluster for Istio using Oracle Container Engine for Kubernetes (OKE)." href=/v1.12/docs/setup/platform-setup/oci/>Oracle Cloud Infrastructure</a></li><li role=none><a role=treeitem title="Instructions to setup Istio quickly in Tencent Cloud." href=/v1.12/docs/setup/platform-setup/tencent-cloud-mesh/>Tencent Cloud</a></li></ul></li><li role=treeitem aria-label=Install><button aria-hidden=true></button><a title="Choose the guide that best suits your needs and platform." href=/v1.12/docs/setup/install/>Install</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Install and customize any Istio configuration profile for in-depth evaluation or production use." href=/v1.12/docs/setup/install/istioctl/>Install with Istioctl</a></li><li role=none><a role=treeitem title="Install and configure Istio for in-depth evaluation." href=/v1.12/docs/setup/install/helm/>Install with Helm</a></li><li role=treeitem aria-label="Install Multicluster"><button aria-hidden=true></button><a title="Install an Istio mesh across multiple Kubernetes clusters." href=/v1.12/docs/setup/install/multicluster/>Install Multicluster</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Initial steps before installing Istio on multiple clusters." href=/v1.12/docs/setup/install/multicluster/before-you-begin/>Before you begin</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple primary clusters." href=/v1.12/docs/setup/install/multicluster/multi-primary/>Install Multi-Primary</a></li><li role=none><a role=treeitem title="Install an Istio mesh across primary and remote clusters." href=/v1.12/docs/setup/install/multicluster/primary-remote/>Install Primary-Remote</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple primary clusters on different networks." 
href=/v1.12/docs/setup/install/multicluster/multi-primary_multi-network/>Install Multi-Primary on different networks</a></li><li role=none><a role=treeitem title="Install an Istio mesh across primary and remote clusters on different networks." href=/v1.12/docs/setup/install/multicluster/primary-remote_multi-network/>Install Primary-Remote on different networks</a></li><li role=none><a role=treeitem title="Verify that Istio has been installed properly on multiple clusters." href=/v1.12/docs/setup/install/multicluster/verify/>Verify the installation</a></li></ul></li><li role=none><a role=treeitem title="Install Istio with an external control plane and a remote cluster data plane." href=/v1.12/docs/setup/install/external-controlplane/>Install Istio with an External Control Plane</a></li><li role=none><a role=treeitem title="Deploy Istio and connect a workload running within a virtual machine to it." href=/v1.12/docs/setup/install/virtual-machine/>Virtual Machine Installation</a></li><li role=none><a role=treeitem title="Instructions to install Istio in a Kubernetes cluster using the Istio operator (Beta)" href=/v1.12/docs/setup/install/operator/>Istio Operator Install *</a></li></ul></li><li role=treeitem aria-label=Upgrade><button aria-hidden=true></button><a title="Upgrade, downgrade, and manage Istio across multiple control plane revisions." href=/v1.12/docs/setup/upgrade/>Upgrade</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Upgrade Istio by first running a canary deployment of a new control plane." href=/v1.12/docs/setup/upgrade/canary/>Canary Upgrades</a></li><li role=none><a role=treeitem title="Upgrade or downgrade Istio in place." href=/v1.12/docs/setup/upgrade/in-place/>In-place Upgrades</a></li><li role=none><a role=treeitem title="Upgrade and configure Istio for in-depth evaluation." 
href=/v1.12/docs/setup/upgrade/helm/>Upgrade with Helm</a></li></ul></li><li role=treeitem aria-label="More Guides"><button aria-hidden=true></button><a title="More information on additional setup tasks." href=/v1.12/docs/setup/additional-setup/>More Guides</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes the built-in Istio installation configuration profiles." href=/v1.12/docs/setup/additional-setup/config-profiles/>Installation Configuration Profiles</a></li><li role=none><a role=treeitem title="Install and customize Istio Gateways." href=/v1.12/docs/setup/additional-setup/gateway/>Installing Gateways</a></li><li role=none><a role=treeitem title="Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href=/v1.12/docs/setup/additional-setup/sidecar-injection/>Installing the Sidecar</a></li><li role=none><a role=treeitem title="Describes how to customize installation configuration options." href=/v1.12/docs/setup/additional-setup/customize-installation/>Customizing the installation configuration</a></li><li role=none><a role=treeitem title="Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege." href=/v1.12/docs/setup/additional-setup/cni/>Install Istio with the Istio CNI plugin</a></li></ul></li></ul></li><li role=treeitem aria-label=Tasks><a class=main title="How to do single specific targeted activities with the Istio system." href=/v1.12/docs/tasks/>Tasks</a><ul role=group aria-expanded=true><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Tasks that demonstrate Istio's traffic routing features." href=/v1.12/docs/tasks/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="This task shows you how to configure dynamic request routing to multiple versions of a microservice." 
href=/v1.12/docs/tasks/traffic-management/request-routing/>Request Routing</a></li><li role=none><a role=treeitem title="This task shows you how to inject faults to test the resiliency of your application." href=/v1.12/docs/tasks/traffic-management/fault-injection/>Fault Injection</a></li><li role=none><a role=treeitem title="Shows you how to migrate traffic from an old to new version of a service." href=/v1.12/docs/tasks/traffic-management/traffic-shifting/>Traffic Shifting</a></li><li role=none><a role=treeitem title="Shows you how to migrate TCP traffic from an old to new version of a TCP service." href=/v1.12/docs/tasks/traffic-management/tcp-traffic-shifting/>TCP Traffic Shifting</a></li><li role=none><a role=treeitem title="This task shows you how to setup request timeouts in Envoy using Istio." href=/v1.12/docs/tasks/traffic-management/request-timeouts/>Request Timeouts</a></li><li role=none><a role=treeitem title="This task shows you how to configure circuit breaking for connections, requests, and outlier detection." href=/v1.12/docs/tasks/traffic-management/circuit-breaking/>Circuit Breaking</a></li><li role=none><a role=treeitem title="This task demonstrates the traffic mirroring/shadowing capabilities of Istio." href=/v1.12/docs/tasks/traffic-management/mirroring/>Mirroring</a></li><li role=treeitem aria-label="Locality Load Balancing"><button aria-hidden=true></button><a title="This series of tasks demonstrate how to configure locality load balancing in Istio." href=/v1.12/docs/tasks/traffic-management/locality-load-balancing/>Locality Load Balancing</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Initial steps before configuring locality load balancing." href=/v1.12/docs/tasks/traffic-management/locality-load-balancing/before-you-begin/>Before you begin</a></li><li role=none><a role=treeitem title="This task demonstrates how to configure your mesh for locality failover." 
