Kubernetes Peer Authentication
Provision an Istio PeerAuthentication -- the mesh primitive that sets mutual TLS
(mTLS) requirements for incoming connections to your workloads. Enforce
encrypted, authenticated service-to-service traffic across a namespace or the
whole mesh, ease workloads onto the mesh with permissive mode, and override
specific ports as needed.
What Gets Created
- A namespaced security.istio.io/v1 PeerAuthentication custom resource.
- An optional workload selector, a workload-level mtls.mode, and optional per-port port_level_mtls overrides.
Prerequisites
- Istio CRDs installed on the cluster (KubernetesIstioBaseCrds).
- A running Istio control plane, istiod (KubernetesIstio), to enforce the policy.
- The target namespace (KubernetesNamespace).
Quick Start
```yaml
apiVersion: kubernetes.openmcf.org/v1
kind: KubernetesPeerAuthentication
metadata:
  name: default
spec:
  namespace:
    value: finance
  mtls:
    mode: STRICT
```

```shell
openmcf apply -f peerauthentication.yaml
```
Configuration Reference
Required Fields
| Field | Type | Description |
|---|---|---|
| namespace | reference | Namespace the policy is created in. |
Optional Fields
| Field | Type | Description |
|---|---|---|
| selector.match_labels | map | Pod labels selecting target workloads; omit for namespace-wide scope. |
| mtls.mode | string | UNSET, DISABLE, PERMISSIVE, or STRICT; omit to inherit. |
| port_level_mtls | map | Per-workload-port mode overrides; requires a selector. |
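The fields above combine into the usual migration pattern: a namespace-wide PERMISSIVE baseline so sidecar-less callers keep working, plus a selector-scoped STRICT policy for a workload that is fully on the mesh, with a single port left PERMISSIVE. The manifests below are an added example, not taken from the OpenMCF documentation or project; the app label and the port number are constructed, and the nesting of port_level_mtls (keyed by container port, each entry carrying a mode) is assumed to mirror Istio's portLevelMtls.

```yaml
# Added example (not the project's own): two policies in the finance namespace.
# Assumed: port_level_mtls is keyed by container port number and nests `mode`,
# following Istio's portLevelMtls; the app label and port 9100 are constructed.
apiVersion: kubernetes.openmcf.org/v1
kind: KubernetesPeerAuthentication
metadata:
  name: default              # no selector, so this covers every workload in the namespace
spec:
  namespace:
    value: finance
  mtls:
    mode: PERMISSIVE         # accept plaintext and mTLS while workloads are still being onboarded
---
apiVersion: kubernetes.openmcf.org/v1
kind: KubernetesPeerAuthentication
metadata:
  name: ledger-strict
spec:
  namespace:
    value: finance
  selector:
    match_labels:
      app: ledger            # constructed label; narrows this policy to one workload
  mtls:
    mode: STRICT             # mTLS required on every port of the selected pods ...
  port_level_mtls:
    "9100":                  # ... except the metrics port scraped by an off-mesh collector
      mode: PERMISSIVE
```

Apply both with openmcf apply as in the Quick Start. For pods matching the selector, the workload-scoped STRICT policy takes precedence over the namespace-wide default; per-port overrides only work alongside a selector, as the table states. Once the last plaintext caller is on the mesh, tighten the namespace-wide policy to STRICT so unencrypted, unauthenticated traffic is rejected rather than merely tolerated.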
Stack Outputs
| Output | Description |
|---|---|
| peer_authentication_name | Name of the created PeerAuthentication (equals metadata.name). |
| namespace | Namespace the PeerAuthentication was created in. |
Related Components