Ambient: Document that PeerAuthentication mTLS.Mode = DISABLE is a no… #14852
😊 Welcome! This is either your first contribution to the Istio documentation repo, or
Thanks for contributing! Courtesy of your friendly welcome wagon.
@@ -32,6 +32,7 @@ Sidecar traffic has a variety of associated connections. Let's break them down o | |||
By default, the sidecar will be configured to accept both mTLS and non-mTLS traffic, known as `PERMISSIVE` mode. | |||
The mode can alternatively be configured to `STRICT`, where traffic must be mTLS, or `DISABLE`, where traffic must be plaintext. | |||
The mTLS mode is configured using a [`PeerAuthentication` resource](/docs/reference/config/security/peer_authentication/). | |||
In ambient, you can still create `PeerAuthentication` policy at the mesh or namespace level that uses DISABLE, but it will be ignored. |
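Review bot: The added line says the policy "will be ignored" but does not state which mTLS mode ambient traffic then uses, so a reader who set DISABLE expecting plaintext cannot tell from this sentence what is actually enforced; say what the effective behaviour is. It also names only mesh and namespace level, so state whether a workload-level policy using DISABLE is treated the same way. On style, DISABLE should be written as `DISABLE` to match the `PERMISSIVE`, `STRICT` and `DISABLE` formatting in the context lines above, and "In ambient" would read better as "In ambient mode" since the surrounding text (per the hunk header, "Sidecar traffic has a variety of associated connections") is about sidecars.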
I expect this comment would likely be missed as it's about ambient mode and it's inside a Sidecars section. It might be better to include an ambient section that refers to the sidecar section and then has differences noted.
After I saw https://github.com/istio/istio.io/tree/master/content/en/docs/ambient/install, it seems like PeerAuthentication does not belong to the base installation in our official guide.
I think the user must know this feature when they try to open this for their cluster.
In that situation, he will search for mTLS-related configuration, so this part will not be missed.
I'll pull that into the new policy page I'm working on at the moment, so I'll close this. Thanks for raising it though as I would have missed it otherwise!
…-op in ambient
Description
resolve: #14789
clarify In ambient, you can still create `PeerAuthentication` policy at the mesh or namespace level that uses DISABLE, but it will be ignored.