href=/v1.12/docs/tasks/traffic-management/locality-load-balancing/failover/>Locality failover</a></li><li role=none><a role=treeitem title="This guide demonstrates how to configure locality distribution." href=/v1.12/docs/tasks/traffic-management/locality-load-balancing/distribute/>Locality weighted distribution</a></li><li role=none><a role=treeitem title="Cleanup steps for locality load balancing." href=/v1.12/docs/tasks/traffic-management/locality-load-balancing/cleanup/>Cleanup</a></li></ul></li><li role=treeitem aria-label=Ingress><button aria-hidden=true></button><a title="Controlling ingress traffic for an Istio service mesh." href=/v1.12/docs/tasks/traffic-management/ingress/>Ingress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure an Istio gateway to expose a service outside of the service mesh." href=/v1.12/docs/tasks/traffic-management/ingress/ingress-control/>Ingress Gateways</a></li><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS." href=/v1.12/docs/tasks/traffic-management/ingress/secure-ingress/>Secure Gateways</a></li><li role=none><a role=treeitem title="Describes how to configure SNI passthrough for an ingress gateway." href=/v1.12/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/>Ingress Gateway without TLS Termination</a></li><li role=none><a role=treeitem title="Describes how to configure a Kubernetes Ingress object to expose a service outside of the service mesh." href=/v1.12/docs/tasks/traffic-management/ingress/kubernetes-ingress/>Kubernetes Ingress</a></li><li role=none><a role=treeitem title="Describes how to configure the Kubernetes Gateway API with Istio." href=/v1.12/docs/tasks/traffic-management/ingress/gateway-api/>Kubernetes Gateway API</a></li></ul></li><li role=treeitem aria-label=Egress><button aria-hidden=true></button><a title="Controlling egress traffic for an Istio service mesh." 
href=/v1.12/docs/tasks/traffic-management/egress/>Egress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure Istio to route traffic from services in the mesh to external services." href=/v1.12/docs/tasks/traffic-management/egress/egress-control/>Accessing External Services</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to perform TLS origination for traffic to external services." href=/v1.12/docs/tasks/traffic-management/egress/egress-tls-origination/>Egress TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway." href=/v1.12/docs/tasks/traffic-management/egress/egress-gateway/>Egress Gateways</a></li><li role=none><a role=treeitem title="Describes how to configure an Egress Gateway to perform TLS origination to external services." href=/v1.12/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress Gateways with TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to enable egress traffic for a set of hosts in a common domain, instead of configuring each and every host separately." href=/v1.12/docs/tasks/traffic-management/egress/wildcard-egress-hosts/>Egress using Wildcard Hosts</a></li><li role=none><a role=treeitem title="Shows how to configure Istio for Kubernetes External Services." href=/v1.12/docs/tasks/traffic-management/egress/egress-kubernetes-services/>Kubernetes Services for Egress Traffic</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to let applications use an external HTTPS proxy." href=/v1.12/docs/tasks/traffic-management/egress/http-proxy/>Using an External HTTPS Proxy</a></li></ul></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Demonstrates how to secure the mesh." 
href=/v1.12/docs/tasks/security/>Security</a><ul role=group aria-expanded=false><li role=treeitem aria-label="Certificate Management"><button aria-hidden=true></button><a title="Management of the certificates in Istio." href=/v1.12/docs/tasks/security/cert-management/>Certificate Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows how system administrators can configure Istio's CA with a root certificate, signing certificate and key." href=/v1.12/docs/tasks/security/cert-management/plugin-ca-cert/>Plug in CA Certificates</a></li><li role=none><a role=treeitem title="Shows how to provision and manage DNS certificates in Istio." href=/v1.12/docs/tasks/security/cert-management/dns-cert/>Istio DNS Certificate Management</a></li><li role=none><a role=treeitem title="Shows how to use a Custom Certificate Authority (that integrates with the Kubernetes CSR API) to provision Istio workload certificates (Experimental)" href=/v1.12/docs/tasks/security/cert-management/custom-ca-k8s/>Custom CA Integration using Kubernetes CSR *</a></li></ul></li><li role=treeitem aria-label=Authentication><button aria-hidden=true></button><a title="Controlling mutual TLS and end-user authentication for mesh services." href=/v1.12/docs/tasks/security/authentication/>Authentication</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication." href=/v1.12/docs/tasks/security/authentication/authn-policy/>Authentication Policy</a></li><li role=none><a role=treeitem title="Shows you how to use Istio authentication policy to route requests based on JWT claims (Experimental)" href=/v1.12/docs/tasks/security/authentication/jwt-route/>JWT claim based routing *</a></li><li role=none><a role=treeitem title="Shows you how to incrementally migrate your Istio services to mutual TLS." 
</ul></div></div></div></nav></div><div class=article-container><article aria-labelledby=title><div class=title-area><div style=width:100%><h1 id=title>Security Best Practices</h1><p class=byline><span class=reading-time title="4647 words"><svg class="icon clock"><use xlink:href="/v1.12/img/icons.svg#clock"/></svg><span>&nbsp;</span>22 minute read</span>
<span>&nbsp;</span>
<span></span></p></div></div><nav class="toc-inlined toc-forced" aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="Mutual TLS"><a href=#mutual-tls>Mutual TLS</a><li role=none aria-label="Authorization policies"><a href=#authorization-policies>Authorization policies</a><ol><li role=none aria-label="Safer Authorization Policy Patterns"><a href=#safer-authorization-policy-patterns>Safer Authorization Policy Patterns</a><ol><li role=none aria-label="Use default-deny patterns"><a href=#use-default-deny-patterns>Use default-deny patterns</a><li role=none aria-label="Use ALLOW-with-positive-matching and DENY-with-negative-match patterns"><a href=#use-allow-with-positive-matching-and-deny-with-negative-match-patterns>Use <code>ALLOW-with-positive-matching</code> and <code>DENY-with-negative-match</code> patterns</a></ol></li><li role=none aria-label="Understand path normalization in authorization policy"><a href=#understand-path-normalization-in-authorization-policy>Understand path normalization in authorization policy</a><li role=none aria-label="Guideline on configuring the path normalization option"><a href=#guideline-on-configuring-the-path-normalization-option>Guideline on configuring the path normalization option</a><ol><li role=none aria-label="Case 1: You do not need normalization at all"><a href=#case-1-you-do-not-need-normalization-at-all>Case 1: You do not need normalization at all</a><li role=none aria-label="Case 2: You need normalization but not sure which normalization option to use"><a href=#case-2-you-need-normalization-but-not-sure-which-normalization-option-to-use>Case 2: You need normalization but not sure which normalization option to use</a><li role=none aria-label="Case 3: You need an unsupported normalization option"><a href=#case-3-you-need-an-unsupported-normalization-option>Case 3: You need an unsupported normalization option</a></ol></li><li role=none aria-label="Customize your system on path normalization"><a 
