# Istio mTLS Auto-detection Explained (Smartness Explained)

- Introduction
- Environment details
- Scenario 1, no sidecars on either side
- Scenario 2, non-injected client to injected and non-injected services
- Why is Istio/Envoy allowing plain text?
- Enable STRICT mode
- STRICT mode filter chains
- FilterChain matching
- ALPN
- How the client sidecar adds Istio-defined ALPNs in the TLS ClientHello message
- HTTP traffic
- TCP traffic
- Switch back to PERMISSIVE mode
- PERMISSIVE mode filter chains
- Scenario 3, i.e. injected client talking to injected and non-injected servers
- Injected client to injected server
- Injected client to non-injected server
- Summary
- Understanding Istio's Secure Naming
- Certificates
- Istio Mutual TLS Authentication Example
- What all happens at the data path?
- DNS Resolution
- mTLS Handshake with resolved address
- DNS Spoofing
- Secure Naming to the rescue
- What about SAN validation for non-mesh services
- Summary