# Mutual TLS Troubleshooting

If you suspect auto mTLS is not working as expected, please first read the documentation.

Auto mTLS has a known limitation with workload-level peer authentication. When workload-level peer authentication is used, you need to configure a corresponding destination rule so that the client sidecar sends mTLS or plaintext traffic correctly.

If you still think there's an issue, follow the instructions below for investigation.
- Get the client Envoy cluster configuration to ensure auto mTLS is configured. You should see `transportSocketMatches` configured for the given Envoy cluster.

```
$ istioctl proxy-config clusters ${POD}.foo -ojson | grep 'name.*outbound.*httpbin' -A130
"name": "outbound|8000||httpbin.default.svc.cluster.local",
...
"transportSocketMatches": [
  {
    "name": "tlsMode-istio",
    "match": {
      "tlsMode": "istio"
    },
    "transportSocket": {
      "name": "envoy.transport_sockets.tls",
      "typedConfig": {
        "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
        "commonTlsContext": ...
      }
    }
  },
  {
    "name": "tlsMode-disabled",
    "match": {},
    "transportSocket": {
      "name": "envoy.transport_sockets.raw_buffer"
    }
  }
```

- Check the destination pod to see if the destination endpoint has the label `tlsMode` equal to `istio`. For example, in the EDS response received by the sleep pod, we see that the httpbin pod endpoint has the `tlsMode` label.

```
$ IP=$(kubectl get pod -lapp=httpbin -o jsonpath="{.items[*].status.podIP}")
$ kubectl exec -it ${POD} -c istio-proxy -- curl 'localhost:15000/config_dump?include_eds=true' | grep ${IP} -A15 -B5
"endpoint": {
  "address": {
    "socket_address": {
      "address": "10.32.28.136",
      "port_value": 80
    }
...
"metadata": {
  "filter_metadata": {
    "envoy.transport_socket_match": {
      "tlsMode": "istio"
    }
  },
```

- Check the Envoy upstream debug log to confirm which transport socket configuration is being used. This requires changing the Envoy upstream log to debug level.

```
$ istioctl pc log ${POD} --level debug
$ kubectl logs -f ${POD} -c istio-proxy
2021-04-08T22:35:22.650478Z debug envoy upstream transport socket match, socket tlsMode-istio selected for host with address 10.32.28.136:80
```

The log line above indicates that the mTLS socket was selected for the connection to the corresponding host. Note that the connection may be created ahead of the actual request; if you don't see such a log line, try recreating the destination-side endpoint.
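The three checks above can be scripted against saved output rather than read by eye. The following is an added example, not part of the Istio wiki or the istioctl tool: it assumes the JSON array shape of `istioctl proxy-config clusters -ojson`, the endpoint entries of `config_dump?include_eds=true`, and the upstream debug log line format shown above; all sample data is constructed inline.

```python
import json
import re

# Constructed sample: two clusters in the shape of `istioctl proxy-config clusters -ojson`.
# The first has auto mTLS matches, the second is a plaintext-only cluster.
SAMPLE_CLUSTERS = json.loads("""[
 {"name": "outbound|8000||httpbin.default.svc.cluster.local",
  "transportSocketMatches": [
   {"name": "tlsMode-istio", "match": {"tlsMode": "istio"},
    "transportSocket": {"name": "envoy.transport_sockets.tls"}},
   {"name": "tlsMode-disabled", "match": {},
    "transportSocket": {"name": "envoy.transport_sockets.raw_buffer"}}]},
 {"name": "outbound|9000||legacy.default.svc.cluster.local",
  "transportSocket": {"name": "envoy.transport_sockets.raw_buffer"}}
]""")

# Constructed sample: EDS endpoint entries; only the first carries the tlsMode label.
SAMPLE_ENDPOINTS = json.loads("""[
 {"endpoint": {"address": {"socket_address": {"address": "10.32.28.136", "port_value": 80}}},
  "metadata": {"filter_metadata": {"envoy.transport_socket_match": {"tlsMode": "istio"}}}},
 {"endpoint": {"address": {"socket_address": {"address": "10.32.28.137", "port_value": 80}}},
  "metadata": {}}
]""")

# Constructed sample: Envoy upstream debug log (second line is hypothetical).
SAMPLE_LOG = """2021-04-08T22:35:22.650478Z\tdebug\tenvoy upstream\ttransport socket match, socket tlsMode-istio selected for host with address 10.32.28.136:80
2021-04-08T22:35:23.100000Z\tdebug\tenvoy upstream\ttransport socket match, socket tlsMode-disabled selected for host with address 10.32.28.137:80
"""

LOG_RE = re.compile(r"transport socket match, socket (\S+) selected for host with address (\S+)")


def auto_mtls_configured(cluster):
    """Step 1: the cluster must carry both a tlsMode-istio and a tlsMode-disabled match."""
    names = {m.get("name") for m in cluster.get("transportSocketMatches", [])}
    return {"tlsMode-istio", "tlsMode-disabled"} <= names


def endpoint_tls_mode(entry):
    """Step 2: return the endpoint's tlsMode label, or None if the server side did not set it."""
    fm = entry.get("metadata", {}).get("filter_metadata", {})
    return fm.get("envoy.transport_socket_match", {}).get("tlsMode")


def selected_sockets(log_text):
    """Step 3: map host:port -> transport socket name chosen at connection creation."""
    return {host: sock for sock, host in LOG_RE.findall(log_text)}


def plaintext_hosts(endpoints, log_text):
    """Hosts the client connected to without mTLS, paired with whether the label was missing."""
    chosen = selected_sockets(log_text)
    out = {}
    for e in endpoints:
        sa = e["endpoint"]["address"]["socket_address"]
        host = f"{sa['address']}:{sa['port_value']}"
        if chosen.get(host) == "tlsMode-disabled":
            out[host] = endpoint_tls_mode(e) is None  # True: label absent explains plaintext
    return out
```

`plaintext_hosts` ties the log to the EDS data: a host that fell back to `tlsMode-disabled` while its endpoint lacks the `tlsMode` label points at the destination sidecar or the destination rule rather than the client.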