href=#customize-your-system-on-path-normalization>Customize your system on path normalization</a><ol><li role=none aria-label="Examples of configuration"><a href=#examples-of-configuration>Examples of configuration</a><li role=none aria-label="How to configure"><a href=#how-to-configure>How to configure</a></ol></li><li role=none aria-label="Mitigation for unsupported normalization"><a href=#mitigation-for-unsupported-normalization>Mitigation for unsupported normalization</a><ol><li role=none aria-label="Custom normalization logic"><a href=#custom-normalization-logic>Custom normalization logic</a><ol><li role=none aria-label="Example custom normalization (case normalization)"><a href=#example-custom-normalization-case-normalization>Example custom normalization (case normalization)</a></ol></li><li role=none aria-label="Writing Host Match Policies"><a href=#writing-host-match-policies>Writing Host Match Policies</a><li role=none aria-label="Specialized Web Application Firewall (WAF)"><a href=#specialized-web-application-firewall-waf>Specialized Web Application Firewall (WAF)</a><li role=none aria-label="Feature request to Istio"><a href=#feature-request-to-istio>Feature request to Istio</a></ol></li><li role=none aria-label="Known limitations"><a href=#known-limitations>Known limitations</a><ol><li role=none aria-label="Server-first TCP protocols are not supported"><a href=#server-first-tcp-protocols-are-not-supported>Server-first TCP protocols are not supported</a></ol></li></ol></li><li role=none aria-label="Understand traffic capture limitations"><a href=#understand-traffic-capture-limitations>Understand traffic capture limitations</a><ol><li role=none aria-label="Defense in depth with NetworkPolicy"><a href=#defense-in-depth-with-networkpolicy>Defense in depth with <code>NetworkPolicy</code></a><li role=none aria-label="Securing egress traffic"><a href=#securing-egress-traffic>Securing egress traffic</a></ol></li><li role=none aria-label="Configure TLS 
verification in Destination Rule when using TLS origination"><a href=#configure-tls-verification-in-destination-rule-when-using-tls-origination>Configure TLS verification in Destination Rule when using TLS origination</a><li role=none aria-label=Gateways><a href=#gateways>Gateways</a><ol><li role=none aria-label="Restrict Gateway creation privileges"><a href=#restrict-gateway-creation-privileges>Restrict <code>Gateway</code> creation privileges</a><li role=none aria-label="Avoid overly broad hosts configurations"><a href=#avoid-overly-broad-hosts-configurations>Avoid overly broad <code>hosts</code> configurations</a><li role=none aria-label="Isolate sensitive services"><a href=#isolate-sensitive-services>Isolate sensitive services</a><li role=none aria-label="Explicitly disable all the sensitive http host under relaxed SNI host matching"><a href=#explicitly-disable-all-the-sensitive-http-host-under-relaxed-sni-host-matching>Explicitly disable all the sensitive http host under relaxed SNI host matching</a></ol></li><li role=none aria-label="Protocol detection"><a href=#protocol-detection>Protocol detection</a><li role=none aria-label=CNI><a href=#cni>CNI</a><li role=none aria-label="Use hardened docker images"><a href=#use-hardened-docker-images>Use hardened docker images</a><li role=none aria-label="Release and security policy"><a href=#release-and-security-policy>Release and security policy</a><li role=none aria-label="Detect invalid configurations"><a href=#detect-invalid-configurations>Detect invalid configurations</a><li role=none aria-label="Avoid alpha and experimental features"><a href=#avoid-alpha-and-experimental-features>Avoid alpha and experimental features</a><li role=none aria-label="Lock down ports"><a href=#lock-down-ports>Lock down ports</a><ol><li role=none aria-label="Control Plane"><a href=#control-plane>Control Plane</a><li role=none aria-label="Data Plane"><a href=#data-plane>Data Plane</a></ol></li><li role=none aria-label="Configure third 
party service account tokens"><a href=#configure-third-party-service-account-tokens>Configure third party service account tokens</a><li role=none aria-label="Configure a limit on downstream connections"><a href=#configure-a-limit-on-downstream-connections>Configure a limit on downstream connections</a></ol><hr></div></nav><p>Istio security features provide strong identity, powerful policy, transparent TLS encryption, and authentication, authorization and audit (AAA) tools to protect your services and data.
However, to fully make use of these features securely, care must be taken to follow best practices. It is recommended to review the <a href=/v1.12/docs/concepts/security/>Security overview</a> before proceeding.</p><h2 id=mutual-tls>Mutual TLS</h2><p>Istio will <a href=/v1.12/docs/ops/configuration/traffic-management/tls-configuration/#auto-mtls>automatically</a> encrypt traffic using <a href=/v1.12/docs/concepts/security/#mutual-tls-authentication>Mutual TLS</a> whenever possible.
However, proxies are configured in <a href=/v1.12/docs/concepts/security/#permissive-mode>permissive mode</a> by default, meaning they will accept both mutual TLS and plaintext traffic.</p><p>While this is useful for incremental adoption or for allowing traffic from clients without an Istio sidecar, it also weakens the security stance: a plaintext request is neither encrypted in transit nor tied to a verified client identity.
It is recommended to <a href=/v1.12/docs/tasks/security/authentication/mtls-migration/>migrate to strict mode</a> when possible, to enforce that mutual TLS is used.</p><p>Mutual TLS alone is not always enough to fully secure traffic, however, as it provides only authentication, not authorization.
This means that any client holding a valid mesh certificate can still access a service.</p><p>To fully lock down traffic, it is recommended to configure <a href=/v1.12/docs/tasks/security/authorization/>authorization policies</a>.
These allow creating fine-grained policies to allow or deny traffic. For example, you can allow only requests from the <code>app</code> namespace to access the <code>hello-world</code> service.</p><h2 id=authorization-policies>Authorization policies</h2><p>Istio <a href=/v1.12/docs/concepts/security/#authorization>authorization</a> plays a critical part in Istio security.
It takes effort to configure the correct authorization policies to best protect your clusters.
It is important to understand the implications of these configurations as Istio cannot determine the proper authorization for all users.
Please follow this section in its entirety.</p><h3 id=safer-authorization-policy-patterns>Safer Authorization Policy Patterns</h3><h4 id=use-default-deny-patterns>Use default-deny patterns</h4><p>We recommend you define your Istio authorization policies following the default-deny pattern to enhance your cluster&rsquo;s security posture.
The default-deny authorization pattern means your system denies all requests by default, and you define the conditions in which the requests are allowed.
In case you miss some conditions, traffic will be unexpectedly denied, instead of traffic being unexpectedly allowed.
The latter is typically a security incident, while the former may result in a poor user experience, a service outage, or a missed SLO/SLA.</p><p>For example, in the <a href=/v1.12/docs/tasks/security/authorization/authz-http/>authorization for HTTP traffic task</a>,
the authorization policy named <code>allow-nothing</code> makes sure all traffic is denied by default.
From there, other authorization policies allow traffic based on specific conditions.</p><h4 id=use-allow-with-positive-matching-and-deny-with-negative-match-patterns>Use <code>ALLOW-with-positive-matching</code> and <code>DENY-with-negative-match</code> patterns</h4><p>Use the <code>ALLOW-with-positive-matching</code> or <code>DENY-with-negative-matching</code> patterns whenever possible. These authorization policy
patterns are safer because the worst result in the case of policy mismatch is an unexpected 403 rejection instead of
an authorization policy bypass.</p><p>The <code>ALLOW-with-positive-matching</code> pattern is to use the <code>ALLOW</code> action only with <strong>positive</strong> matching fields (e.g. <code>paths</code>, <code>values</code>)
and do not use any of the <strong>negative</strong> matching fields (e.g. <code>notPaths</code>, <code>notValues</code>).</p><p>The <code>DENY-with-negative-matching</code> pattern is to use the <code>DENY</code> action only with <strong>negative</strong> matching fields (e.g. <code>notPaths</code>, <code>notValues</code>)
and do not use any of the <strong>positive</strong> matching fields (e.g. <code>paths</code>, <code>values</code>).</p><p>For example, the authorization policy below uses the <code>ALLOW-with-positive-matching</code> pattern to allow requests to path <code>/public</code>:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: foo
spec:
