tencent cloud

Tencent Cloud Mesh

Release Notes and Announcements

Announcements

Tencent Cloud Mesh Billing Notifications

Product Introduction

Purchase Guide

Billing Overview

Mesh Types and Quotas

Version Support Policies

Getting Started

Demo Application Deployment

Application Configuration

Configuring Public Network Access

Traffic Control

Multi-version Routing

Service HA

Fault Injection Testing

Service Timeout Configuration

Session Persistence

Connection Pool-based Concurrency Limiting

Multi-cluster Disaster Recovery and Multi-active

Cross-Cluster Disaster Recovery

Locality Load Balancing

Security Reinforcement

Operation Guide

Mesh Instance Management

Creating a Mesh

Upgrading a Mesh

Updating Mesh Configurations

Sidecar Injection and Configuration

Deleting a Mesh

Service Discovery Management

Automatic Service Discovery

Manual Service Registration

Gateway

Gateway Management

Gateway Configuration

Traffic Management

Using VirtualService to Configure Routing Rules

Using DestinationRule to Configure Service Versions and Traffic Policies

Observability

Monitoring Metrics

Security

Authentication Policy Configuration

Authorization Policy Configuration

Access Management

CAM Service Role Authorization

CAM Preset Policy Authorization

CAM Custom Policy Authorization

Extended Features

Using a Wasm Filter o Extend the Data Plane

FAQs

Permissions

How to Add Mesh Permissions to a Cluster

Cluster Management by Sub-account Fails

Pod Startup Fails Because the Envoy Sidecar Is Unready

Envoy Converts Headers to Lowercase

Headless Service-related FAQs

Istio-init Crashes

VirtualService Does Not Take Effect

Inappropriate VirtualService Route Matching Order

Failed to Access an Ingress Gateway from the Public Network

Parsing Fails After Smart DNS Is Enabled

Locality Load Balancing Does Not Take Effect

Sidecars Are Not Automatically Injected

Circuit Breaking Does Not Take Effect

Service Is Abnormal Due to a Retry Policy

Incomplete Call Tracing Information

TCM Policy

Data Processing And Security Agreement

DocumentationTencent Cloud MeshGetting StartedSecurity ReinforcementAuthentication

Authentication

Last updated: 2023-12-26 11:37:49

Authentication

Last updated: 2023-12-26 11:37:49

Overview
This document describes how to implement mutual authentication of mTLS for all service accesses in the production environment (base namespace) to prevent man-in-the-middle attacks.
Directions
The mTLS mode defaults to PERMISSIVE, that is, both mTLS encryption and plaintext connection can be used for service communications.
Log in to the istio-proxy container in the TKE console and use plaintext connection to send the curl http://product.base.svc.cluster.local:7000/product request to the product service in the production environment (base namespace). In this case, the product service can be accessed via plaintext connection, as shown below:
﻿

The access via plaintext connection is successful as shown below:
﻿
﻿
Implement the mTLS mode for service communications in the base namespace by setting the mTLS mode to STRICT in the PeerAuthentication policy:
﻿
﻿
Or submit the following YAML file to the primary cluster via kubectl:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: base-strict
  namespace: base
spec:
  mtls:
    mode: STRICT
After the configuration, log in to the istio-proxy container in the TKE console and use plaintext connection to send the curl http://product.base.svc.cluster.local:7000/product request to the product service in the production environment (base namespace). In this case, the product service cannot be accessed via plaintext connection, as shown below:
﻿
﻿

Was this page helpful?

You can also Contact Sales or Submit a Ticket for help.

Yes

No

Contact Us

Contact our sales team or business advisors to help your business.

Technical Support

Open a ticket if you're looking for further assistance. Our Ticket is 7x24 available.

7x24 Phone Support