istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/content/help/faq/security/auth-mix-and-match.md

1.1 KiB
Raw Blame History

title weight
Can I enable Istio Auth with some services while disable others in the same cluster? 30

Starting with Istio 0.8, you can use authentication policy to enable (or disable) mutual TLS per service. For example, the policy below will disable mutual TLS on port 9080 for service details

{{< text bash >}} $ cat <<EOF | istioctl create -f - apiVersion: "authentication.istio.io/v1alpha1" kind: "Policy" metadata: name: "example" spec: targets:

  • name: details ports:
    • number: 9080 peers: EOF {{< /text >}}

For older versions of Istio (but newer than 0.3), you can use service-level annotations to disable (or enable) Istio Auth for a particular service and port pair. The annotation key should be auth.istio.io/{port_number}, and the value should be NONE (to disable), or MUTUAL_TLS (to enable).

For example:

{{< text yaml >}} kind: Service metadata: name: details labels: app: details annotations: auth.istio.io/9080: NONE {{< /text >}}

The above disables Istio Auth on port 9080 for service details.