
Turning the mTLS mode to STRICT in Istio gives this error: msg="Error performing http GET at http://172.xx.xx.xx:xxxx read: connection reset by peer", but turning the mTLS mode to PERMISSIVE works fine.

Is there a solution so that the error can be resolved in STRICT mode?

Sample of PeerAuthentication:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: "default"
spec:
  mtls:
    mode: STRICT
kr_devops
  • The communication is taking place between which parts? from one pod to another? can you elaborate a bit on your use case and add some more details about what are you trying to do? – pkaramol Feb 01 '22 at 17:21
  • Yes, the communication is between pods. A cronjob pod communicates with application pod – kr_devops Feb 02 '22 at 05:17
  • do both pods have istio sidecar injected? – pkaramol Feb 02 '22 at 06:56
  • Only the application pod has sidecar injected. – kr_devops Feb 02 '22 at 07:16
  • 1
    if you enable strict `mtls` all communicating parties must have sidecars – pkaramol Feb 02 '22 at 10:27
  • Okay, the cronjob manifest yaml has istio-injection set to false. I guess earlier when cronjob pod had sidecar injected, there was same connection reset by peer error. So any idea how this can be resolved? – kr_devops Feb 02 '22 at 11:19

1 Answer


To resolve, ensure that istio-injection is turned on for all pods that are trying to communicate with each other so that they have the istio sidecar proxy running. This is because when the Istio Envoy proxies talk with each other they will automatically encrypt their communication. An Istio sidecar proxy will reject traffic if it doesn't come from another Istio sidecar that it trusts.

Alternatively, you could lower the security by changing your mutual TLS setting in your PeerAuthentication to PERMISSIVE.

Seafish