  # ALLOW-with-positive-matching: only positive fields (paths) are used, so a
  # request whose path does not match exactly is rejected (403) rather than
  # let through by an unexpected normalization mismatch.
  action: ALLOW
  rules:
  - to:
    - operation:
        # Exact match on the (normalized) request path.
        paths: ["/public"]
</code></pre><p>The above policy explicitly lists the allowed path (<code>/public</code>). This means the request path must be exactly the same as
<code>/public</code> to allow the request. Any other request is rejected by default, so if Envoy and the backend normalize a path differently the worst outcome is an unexpected 403, not a policy bypass. Note that this holds only while no other <code>ALLOW</code> policy on the same workload matches more broadly.</p><p>The following is an example using the <code>DENY-with-negative-matching</code> pattern to achieve the same result:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: foo
spec:
  # DENY-with-negative-matching: only negative fields (notPaths) are used, so
  # everything except an exact "/public" path is denied. A path the backend
  # would treat as "/public" but Envoy does not is still denied (safe side).
  action: DENY
  rules:
  - to:
    - operation:
        notPaths: ["/public"]
</code></pre><h3 id=understand-path-normalization-in-authorization-policy>Understand path normalization in authorization policy</h3><p>The enforcement point for authorization policies is the Envoy proxy instead of the usual resource access point in the backend application. A policy mismatch happens when the Envoy proxy and the backend application interpret the request
differently.</p><p>A mismatch can lead to either unexpected rejection or a policy bypass. The latter is usually a security incident that needs to be
fixed immediately, and it&rsquo;s also why we need path normalization in the authorization policy.</p><p>For example, consider an authorization policy to reject requests with path <code>/data/secret</code>. A request with path <code>/data//secret</code> will
not be rejected because it does not match the path defined in the authorization policy due to the extra forward slash <code>/</code> in the path.</p><p>The request goes through and later the backend application returns the same response that it returns for the path <code>/data/secret</code>
because the backend application normalizes the path <code>/data//secret</code> to <code>/data/secret</code> as it considers the double forward slashes
<code>//</code> equivalent to a single forward slash <code>/</code>.</p><p>In this example, the policy enforcement point (Envoy proxy) had a different understanding of the path than the resource access
point (backend application). The different understanding caused the mismatch and subsequently the bypass of the authorization policy.</p><p>This becomes a complicated problem because of the following factors:</p><ul><li><p>Lack of a clear standard for the normalization.</p></li><li><p>Backends and frameworks in different layers have their own special normalization.</p></li><li><p>Applications can even have arbitrary normalizations for their own use cases.</p></li></ul><p>Istio authorization policy implements built-in support of various basic normalization options to help you to better address
the problem:</p><ul><li><p>Refer to <a href=/v1.12/docs/ops/best-practices/security/#guideline-on-configuring-the-path-normalization-option>Guideline on configuring the path normalization option</a>
to understand which normalization options you may want to use.</p></li><li><p>Refer to <a href=/v1.12/docs/ops/best-practices/security/#customize-your-system-on-path-normalization>Customize your system on path normalization</a> to
understand the detail of each normalization option.</p></li><li><p>Refer to <a href=/v1.12/docs/ops/best-practices/security/#mitigation-for-unsupported-normalization>Mitigation for unsupported normalization</a> for
alternative solutions in case you need any unsupported normalization options.</p></li></ul><h3 id=guideline-on-configuring-the-path-normalization-option>Guideline on configuring the path normalization option</h3><h4 id=case-1-you-do-not-need-normalization-at-all>Case 1: You do not need normalization at all</h4><p>Before diving into the details of configuring normalization, you should first make sure that normalizations are needed.</p><p>You do not need normalization if you don&rsquo;t use authorization policies or if your authorization policies don&rsquo;t
use any <code>path</code> fields.</p><p>You may not need normalization if all your authorization policies follow the <a href=/v1.12/docs/ops/best-practices/security/#safer-authorization-policy-patterns>safer authorization pattern</a>
which, in the worst case, results in unexpected rejection instead of policy bypass.</p><h4 id=case-2-you-need-normalization-but-not-sure-which-normalization-option-to-use>Case 2: You need normalization but not sure which normalization option to use</h4><p>You need normalization but you have no idea of which option to use. The safest choice is the strictest normalization option
that provides the maximum level of normalization in the authorization policy; at the time of writing that is <code>DECODE_AND_MERGE_SLASHES</code> (see the table below).</p><p>This is often the case because complicated multi-layered systems make it practically impossible to figure
out what normalization is actually happening to a request beyond the enforcement point.</p><p>You could use a less strict normalization option if it already satisfies your requirements and you are sure of its implications.</p><p>For either option, make sure you write both positive and negative tests specifically for your requirements to verify the
normalization is working as expected. The tests are useful in catching potential bypass issues caused by a misunderstanding
or incomplete knowledge of the normalization happening to your request.</p><p>Refer to <a href=/v1.12/docs/ops/best-practices/security/#customize-your-system-on-path-normalization>Customize your system on path normalization</a>
for more details on configuring the normalization option.</p><h4 id=case-3-you-need-an-unsupported-normalization-option>Case 3: You need an unsupported normalization option</h4><p>If you need a specific normalization option that is not supported by Istio yet, please follow
<a href=/v1.12/docs/ops/best-practices/security/#mitigation-for-unsupported-normalization>Mitigation for unsupported normalization</a>
for customized normalization support or create a feature request for the Istio community.</p><h3 id=customize-your-system-on-path-normalization>Customize your system on path normalization</h3><p>Istio authorization policies can be based on the URL paths in the HTTP request.
<a href=https://en.wikipedia.org/wiki/URI_normalization>Path normalization (a.k.a., URI normalization)</a> modifies and standardizes the incoming requests&rsquo; paths,
so that the normalized paths can be processed in a standard way.
Syntactically different paths may be equivalent after path normalization.</p><p>Istio supports the following normalization schemes on the request paths,
before evaluating against the authorization policies and routing the requests:</p><table><thead><tr><th>Option</th><th>Description</th><th>Example</th></tr></thead><tbody><tr><td><code>NONE</code></td><td>No normalization is done. Anything received by Envoy will be forwarded exactly as-is to any backend service.</td><td><code>../%2Fa../b</code> is evaluated by the authorization policies and sent to your service.</td></tr><tr><td><code>BASE</code></td><td>This is currently the option used in the <em>default</em> installation of Istio. This applies the <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path><code>normalize_path</code></a> option on Envoy proxies, which follows <a href=https://tools.ietf.org/html/rfc3986>RFC 3986</a> with extra normalization to convert backslashes to forward slashes.</td><td><code>/a/../b</code> is normalized to <code>/b</code>. <code>\da</code> is normalized to <code>/da</code>.</td></tr><tr><td><code>MERGE_SLASHES</code></td><td>Slashes are merged after the <em>BASE</em> normalization.</td><td><code>/a//b</code> is normalized to <code>/a/b</code>.</td></tr><tr><td><code>DECODE_AND_MERGE_SLASHES</code></td><td>The most strict setting when you allow all traffic by default. This setting is recommended, with the caveat that you will need to thoroughly test your authorization policies routes. 
