Istio Workload Minimum TLS Version Configuration
This task shows how to configure the minimum TLS version for Istio workloads. The maximum TLS version for Istio workloads is 1.3.
Configuration of minimum TLS version for Istio workloads
Install Istio through istioctl with the minimum TLS version configured. The IstioOperator custom resource used to configure Istio in the istioctl install command contains a field for the minimum TLS version for Istio workloads. The minProtocolVersion field specifies the minimum TLS version for the TLS connections among Istio workloads. In the following example, the minimum TLS version for Istio workloads is configured to be 1.3.

$ cat <<EOF > ./istio.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    meshMTLS:
      minProtocolVersion: TLSV1_3
EOF
$ istioctl install -f ./istio.yaml
Check the TLS configuration of Istio workloads
After configuring the minimum TLS version of Istio workloads, you can verify that the minimum TLS version was configured and works as expected.
Deploy two workloads: httpbin and curl. Deploy these into a single namespace, for example foo. Both workloads run with an Envoy proxy in front of each.

$ kubectl create ns foo
$ kubectl apply -f <(istioctl kube-inject -f samples/httpbin/httpbin.yaml) -n foo
$ kubectl apply -f <(istioctl kube-inject -f samples/curl/curl.yaml) -n foo

Verify that curl successfully communicates with httpbin using this command:

$ kubectl exec "$(kubectl get pod -l app=curl -n foo -o jsonpath={.items..metadata.name})" -c curl -n foo -- curl http://httpbin.foo:8000/ip -sS -o /dev/null -w "%{http_code}\n"
200
In the example, the minimum TLS version was configured to be 1.3. To check that TLS 1.3 is allowed, you can run the following command:
$ kubectl exec "$(kubectl get pod -l app=curl -n foo -o jsonpath={.items..metadata.name})" -c istio-proxy -n foo -- openssl s_client -alpn istio -tls1_3 -connect httpbin.foo:8000 | grep "TLSv1.3"

The text output should include:

TLSv1.3

To check that TLS 1.2 is not allowed, you can run the following command:

$ kubectl exec "$(kubectl get pod -l app=curl -n foo -o jsonpath={.items..metadata.name})" -c istio-proxy -n foo -- openssl s_client -alpn istio -tls1_2 -connect httpbin.foo:8000 | grep "Cipher is (NONE)"

The text output should include:

Cipher is (NONE)

Cleanup
Delete sample applications curl and httpbin from the foo namespace:
$ kubectl delete -f samples/httpbin/httpbin.yaml -n foo
$ kubectl delete -f samples/curl/curl.yaml -n foo

Uninstall Istio from the cluster:

$ istioctl uninstall --purge -y

To remove the foo and istio-system namespaces:
$ kubectl delete ns foo istio-system
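The two openssl s_client checks in the verification section above, generalised into one script that probes each TLS version and compares the verdicts against the configured minimum; this is an added example, not code from the Istio docs, and it is meant to run before the cleanup steps. It assumes the curl/httpbin setup in namespace foo with ALPN "istio" as above, treats TLSV1_2 as the other minProtocolVersion value, and uses function names of my own.

```shell
#!/bin/sh
# Added example (not from the Istio docs): probe a mesh workload once per TLS
# version with openssl s_client and check each verdict against the configured
# minProtocolVersion. Assumes the curl/httpbin sample in namespace foo.
NAMESPACE="${NAMESPACE:-foo}"
TARGET="${TARGET:-httpbin.foo:8000}"

# Run openssl s_client from the curl pod's istio-proxy sidecar, pinned to one
# TLS version. $1 is the openssl flag suffix: tls1_2 or tls1_3.
probe_tls_version() {
  pod="$(kubectl get pod -l app=curl -n "$NAMESPACE" -o jsonpath='{.items..metadata.name}')"
  kubectl exec "$pod" -c istio-proxy -n "$NAMESPACE" -- \
    openssl s_client -alpn istio "-$1" -connect "$TARGET" </dev/null 2>&1
}

# Classify one s_client transcript read from stdin: openssl prints
# "Cipher is (NONE)" when the handshake was refused, otherwise the
# negotiated cipher follows "Cipher is".
classify_probe() {
  out="$(cat)"
  case "$out" in
    *"Cipher is (NONE)"*) echo rejected ;;
    *"Cipher is "*)       echo accepted ;;
    *)                    echo unknown ;;
  esac
}

# Verdict a probed version ($2) should get under minProtocolVersion $1.
# With TLSV1_3 only TLS 1.2 is below the floor; 1.3 is the maximum.
expected_verdict() {
  case "$1:$2" in
    TLSV1_3:tls1_2) echo rejected ;;
    *)              echo accepted ;;
  esac
}

# Probe both versions, print "version=verdict" per line, and return non-zero
# if any verdict differs from what the configured minimum requires.
audit_min_tls() {
  rc=0
  for v in tls1_2 tls1_3; do
    verdict="$(probe_tls_version "$v" | classify_probe)"
    want="$(expected_verdict "$1" "$v")"
    echo "$v=$verdict"
    [ "$verdict" = "$want" ] || rc=1
  done
  return $rc
}
```

Source the file and run audit_min_tls TLSV1_3 against the installation above; a non-zero exit means a version the minimum should refuse was accepted (or vice versa).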