istio.io/content/help/faq/security/auth-mix-and-match.md


---
title: Can I enable Istio Auth with some services while disabling others in the same cluster?
weight: 30
---

Starting with Istio 0.8, you can use authentication policy to enable (or disable) mutual TLS per service. For example, the policy below disables mutual TLS on port 9080 for the `details` service:

```bash
cat <<EOF | istioctl create -f -
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "example"
spec:
  targets:
  - name: details
    ports:
    - number: 9080
  # No peer authentication method is listed, so mutual TLS is not used for this target.
  peers:
EOF
```

For older versions of Istio (but newer than 0.3), you can use service-level annotations to disable (or enable) Istio Auth for a particular service and port pair. The annotation key should be `auth.istio.io/{port_number}`, and the value should be `NONE` (to disable) or `MUTUAL_TLS` (to enable).

Example: disable Istio Auth on port 9080 for service details.

```yaml
kind: Service
metadata:
  name: details
  labels:
    app: details
  annotations:
    auth.istio.io/9080: NONE
```
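
An added example, not part of the Istio documentation: a Python audit over `kubectl get services -o json` output that lists the ports where the annotation described above sets Istio Auth to `NONE`, and flags annotations that do not match the documented key format and values. The function names and sample data are constructed for illustration, and treating an annotation for a port the Service does not declare as a problem is this example's own assumption.

```python
import json
import re

# Key format and values are the ones named above: auth.istio.io/{port_number},
# NONE or MUTUAL_TLS. Everything else here is this example's own naming.
KEY_RE = re.compile(r"^auth\.istio\.io/(\d+)$")
VALID_MODES = {"NONE", "MUTUAL_TLS"}

def audit_auth_annotations(service_list):
    """Split Istio Auth annotations into valid overrides and entries to review."""
    overrides, problems = [], []
    for svc in service_list.get("items", []):
        meta = svc.get("metadata", {})
        ns, name = meta.get("namespace", "default"), meta.get("name", "")
        declared = {p.get("port") for p in svc.get("spec", {}).get("ports", [])}
        for key, value in (meta.get("annotations") or {}).items():
            if not key.startswith("auth.istio.io/"):
                continue
            m = KEY_RE.match(key)
            if not m:
                problems.append((ns, name, key, "port is not a number"))
            elif value not in VALID_MODES:
                problems.append((ns, name, key, f"value {value!r} is not NONE or MUTUAL_TLS"))
            elif int(m.group(1)) not in declared:
                # Assumption of this example: such an override is most likely a typo.
                problems.append((ns, name, key, "port not declared by the Service"))
            else:
                overrides.append((ns, name, int(m.group(1)), value))
    return overrides, problems

def plaintext_ports(service_list):
    """(namespace, service, port) tuples where Istio Auth is set to NONE."""
    return [o[:3] for o in audit_auth_annotations(service_list)[0] if o[3] == "NONE"]

# Constructed sample in the shape of `kubectl get services -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "details", "namespace": "default",
                "annotations": {"auth.istio.io/9080": "NONE"}},
   "spec": {"ports": [{"port": 9080}]}},
  {"metadata": {"name": "reviews", "namespace": "default",
                "annotations": {"auth.istio.io/9080": "MUTUAL_TLS"}},
   "spec": {"ports": [{"port": 9080}]}},
  {"metadata": {"name": "ratings", "namespace": "default",
                "annotations": {"auth.istio.io/8080": "NONE", "auth.istio.io/9080": "none"}},
   "spec": {"ports": [{"port": 9080}]}}
]}
""")
```

Running `plaintext_ports` over the real Service list gives the set of per-port exceptions to review against what was intended.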