<a href=https://tools.ietf.org/html/rfc3986#section-2.1>Percent-encoded</a> slash and backslash characters (<code>%2F</code>, <code>%2f</code>, <code>%5C</code> and <code>%5c</code>) are decoded to <code>/</code> or <code>\</code>, before the <code>MERGE_SLASHES</code> normalization.</td><td><code>/a%2fb</code> is normalized to <code>/a/b</code>.</td></tr></tbody></table><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg></div><div class=content>The configuration is specified via the <a href=/v1.12/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-ProxyPathNormalization><code>pathNormalization</code></a>
field in the the <a href=/v1.12/docs/reference/config/istio.mesh.v1alpha1/>mesh config</a>.</div></aside></div><p>To emphasize, the normalization algorithms are conducted in the following order:</p><ol><li>Percent-decode <code>%2F</code>, <code>%2f</code>, <code>%5C</code> and <code>%5c</code>.</li><li>The <a href=https://tools.ietf.org/html/rfc3986>RFC 3986</a> and other normalization implemented by the <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path><code>normalize_path</code></a> option in Envoy.</li><li>Merge slashes</li></ol><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-warning"/></svg></div><div class=content>While these normalization options represent recommendations from HTTP standards and common industry practices,
applications may interpret a URL in any way they choose. When using denial policies, ensure that you understand how your application behaves.</div></aside></div><p>For a complete list of supported normalizations, please refer to <a href=/v1.12/docs/reference/config/security/normalization/>authorization policy normalization</a>.</p><h4 id=examples-of-configuration>Examples of configuration</h4><p>Ensuring Envoy normalizes request paths to match your backend services&rsquo; expectation is critical to the security of your system.
The following examples can be used as reference for you to configure your system.
The normalized URL paths, or the original URL paths if <em>NONE</em> is selected, will be:</p><ol><li>Used to check against the authorization policies</li><li>Forwarded to the backend application</li></ol><table><thead><tr><th>Your application&mldr;</th><th>Choose&mldr;</th></tr></thead><tbody><tr><td>Relies on the proxy to do normalization</td><td><code>BASE</code>, <code>MERGE_SLASHES</code> or <code>DECODE_AND_MERGE_SLASHES</code></td></tr><tr><td>Normalizes request paths based on <a href=https://tools.ietf.org/html/rfc3986>RFC 3986</a> and does not merge slashes</td><td><code>BASE</code></td></tr><tr><td>Normalizes request paths based on <a href=https://tools.ietf.org/html/rfc3986>RFC 3986</a>, merges slashes but does not decode <a href=https://tools.ietf.org/html/rfc3986#section-2.1>percent-encoded</a> slashes</td><td><code>MERGE_SLASHES</code></td></tr><tr><td>Normalizes request paths based on <a href=https://tools.ietf.org/html/rfc3986>RFC 3986</a>, decodes <a href=https://tools.ietf.org/html/rfc3986#section-2.1>percent-encoded</a> slashes and merges slashes</td><td><code>DECODE_AND_MERGE_SLASHES</code></td></tr><tr><td>Processes request paths in a way that is incompatible with <a href=https://tools.ietf.org/html/rfc3986>RFC 3986</a></td><td><code>NONE</code></td></tr></tbody></table><h4 id=how-to-configure>How to configure</h4><p>You can use <code>istioctl</code> to update the <a href=/v1.12/docs/reference/config/istio.mesh.v1alpha1/>mesh config</a>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl upgrade --set meshConfig.pathNormalization.normalization=DECODE_AND_MERGE_SLASHES
</code></pre><p>or by altering your operator overrides file</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat &lt;&lt;EOF &gt; iop.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    # Strictest supported option: percent-decode %2F/%5C, apply the RFC 3986
    # normalization, then merge repeated slashes (see the table above).
    pathNormalization:
      normalization: DECODE_AND_MERGE_SLASHES
EOF
$ istioctl install -f iop.yaml
</code></pre><p>Alternatively, if you want to directly edit the mesh config,
you can add the <a href=/v1.12/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-ProxyPathNormalization><code>pathNormalization</code></a>
to the <a href=/v1.12/docs/reference/config/istio.mesh.v1alpha1/>mesh config</a>, which is stored in the <code>istio</code> configmap (or <code>istio-&lt;REVISION_ID></code> for a revisioned control plane) in the <code>istio-system</code> namespace. Be aware that a configmap edited by hand may be reverted the next time the installation is reconciled by <code>istioctl install</code> or the operator, so record the setting in your install configuration as well.
For example, if you choose the <code>DECODE_AND_MERGE_SLASHES</code> option, you modify the mesh config as the following:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: v1
data:
  mesh: |-
    ...
    # pathNormalization is nested inside the "mesh" block scalar, not at the
    # top level of the ConfigMap data.
    pathNormalization:
      normalization: DECODE_AND_MERGE_SLASHES
    ...
</code></pre><h3 id=mitigation-for-unsupported-normalization>Mitigation for unsupported normalization</h3><p>This section describes various mitigations for unsupported normalization. These could be useful when you need a specific
normalization that is not supported by Istio.</p><p>Please make sure you understand the mitigation thoroughly and use it carefully as some mitigations rely on things that are
outside the scope of Istio and are not supported by Istio.</p><h4 id=custom-normalization-logic>Custom normalization logic</h4><p>You can apply custom normalization logic using a WASM or Lua filter. It is recommended to use the WASM filter because
it&rsquo;s officially supported and also used by Istio. You could use the Lua filter for a quick proof-of-concept DEMO but we do
not recommend using the Lua filter in production because it is not supported by Istio.</p><h5 id=example-custom-normalization-case-normalization>Example custom normalization (case normalization)</h5><p>In some environments, it may be useful to have paths in authorization policies compared in a case insensitive manner.
For example, treating <code>https://myurl/get</code> and <code>https://myurl/GeT</code> as equivalent.</p><p>In those cases, the <code>EnvoyFilter</code> shown below can be used to insert a Lua filter to normalize the path to lower case.
This filter will change both the path used for comparison and the path presented to the application. Because the <code>:path</code> pseudo-header also carries the query string, query parameter names and values are lowercased as well; confirm that your application tolerates this before enabling the filter.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ingress-case-insensitive
  # NOTE(review): an EnvoyFilter in the root namespace applies to every
  # matching gateway; add a workloadSelector if only one gateway should get it.
  namespace: istio-system
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      # Gateway listeners only; sidecars are not patched.
