istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/index.md

3.2 KiB
Raw Blame History

title description weight keywords aliases owner test
Istio Workload Minimum TLS Version Configuration Shows how to configure the minimum TLS version for Istio workloads. 90
security
TLS
/docs/tasks/security/workload-min-tls-version/
istio/wg-security-maintainers yes

This task shows how to configure the minimum TLS version for Istio workloads. The maximum TLS version for Istio workloads is 1.3.

Configuration of minimum TLS version for Istio workloads

  • Install Istio through istioctl with the minimum TLS version configured. The IstioOperator custom resource used to configure Istio in the istioctl install command contains a field for the minimum TLS version for Istio workloads. The minProtocolVersion field specifies the minimum TLS version for the TLS connections among Istio workloads. In the following example, the minimum TLS version for Istio workloads is configured to be 1.3.

    {{< text bash >}} $ cat < ./istio.yaml apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: meshConfig: meshMTLS: minProtocolVersion: TLSV1_3 EOF $ istioctl install -f ./istio.yaml {{< /text >}}

Check the TLS configuration of Istio workloads

After configuring the minimum TLS version of Istio workloads, you can verify that the minimum TLS version was configured and works as expected.

  • Deploy two workloads: httpbin and sleep. Deploy these into a single namespace, for example foo. Both workloads run with an Envoy proxy in front of each.

    {{< text bash >}} $ kubectl create ns foo $ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n foo $ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@) -n foo {{< /text >}}

  • Verify that sleep successfully communicates with httpbin using this command:

    {{< text bash >}} kubectl exec "(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl http://httpbin.foo:8000/ip -sS -o /dev/null -w "%{http_code}\n" 200 {{< /text >}}

{{< warning >}} If you dont see the expected output, retry after a few seconds. Caching and propagation can cause a delay. {{< /warning >}}

In the example, the minimum TLS version was configured to be 1.3. To check that TLS 1.3 is allowed, you can run the following command:

{{< text bash >}} kubectl exec "(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c istio-proxy -n foo -- openssl s_client -alpn istio -tls1_3 -connect httpbin.foo:8000 | grep "TLSv1.3" {{< /text >}}

The text output should include:

{{< text plain >}} TLSv1.3 {{< /text >}}

To check that TLS 1.2 is not allowed, you can run the following command:

{{< text bash >}} kubectl exec "(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c istio-proxy -n foo -- openssl s_client -alpn istio -tls1_2 -connect httpbin.foo:8000 | grep "Cipher is (NONE)" {{< /text >}}

The text output should include:

{{< text plain >}} Cipher is (NONE) {{< /text >}}

Cleanup

To remove the foo and istio-system namespaces:

{{< text bash >}} $ kubectl delete ns foo istio-system {{< /text >}}