<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Mtls on marktaguiad.dev</title>
    <link>https://marktaguiad.dev/tags/mtls/</link>
    <description>Recent content in Mtls on marktaguiad.dev</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <managingEditor>marktaguiad@marktaguiad.dev (Mark Taguiad)</managingEditor>
    <webMaster>marktaguiad@marktaguiad.dev (Mark Taguiad)</webMaster>
    <copyright>marktaguiad.dev</copyright>
    <lastBuildDate>Tue, 24 Mar 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://marktaguiad.dev/tags/mtls/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Istio: mTLS and RBAC</title>
      <link>https://marktaguiad.dev/post/k8s-istio-dos/</link>
      <pubDate>Tue, 24 Mar 2026 00:00:00 +0000</pubDate><author>marktaguiad@marktaguiad.dev (Mark Taguiad)</author>
      <guid>https://marktaguiad.dev/post/k8s-istio-dos/</guid>
      <description>&lt;p&gt;A continuation of Kubernetes Istio; this time we&amp;rsquo;ll focus on security.&lt;/p&gt;&#xA;&lt;h1 id=&#34;table-of-contents&#34;&gt;Table of Contents&lt;/h1&gt;&#xA;&lt;nav id=&#34;TableOfContents&#34;&gt;&#xA;  &lt;ol&gt;&#xA;    &lt;li&gt;&lt;a href=&#34;#security&#34;&gt;Security&lt;/a&gt;&#xA;      &lt;ol&gt;&#xA;        &lt;li&gt;&lt;a href=&#34;#mtls-mutual-tls&#34;&gt;mTLS (Mutual TLS)&lt;/a&gt;&lt;/li&gt;&#xA;        &lt;li&gt;&lt;a href=&#34;#authorizationpolicy-rbac&#34;&gt;AuthorizationPolicy (RBAC)&lt;/a&gt;&lt;/li&gt;&#xA;      &lt;/ol&gt;&#xA;    &lt;/li&gt;&#xA;  &lt;/ol&gt;&#xA;&lt;/nav&gt;&#xA;&lt;h3 id=&#34;security&#34;&gt;Security&lt;/h3&gt;&#xA;&lt;h4 id=&#34;mtls-mutual-tls&#34;&gt;mTLS (Mutual TLS)&lt;/h4&gt;&#xA;&lt;p&gt;This ensures that service-to-service traffic is both encrypted and authenticated.&lt;/p&gt;&#xA;&lt;p&gt;Istio lets you configure three main modes, either globally, per namespace, or per workload:&lt;/p&gt;&#xA;&lt;table&gt;&#xA;  &lt;thead&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;th&gt;Mode&lt;/th&gt;&#xA;          &lt;th&gt;Behavior&lt;/th&gt;&#xA;          &lt;th&gt;When to Use&lt;/th&gt;&#xA;      &lt;/tr&gt;&#xA;  &lt;/thead&gt;&#xA;  &lt;tbody&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;td&gt;&lt;strong&gt;STRICT&lt;/strong&gt;&lt;/td&gt;&#xA;          &lt;td&gt;Only allows &lt;strong&gt;mTLS-encrypted traffic&lt;/strong&gt;. Plaintext (non-mTLS) connections are rejected.&lt;/td&gt;&#xA;          &lt;td&gt;Best for production when you want &lt;strong&gt;full security&lt;/strong&gt; between services.&lt;/td&gt;&#xA;      &lt;/tr&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;td&gt;&lt;strong&gt;PERMISSIVE&lt;/strong&gt;&lt;/td&gt;&#xA;          &lt;td&gt;Accepts both mTLS-encrypted and plaintext traffic.&lt;/td&gt;&#xA;          &lt;td&gt;Useful during a &lt;strong&gt;gradual migration&lt;/strong&gt; to mTLS.
Old workloads can still communicate without encryption.&lt;/td&gt;&#xA;      &lt;/tr&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;td&gt;&lt;strong&gt;DISABLE&lt;/strong&gt;&lt;/td&gt;&#xA;          &lt;td&gt;Does not use mTLS at all.&lt;/td&gt;&#xA;          &lt;td&gt;For testing, legacy workloads, or non-critical traffic.&lt;/td&gt;&#xA;      &lt;/tr&gt;&#xA;  &lt;/tbody&gt;&#xA;&lt;/table&gt;&#xA;&lt;p&gt;Don&amp;rsquo;t be confused by the HTTPS traffic: it simply means that all traffic is upgraded to mTLS by the Istio Envoy sidecar. As long as the request passes through the sidecar first, it is valid.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