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      # INSERT_FIRST puts this filter ahead of the rest of the HTTP filter chain,
      # so the lowercased :path is what the authorization policy compares
      # against and what the application receives.
      operation: INSERT_FIRST
      value:
        name: envoy.lua
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          inlineCode: |
            function envoy_on_request(request_handle)
              -- :path also carries the query string, so query parameter names
              -- and values are lowercased as well; confirm the backend tolerates this.
              local path = request_handle:headers():get(":path")
              request_handle:headers():replace(":path", string.lower(path))
            end
</code></pre><h4 id=writing-host-match-policies>Writing Host Match Policies</h4><p>Istio generates hostnames for both the hostname itself and all matching ports. For instance, a virtual service or Gateway
for a host of <code>example.com</code> generates a config matching <code>example.com</code> and <code>example.com:*</code>. However, exact match authorization
policies only match the exact string given for the <code>hosts</code> or <code>notHosts</code> fields.</p><p><a href=/v1.12/docs/reference/config/security/authorization-policy/#Rule>Authorization policy rules</a> matching hosts should be written using
prefix matches instead of exact matches. For example, for an <code>AuthorizationPolicy</code> matching the Envoy configuration generated
for a hostname of <code>example.com</code>, you would use <code>hosts: ["example.com", "example.com:*"]</code> as shown in the below <code>AuthorizationPolicy</code>.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-host
  namespace: istio-system
spec:
  # Enforced on the ingress gateway, where the Host header is meaningful.
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  - to:
    - operation:
        # Both forms are needed: an exact "example.com" match does not cover the
        # "example.com:<port>" variant that Istio also generates for the host.
        hosts: ["example.com", "example.com:*"]
</code></pre><p>Additionally, the <code>hosts</code> and <code>notHosts</code> fields should generally only be used on gateways for external traffic entering the mesh
and not on sidecars for traffic within the mesh. This is because the sidecar on the server side (where the authorization policy is enforced)
does not use the <code>Host</code> header when redirecting the request to the application. This makes <code>hosts</code> and <code>notHosts</code> meaningless
on a sidecar, because a client could reach the application using an explicit IP address and an arbitrary <code>Host</code> header instead of
the service name.</p><p>If you really need to enforce access control based on the <code>Host</code> header on sidecars for any reason, follow the <a href=/v1.12/docs/ops/best-practices/security/#use-default-deny-patterns>default-deny patterns</a>
which would reject the request if the client uses an arbitrary <code>Host</code> header.</p><h4 id=specialized-web-application-firewall-waf>Specialized Web Application Firewall (WAF)</h4><p>Many specialized Web Application Firewall (WAF) products provide additional normalization options. They can be deployed in
front of the Istio ingress gateway to normalize requests entering the mesh. The authorization policy will then be enforced
on the normalized requests. Please refer to your specific WAF product for configuring the normalization options.</p><h4 id=feature-request-to-istio>Feature request to Istio</h4><p>If you believe Istio should officially support a specific normalization, you can follow the <a href=/v1.12/docs/releases/security-vulnerabilities/#reporting-a-vulnerability>reporting a vulnerability</a>
page to send a feature request about the specific normalization to the Istio Product Security Work Group for initial evaluation.</p><p>Please do not open any issues in public without first contacting the Istio Product Security Work Group because the
issue might be considered a security vulnerability that needs to be fixed in private.</p><p>If the Istio Product Security Work Group evaluates the feature request as not a security vulnerability, an issue will
be opened in public for further discussions of the feature request.</p><h3 id=known-limitations>Known limitations</h3><p>This section lists known limitations of the authorization policy.</p><h4 id=server-first-tcp-protocols-are-not-supported>Server-first TCP protocols are not supported</h4><p>Server-first TCP protocols mean the server application will send the first bytes right after accepting the TCP connection
before receiving any data from the client.</p><p>Currently, the authorization policy only supports enforcing access control on inbound traffic and not the outbound traffic.</p><p>It also does not support server-first TCP protocols because the first bytes are sent by the server application even before
it received any data from the client. In this case, the initial first bytes sent by the server are returned to the client
directly without going through the access control check of the authorization policy.</p><p>You should not use the authorization policy if the first bytes sent by the server-first TCP protocols include any sensitive
data that need to be protected by proper authorization.</p><p>You could still use the authorization policy in this case if the first bytes do not include any sensitive data, for example,
the first bytes are used for negotiating the connection with data that are publicly accessible to any clients. The authorization
policy will work as usual for the following requests sent by the client after the first bytes.</p><h2 id=understand-traffic-capture-limitations>Understand traffic capture limitations</h2><p>The Istio sidecar works by capturing both inbound traffic and outbound traffic and directing them through the sidecar proxy.</p><p>However, not <em>all</em> traffic is captured:</p><ul><li>Redirection only handles TCP based traffic. Any UDP or ICMP packets will not be captured or modified.</li><li>Inbound capture is disabled on many <a href=/v1.12/docs/ops/deployment/requirements/#ports-used-by-istio>ports used by the sidecar</a> as well as port 22. This list can be expanded by options like <code>traffic.sidecar.istio.io/excludeInboundPorts</code>.</li><li>Outbound capture may similarly be reduced through settings like <code>traffic.sidecar.istio.io/excludeOutboundPorts</code> or other means.</li></ul><p>In general, there is minimal security boundary between an application and its sidecar proxy. Configuration of the sidecar is allowed on a per-pod basis, and both run in the same network/process namespace.
As such, the application may have the ability to remove redirection rules and remove, alter, terminate, or replace the sidecar proxy.
This allows a pod to intentionally bypass its sidecar for outbound traffic or intentionally allow inbound traffic to bypass its sidecar.</p><p>As a result, it is not secure to rely on all traffic being captured unconditionally by Istio.
Instead, the security boundary is that a client may not bypass <em>another</em> pod&rsquo;s sidecar.</p><p>For example, if I run the <code>reviews</code> application on port <code>9080</code>, I can assume that all traffic from the <code>productpage</code> application will be captured by the <code>reviews</code> pod&rsquo;s sidecar proxy,
where Istio authentication and authorization policies may apply.</p><h3 id=defense-in-depth-with-networkpolicy>Defense in depth with <code>NetworkPolicy</code></h3><p>To further secure traffic, Istio policies can be layered with Kubernetes <a href=https://kubernetes.io/docs/concepts/services-networking/network-policies/>Network Policies</a>.
This enables a strong <a href=https://en.wikipedia.org/wiki/Defense_in_depth_(computing)>defense in depth</a> strategy that can be used to further strengthen the security of your mesh.</p><p>For example, you may choose to only allow traffic to port <code>9080</code> of the <code>reviews</code> application.
In the event of a compromised pod or a security vulnerability in the cluster, this may limit or stop an attacker&rsquo;s progress.</p><p>Depending on the actual implementation, changes to network policy may not affect existing connections in the Istio proxies.
You may need to restart the Istio proxies after applying the policy so that existing connections will be closed and
new connections will be subject to the new policy.</p><h3 id=securing-egress-traffic>Securing egress traffic</h3><p>A common misconception is that options like <a href=/v1.12/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services><code>outboundTrafficPolicy: REGISTRY_ONLY</code></a> act as a security policy preventing all access to undeclared services.
However, as mentioned above, this is not a strong security boundary and should be considered best-effort.</p><p>While this is useful to prevent accidental dependencies, if you want to secure egress traffic and enforce that all outbound traffic goes through a proxy, you should instead rely on an <a href=/v1.12/docs/tasks/traffic-management/egress/egress-gateway/>Egress Gateway</a>.
When combined with a <a href=/v1.12/docs/tasks/traffic-management/egress/egress-gateway/#apply-kubernetes-network-policies>Network Policy</a>, you can enforce that all traffic, or some subset, goes through the egress gateway.
This ensures that even if a client accidentally or maliciously bypasses their sidecar, the request will be blocked.</p><h2 id=configure-tls-verification-in-destination-rule-when-using-tls-origination>Configure TLS verification in Destination Rule when using TLS origination</h2><p>Istio offers the ability to <a href=/v1.12/docs/tasks/traffic-management/egress/egress-tls-origination/>originate TLS</a> from a sidecar proxy or gateway.
