
Task 14: Configure mTLS with Workload Selector

Step 1: Switch to Correct Context

kubectl config use-context cluster3-admin@cluster3

Step 2: Create PeerAuthentication with Workload Selector

kubectl apply -f - <<'EOF'
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: mtls-space
  namespace: crimson
spec:
  selector:
    matchLabels:
      app: space
  mtls:
    mode: STRICT
EOF

Step 3: Verify Configuration

# Check PeerAuthentication
kubectl get peerauthentication -n crimson
kubectl describe peerauthentication mtls-space -n crimson

# Verify it has the correct selector
kubectl get peerauthentication mtls-space -n crimson -o jsonpath='{.spec.selector.matchLabels}'

Testing

# Check that pods with the app=space label exist and have sidecars
# (READY 2/2 means the istio-proxy container is injected; a 1/1 pod has no sidecar
# and the STRICT policy cannot be enforced on it)
kubectl get pods -n crimson -l app=space

# Verify mTLS is enforced. The policy is server-side: it governs inbound traffic
# to crimson pods labelled app=space and nothing else. The client pod
# (sleep-crimson) is not selected by it; what matters is whether the client has a
# sidecar that can originate mTLS.
kubectl exec -n crimson sleep-crimson -- curl -sS http://space.crimson.svc.cluster.local

# Expected: succeeds if sleep-crimson has a sidecar (its istio-proxy upgrades the
# plaintext request to mTLS automatically); fails if it does not, because the
# space sidecar rejects plaintext under STRICT (curl typically reports exit code
# 56, "Recv failure: Connection reset by peer"). A success from a sidecar-less
# client means STRICT is not in effect for the space workload.
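The selector scoping applied in Step 2 and the outcome expected from the curl in Testing both follow from how Istio picks the PeerAuthentication that governs a workload. The following is an added example, not code from this task page or from Istio: a small model of that precedence (workload-specific with selector beats namespace-wide beats mesh-wide; mode UNSET inherits from the next broader tier; portLevelMtls overrides the workload mode per port; no matching policy means PERMISSIVE). It assumes istio-system as the mesh root namespace; the sample pods and the extra policies are constructed data, while MTLS_SPACE mirrors the manifest above field for field.

```python
"""Model Istio PeerAuthentication precedence for a workload (added example)."""

MESH_ROOT_NS = "istio-system"  # assumption: Istio's default root namespace
DEFAULT_MODE = "PERMISSIVE"    # Istio's behaviour when no policy matches

# The policy applied in Step 2, field for field.
MTLS_SPACE = {
    "metadata": {"name": "mtls-space", "namespace": "crimson"},
    "spec": {
        "selector": {"matchLabels": {"app": "space"}},
        "mtls": {"mode": "STRICT"},
    },
}


def _selector_matches(policy, labels):
    """matchLabels is an AND over every key/value pair in the selector."""
    wanted = policy["spec"]["selector"].get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def _asserted_mode(policy, port):
    """Mode this policy sets for `port`, or None when it is UNSET or absent."""
    spec = policy["spec"]
    if port is not None and "selector" in spec:  # portLevelMtls requires a selector
        port_mode = spec.get("portLevelMtls", {}).get(port, {}).get("mode")
        if port_mode not in (None, "UNSET"):
            return port_mode
    mode = spec.get("mtls", {}).get("mode")
    return None if mode in (None, "UNSET") else mode


def effective_mode(policies, namespace, labels, port=None):
    """Resolve the inbound mTLS mode for one workload (namespace + labels)."""
    workload = [p for p in policies
                if p["metadata"]["namespace"] == namespace
                and "selector" in p["spec"]
                and _selector_matches(p, labels)]
    if len(workload) > 1:
        # Istio leaves the result undefined when several selector policies
        # match one workload, so treat that as a misconfiguration to fix.
        names = sorted(p["metadata"]["name"] for p in workload)
        raise ValueError(f"conflicting workload policies: {names}")
    ns_wide = [p for p in policies
               if p["metadata"]["namespace"] == namespace
               and "selector" not in p["spec"]]
    mesh = [p for p in policies
            if p["metadata"]["namespace"] == MESH_ROOT_NS
            and "selector" not in p["spec"]]
    # Most specific tier wins; an UNSET tier falls through to the next one.
    for tier in (workload, ns_wide, mesh):
        for policy in tier:
            mode = _asserted_mode(policy, port)
            if mode is not None:
                return mode
    return DEFAULT_MODE


def plaintext_client_allowed(mode):
    """Can a pod WITHOUT a sidecar (plain HTTP) reach a server in this mode?"""
    return mode != "STRICT"


def describe_curl(policies, server_ns, server_labels, client_has_sidecar):
    """Predict the outcome of the Testing step's curl for a given client."""
    mode = effective_mode(policies, server_ns, server_labels)
    if client_has_sidecar or plaintext_client_allowed(mode):
        return "succeeds"
    return "fails"  # the server sidecar resets the plaintext connection


if __name__ == "__main__":
    # Constructed sample pods in the task's namespace.
    pods = {"space": ("crimson", {"app": "space"}),
            "sleep-crimson": ("crimson", {"app": "sleep"})}
    for name, (ns, labels) in pods.items():
        print(name, "inbound mode:", effective_mode([MTLS_SPACE], ns, labels))
    print("curl from sleep-crimson without sidecar:",
          describe_curl([MTLS_SPACE], "crimson", {"app": "space"}, False))
```

Running it shows the point of the task: space resolves to STRICT, sleep-crimson stays at the PERMISSIVE default, and a pod labelled app=space in a different namespace is untouched, because a selector only matches inside the policy's own namespace. The conflict check is worth keeping in mind when auditing a real cluster: two selector policies matching the same pod is a condition `kubectl get peerauthentication -A` will not flag for you.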