mirror of https://github.com/istio/istio.io.git
69 lines
2.3 KiB
Markdown
69 lines
2.3 KiB
Markdown
---
|
|
title: FAQ
|
|
overview: Common issues, known limitations and work arounds, and other frequently asked questions on this topic.
|
|
|
|
order: 100
|
|
|
|
layout: docs
|
|
type: markdown
|
|
---
|
|
{% include home.html %}
|
|
|
|
* _How can I enable/disable mTLS encryption after I installed Istio?_
|
|
|
|
The most straightforward way to enable/disable mTLS is by entirely
|
|
uninstalling and re-installing Istio.
|
|
|
|
If you are an advanced user and understand the risks you can also do the following:
|
|
```
|
|
kubectl edit configmap -n istio-system istio
|
|
```
|
|
comment out or uncomment out `authPolicy: MUTUAL_TLS` to toggle mTLS and then
|
|
```
|
|
kubectl delete pods -n istio-system -l istio=pilot
|
|
```
|
|
to restart Pilot, after a few seconds (depending on your `*RefreshDelay`) your
|
|
Envoy proxies will have picked up the change from Pilot. During that time your
|
|
services may be unavailable.
|
|
|
|
We are working on a smoother solution.
|
|
|
|
* _Can a service with Istio Auth enabled communicate with a service without
|
|
Istio?_
|
|
|
|
This is not supported currently, but will be in the near future.
|
|
|
|
* _Can I enable Istio Auth with some services while disable others in the
|
|
same cluster?_
|
|
|
|
This is not supported currently, but will be in the near future.
|
|
|
|
* _How can I use Kubernetes liveness and readiness for service health check
|
|
with Istio Auth enabled?_
|
|
|
|
If Istio Auth is enabled, http and tcp health check from kubelet will not
|
|
work since they do not have Istio Auth issued certs. A workaround is to
|
|
use a [liveness command](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#define-a-liveness-command)
|
|
for health check, e.g., one can install curl in the service pod and curl itself
|
|
within the pod. The Istio team is actively working on a solution.
|
|
|
|
An example of readinessProbe:
|
|
|
|
```
|
|
livenessProbe:
|
|
exec:
|
|
command:
|
|
- curl
|
|
- -f
|
|
- http://localhost:8080/healthz # Replace port and URI by your actual health check
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 5
|
|
```
|
|
|
|
* _Can I access the Kubernetes API Server with Auth enabled?_
|
|
|
|
The Kubernetes API server does not support mutual TLS
|
|
authentication. Hence, when Istio mTLS authentication is enabled, it is
|
|
currently not possible to communicate from a pod with Istio sidecar to
|
|
the Kubernetes API server.
|