This enables applications that send plaintext HTTP traffic to be transparently &ldquo;upgraded&rdquo; to HTTPS.</p><p>Care must be taken when configuring the <code>DestinationRule</code>&rsquo;s <code>tls</code> setting to specify the <code>caCertificates</code>, <code>subjectAltNames</code>, and <code>sni</code> fields.
The <code>caCertificates</code> field can be set automatically from the CA certificates in the system&rsquo;s certificate store by setting the environment variable <code>VERIFY_CERTIFICATE_AT_CLIENT=true</code> on Istiod.
If the Operating System CA certificate should be used only for select host(s), keep the environment variable <code>VERIFY_CERTIFICATE_AT_CLIENT=false</code> on Istiod and set <code>caCertificates</code> to <code>system</code> in the desired <code>DestinationRule</code>(s).
Specifying the <code>caCertificates</code> in a <code>DestinationRule</code> will take priority and the OS CA Cert will not be used.
By default, egress traffic does not send SNI during the TLS handshake.
SNI must be set in the <code>DestinationRule</code> to ensure the host properly handles the request.</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-warning"/></svg></div><div class=content><p>In order to verify the server&rsquo;s certificate it is important that both <code>caCertificates</code> and <code>subjectAltNames</code> be set.</p><p>Verification of the certificate presented by the server against a CA is not sufficient, as the Subject Alternative Names must also be validated.</p><p>If <code>VERIFY_CERTIFICATE_AT_CLIENT</code> is set, but <code>subjectAltNames</code> is not set, then you are not verifying all credentials.</p><p>If no CA certificate is being used, <code>subjectAltNames</code> will not be checked, regardless of whether it is set.</p></div></aside></div><p>For example:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: google-tls
spec:
host: google.com
trafficPolicy:
tls:
mode: SIMPLE
caCertificates: /etc/ssl/certs/ca-certificates.crt
subjectAltNames:
- &#34;google.com&#34;
sni: &#34;google.com&#34;
</code></pre><h2 id=gateways>Gateways</h2><p>When running an Istio <a href=/v1.12/docs/tasks/traffic-management/ingress/>gateway</a>, there are a few resources involved:</p><ul><li><code>Gateway</code>s, which controls the ports and TLS settings for the gateway.</li><li><code>VirtualService</code>s, which control the routing logic. These are associated with <code>Gateway</code>s by direct reference in the <code>gateways</code> field and a mutual agreement on the <code>hosts</code> field in the <code>Gateway</code> and <code>VirtualService</code>.</li></ul><h3 id=restrict-gateway-creation-privileges>Restrict <code>Gateway</code> creation privileges</h3><p>It is recommended to restrict creation of Gateway resources to trusted cluster administrators. This can be achieved by <a href=https://kubernetes.io/docs/reference/access-authn-authz/rbac/>Kubernetes RBAC policies</a> or tools like <a href=https://www.openpolicyagent.org/>Open Policy Agent</a>.</p><h3 id=avoid-overly-broad-hosts-configurations>Avoid overly broad <code>hosts</code> configurations</h3><p>When possible, avoid overly broad <code>hosts</code> settings in <code>Gateway</code>.</p><p>For example, this configuration will allow any <code>VirtualService</code> to bind to the <code>Gateway</code>, potentially exposing unexpected domains:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- &#34;*&#34;
</code></pre><p>This should be locked down to allow only specific domains or specific namespaces:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- &#34;foo.example.com&#34; # Allow only VirtualServices that are for foo.example.com
- &#34;default/bar.example.com&#34; # Allow only VirtualServices in the default namespace that are for bar.example.com
- &#34;route-namespace/*&#34; # Allow only VirtualServices in the route-namespace namespace for any host
</code></pre><h3 id=isolate-sensitive-services>Isolate sensitive services</h3><p>It may be desired to enforce stricter physical isolation for sensitive services. For example, you may want to run a
<a href=/v1.12/docs/setup/install/istioctl/#configure-gateways>dedicated gateway instance</a> for a sensitive <code>payments.example.com</code>, while utilizing a single
shared gateway instance for less sensitive domains like <code>blog.example.com</code> and <code>store.example.com</code>.
This can offer a stronger defense-in-depth and help meet certain regulatory compliance guidelines.</p><h3 id=explicitly-disable-all-the-sensitive-http-host-under-relaxed-sni-host-matching>Explicitly disable all sensitive HTTP hosts under relaxed SNI host matching</h3><p>It is reasonable to use multiple <code>Gateway</code>s to define mutual TLS and simple TLS on different hosts.
For example, use mutual TLS for SNI host <code>admin.example.com</code> and simple TLS for SNI host <code>*.example.com</code>.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>kind: Gateway
metadata:
name: guestgateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- &#34;*.example.com&#34;
tls:
mode: SIMPLE
---
kind: Gateway
metadata:
name: admingateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- admin.example.com
tls:
mode: MUTUAL
</code></pre><p>If the above is necessary, it&rsquo;s highly recommended to explicitly disable the HTTP host <code>admin.example.com</code> in the <code>VirtualService</code> that attaches to <code>*.example.com</code>. The reason is that currently the underlying <a href=https://github.com/envoyproxy/envoy/issues/6767>envoy proxy does not require</a> the HTTP/1 <code>Host</code> header or the HTTP/2 <code>:authority</code> pseudo-header to match the SNI, so an attacker can reuse the guest-SNI (simple TLS) connection to reach the admin <code>VirtualService</code>, bypassing the mutual TLS requirement of the admin gateway. The HTTP response code 421 is designed for this <code>Host</code>/SNI mismatch and can be used to implement the block.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: disable-sensitive
spec:
hosts:
- &#34;admin.example.com&#34;
gateways:
- guestgateway
http:
- match:
- uri:
prefix: /
fault:
abort:
percentage:
value: 100
httpStatus: 421
route:
- destination:
port:
number: 8000
host: dest.default.cluster.local
</code></pre><h2 id=protocol-detection>Protocol detection</h2><p>Istio will <a href=/v1.12/docs/ops/configuration/traffic-management/protocol-selection/#automatic-protocol-selection>automatically determine the protocol</a> of traffic it sees.
To avoid accidental or intentional misdetection, which may result in unexpected traffic behavior, it is recommended to <a href=/v1.12/docs/ops/configuration/traffic-management/protocol-selection/#explicit-protocol-selection>explicitly declare the protocol</a> where possible.</p><h2 id=cni>CNI</h2><p>In order to transparently capture all traffic, Istio relies on <code>iptables</code> rules configured by the <code>istio-init</code> <code>initContainer</code>.
This adds a <a href=/v1.12/docs/ops/deployment/requirements/>requirement</a> for the <code>NET_ADMIN</code> and <code>NET_RAW</code> <a href=https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container>capabilities</a> to be available to the pod.</p><p>To reduce privileges granted to pods, Istio offers a <a href=/v1.12/docs/setup/additional-setup/cni/>CNI plugin</a> which removes this requirement.</p><h2 id=use-hardened-docker-images>Use hardened docker images</h2><p>Istio&rsquo;s default docker images, including those run by the control plane, gateway, and sidecar proxies, are based on <code>ubuntu</code>.
