Task 03: Configure mTLS

Step 1: Switch to Correct Context

kubectl config use-context cluster3-admin@cluster3

Step 2: Check Current State

# Check if there are any existing PeerAuthentication resources
kubectl get peerauthentication -n red

Step 3: Create PeerAuthentication Resource

Create a PeerAuthentication resource to enforce STRICT mTLS mode in the red namespace. Because the resource has no workload selector it applies namespace-wide, and STRICT means the sidecars in red accept only mutual-TLS connections:

kubectl apply -f - <<'EOF'
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: red
spec:
  mtls:
    mode: STRICT
EOF

Step 4: Verify Configuration

# Check that PeerAuthentication was created
kubectl get peerauthentication -n red

Test 1: Verify mTLS is enforced between services in the red namespace

Test communication from sleep-red, a sidecar-injected pod in the red namespace (this should work, since both sidecars negotiate mTLS):

kubectl exec -n red sleep-red -- curl -s http://echo-red.red.svc.cluster.local:8080/sun
{"pod_name":"sleep-red","version":"v1","namespace":"red"}

Test 2: Verify plain connections are rejected

Start a curl pod outside the mesh (no Istio sidecar), so its request reaches echo-red as plaintext; under STRICT mode this should be refused:

kubectl run curl --image=curlimages/curl -- sleep 3600
kubectl exec curl -- curl -v -s http://echo-red.red.svc.cluster.local:8080/sun
* Host echo-red.red.svc.cluster.local:8080 was resolved.
* IPv6: (none)
* IPv4: 10.109.200.7
*   Trying 10.109.200.7:8080...
* Established connection to echo-red.red.svc.cluster.local (10.109.200.7 port 8080) from 10.0.156.67 port 42556 
* using HTTP/1.x
> GET /sun HTTP/1.1
> Host: echo-red.red.svc.cluster.local:8080
> User-Agent: curl/8.16.0
> Accept: */*
> 
* Recv failure: Connection reset by peer
* closing connection #0
command terminated with exit code 56

The echo-red sidecar resets the connection because STRICT mode accepts only mTLS; curl reports the reset as exit code 56 (failure receiving network data).
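To make the precedence behind the namespace-wide policy concrete, here is an added Python helper (not part of this task or of Istio itself) that computes the effective mTLS mode for a workload from the objects `kubectl get peerauthentication -A -o json` would return; the sample policies and pod labels below are constructed.

```python
# Added example: resolve the effective PeerAuthentication mTLS mode for a
# workload. Precedence follows Istio: workload-specific (selector match) >
# namespace-wide (no selector) > mesh-wide (istio-system, no selector);
# if nothing matches, Istio's built-in default is PERMISSIVE.
import json

MESH_NAMESPACE = "istio-system"


def _matches(selector, labels):
    """A selector with matchLabels matches when every label is present."""
    want = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())


def effective_mtls_mode(policies, namespace, labels, port=None):
    """Return (mode, source) for a workload in `namespace` carrying `labels`."""
    scoped = {"workload": [], "namespace": [], "mesh": []}
    for pa in policies:
        md, spec = pa["metadata"], pa.get("spec", {})
        ns, selector = md["namespace"], spec.get("selector")
        if selector:
            if ns == namespace and _matches(selector, labels):
                scoped["workload"].append(spec)
        elif ns == namespace:
            scoped["namespace"].append(spec)
        elif ns == MESH_NAMESPACE:
            scoped["mesh"].append(spec)
    for level in ("workload", "namespace", "mesh"):
        for spec in scoped[level]:  # first match; Istio itself uses the oldest
            # portLevelMtls overrides the workload-level mode for that port
            port_mode = spec.get("portLevelMtls", {}).get(str(port), {}).get("mode")
            if port_mode:
                return port_mode, f"{level}:port {port}"
            mode = spec.get("mtls", {}).get("mode", "UNSET")
            if mode != "UNSET":  # UNSET inherits from the next wider scope
                return mode, level
    return "PERMISSIVE", "istio-default"


# Constructed sample: the policy created in this task plus a hypothetical
# mesh-wide default, in the shape kubectl prints them.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "default", "namespace": "red"},
  "spec": {"mtls": {"mode": "STRICT"}}},
 {"metadata": {"name": "default", "namespace": "istio-system"},
  "spec": {"mtls": {"mode": "PERMISSIVE"}}}
]}""")

if __name__ == "__main__":
    print(effective_mtls_mode(SAMPLE["items"], "red", {"app": "echo-red"}))
    print(effective_mtls_mode(SAMPLE["items"], "blue", {"app": "echo-blue"}))
```

Running it against live output (`kubectl get peerauthentication -A -o json | python3 -c ...`) is a quick way to spot namespaces that silently fall back to PERMISSIVE.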