| title | overview | order | layout | type |
|---|---|---|---|---|
| FAQ | Common issues, known limitations and workarounds, and other frequently asked questions on this topic. | 100 | docs | markdown |
{% include home.html %}
- How can I enable/disable mTLS encryption after I installed Istio?

  The most straightforward way to enable/disable mTLS is by entirely uninstalling and re-installing Istio.

  If you are an advanced user and understand the risks, you can also do the following:

  Run `kubectl edit configmap -n istio-system istio`, comment out or uncomment `authPolicy: MUTUAL_TLS` to toggle mTLS, and then run `kubectl delete pods -n istio-system -l istio=pilot` to restart Pilot. After a few seconds (depending on your `*RefreshDelay`) your Envoy proxies will have picked up the change from Pilot. During that time your services may be unavailable.

  We are working on a smoother solution.
- Can a service with Istio Auth enabled communicate with a service without Istio?

  This is not supported currently, but will be in the near future.
- Can I enable Istio Auth for some services while disabling it for others in the same cluster?

  This is not supported currently, but will be in the near future.
- How can I use Kubernetes liveness and readiness for service health check with Istio Auth enabled?

  If Istio Auth is enabled, HTTP and TCP health checks from the kubelet will not work, since the kubelet does not have Istio Auth issued certs. A workaround is to use the command option for the health check, e.g., one can install curl in the service pod and curl itself within the pod. The Istio team is actively working on a solution.
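
The workaround above written out as a pod spec. This is an added illustration, not taken from the Istio documentation: the pod name, image, port 8080 and the `/healthz` path are assumptions, the image must ship `curl`, and the application is assumed to listen on the loopback address.

```yaml
# Added example: every name, port and path below is an assumption.
apiVersion: v1
kind: Pod
metadata:
  name: myapp                        # hypothetical pod name
spec:
  containers:
  - name: myapp
    image: example.com/myapp:1.0     # hypothetical image; must contain curl
    ports:
    - containerPort: 8080            # assumed application port

    # Before: the kubelet sends the request itself. With Istio Auth enabled
    # this probe fails, because the kubelet holds no Istio-issued certificate.
    # livenessProbe:
    #   httpGet:
    #     path: /healthz
    #     port: 8080

    # After: the kubelet executes the command inside the container, so the
    # request starts within the pod. curl exits non-zero on an HTTP error
    # status (-f) or when the time limit is reached (--max-time), which the
    # kubelet treats as a failed probe.
    livenessProbe:
      exec:
        command:
        - curl
        - -f
        - -s
        - -o
        - /dev/null
        - --max-time
        - "3"
        - http://127.0.0.1:8080/healthz
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 5              # longer than curl's own --max-time

    readinessProbe:
      exec:
        command: ["curl", "-f", "-s", "-o", "/dev/null", "--max-time", "3",
                  "http://127.0.0.1:8080/healthz"]
      periodSeconds: 5
      timeoutSeconds: 5
```
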
- Can I access the Kubernetes API Server with Auth enabled?

  The Kubernetes API server does not support mutual TLS authentication. Hence, when Istio mTLS authentication is enabled, it is currently not possible to communicate from a pod with an Istio sidecar to the Kubernetes API server.