This provides various tools such as <code>bash</code> and <code>curl</code>, which provides convenience at the cost of an increased attack surface.</p><p>Istio also offers a smaller image based on <a href=/v1.12/docs/ops/configuration/security/harden-docker-images/>distroless images</a> that reduces the dependencies in the image.</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-warning"/></svg></div><div class=content>Distroless images are currently an alpha feature.</div></aside></div><h2 id=release-and-security-policy>Release and security policy</h2><p>In order to ensure your cluster has the latest security patches for known vulnerabilities, it is important to stay on the latest patch release of Istio and ensure that you are on a <a href=/v1.12/docs/releases/supported-releases>supported release</a> that is still receiving security patches.</p><h2 id=detect-invalid-configurations>Detect invalid configurations</h2><p>While Istio provides validation of resources when they are created, these checks cannot catch all issues that prevent configuration from being distributed in the mesh.
This could result in applying a policy that is unexpectedly ignored, leading to unexpected results.</p><ul><li>Run <code>istioctl analyze</code> before or after applying configuration to ensure it is valid.</li><li>Monitor the control plane for rejected configurations. These are exposed by the <code>pilot_total_xds_rejects</code> metric, in addition to logs.</li><li>Test your configuration to ensure it gives the expected results.
For a security policy, it is useful to run positive and negative tests to ensure you do not accidentally restrict too much or too little traffic.</li></ul><h2 id=avoid-alpha-and-experimental-features>Avoid alpha and experimental features</h2><p>All Istio features and APIs are assigned a <a href=/v1.12/docs/releases/feature-stages/>feature status</a>, defining their stability, deprecation policy, and security policy.</p><p>Because alpha and experimental features do not have equally strong security guarantees, it is recommended to avoid them whenever possible.
Security issues found in these features may not be fixed immediately or may otherwise not follow our standard <a href=/v1.12/docs/releases/security-vulnerabilities/>security vulnerability</a> process.</p><p>To determine the feature status of features in use in your cluster, consult the <a href=/v1.12/docs/releases/feature-stages/#istio-features>Istio features</a> list.</p><h2 id=lock-down-ports>Lock down ports</h2><p>Istio configures a <a href=/v1.12/docs/ops/deployment/requirements/#ports-used-by-istio>variety of ports</a> that may be locked down to improve security.</p><h3 id=control-plane>Control Plane</h3><p>Istiod exposes a few unauthenticated plaintext ports for convenience by default. If desired, these can be closed:</p><ul><li>Port <code>8080</code> exposes the debug interface, which offers read access to a variety of details about the cluster&rsquo;s state.
This can be disabled by setting the environment variable <code>ENABLE_DEBUG_ON_HTTP=false</code> on Istiod. Warning: many <code>istioctl</code> commands
depend on this interface and will not function if it is disabled.</li><li>Port <code>15010</code> exposes the XDS service over plaintext. This can be disabled by adding the <code>--grpcAddr=""</code> flag to the Istiod Deployment.
Note: highly sensitive services, such as the certificate signing and distribution services, are never served over plaintext.</li></ul><h3 id=data-plane>Data Plane</h3><p>The proxy exposes a variety of ports. Exposed externally are port <code>15090</code> (telemetry) and port <code>15021</code> (health check).
Ports <code>15020</code> and <code>15000</code> provide debugging endpoints. These are exposed over <code>localhost</code> only.
As a result, the applications running in the same pod as the proxy have access; there is no trust boundary between the sidecar and application.</p><h2 id=configure-third-party-service-account-tokens>Configure third party service account tokens</h2><p>To authenticate with the Istio control plane, the Istio proxy will use a Service Account token. Kubernetes supports two forms of these tokens:</p><ul><li>Third party tokens, which have a scoped audience and expiration.</li><li>First party tokens, which have no expiration and are mounted into all pods.</li></ul><p>Because the properties of the first party token are less secure, Istio will default to using third party tokens. However, this feature is not enabled on all Kubernetes platforms.</p><p>If you are using <code>istioctl</code> to install, support will be automatically detected. This can be done manually as well, and configured by passing <code>--set values.global.jwtPolicy=third-party-jwt</code> or <code>--set values.global.jwtPolicy=first-party-jwt</code>.</p><p>To determine if your cluster supports third party tokens, look for the <code>TokenRequest</code> API. If this returns no response, then the feature is not supported:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get --raw /api/v1 | jq &#39;.resources[] | select(.name | index(&#34;serviceaccounts/token&#34;))&#39;
{
&#34;name&#34;: &#34;serviceaccounts/token&#34;,
&#34;singularName&#34;: &#34;&#34;,
&#34;namespaced&#34;: true,
&#34;group&#34;: &#34;authentication.k8s.io&#34;,
&#34;version&#34;: &#34;v1&#34;,
&#34;kind&#34;: &#34;TokenRequest&#34;,
&#34;verbs&#34;: [
&#34;create&#34;
]
}
</code></pre><p>While most cloud providers support this feature now, many local development tools and custom installations may not have prior to Kubernetes 1.20. To enable this feature, please refer to the <a href=https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection>Kubernetes documentation</a>.</p><h2 id=configure-a-limit-on-downstream-connections>Configure a limit on downstream connections</h2><p>By default, Istio (and Envoy) have no limit on the number of downstream connections. This can be exploited by a malicious actor (see <a href=/v1.12/news/security/istio-security-2020-007/>security bulletin 2020-007</a>). To work around this, you must configure an appropriate connection limit for your environment.</p><ol><li><p>Create a config map by downloading <a href=/v1.12/news/security/istio-security-2020-007/custom-bootstrap-runtime.yaml>custom-bootstrap-runtime.yaml</a>. Update <code>global_downstream_max_connections</code> in the config map according to the number of concurrent connections needed by individual gateway instances in your deployment. Once the limit is reached, Envoy will start rejecting TCP connections.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n istio-system apply -f custom-bootstrap-runtime.yaml
</code></pre></li><li><p>Patch the ingress gateway deployment to use the above configuration. Download <a href=/v1.12/news/security/istio-security-2020-007/gateway-patch.yaml>gateway-patch.yaml</a> and apply it using the following command.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl --namespace istio-system patch deployment istio-ingressgateway --patch &#34;$(cat gateway-patch.yaml)&#34;
</code></pre></li><li><p>Confirm that the new limits are in place.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ ISTIO_INGRESS_PODNAME=$(kubectl get pods -l app=istio-ingressgateway -n istio-system -o jsonpath=&#34;{.items[0].metadata.name}&#34;)
$ kubectl --namespace istio-system exec -i -t &#34;${ISTIO_INGRESS_PODNAME}&#34; -c istio-proxy -- curl -sS http://localhost:15000/runtime
{
&#34;entries&#34;: {
&#34;overload.global_downstream_max_connections&#34;: {
&#34;layer_values&#34;: [
&#34;&#34;,
&#34;250000&#34;,
&#34;&#34;
],
&#34;final_value&#34;: &#34;250000&#34;
}
},
&#34;layers&#34;: [
&#34;static_layer_0&#34;,
&#34;admin&#34;
]
}
</code></pre></li></ol></article></div></main></body></html>