Istio Workload Minimum TLS Version Configuration
After configuring the minimum TLS version of Istio workloads, you can verify that the minimum TLS version was configured and works as expected.
Deploy two workloads, httpbin and sleep, into a single namespace, for example foo. Both workloads run with an Envoy sidecar proxy in front of them, so traffic between them is subject to the minimum TLS version configured for the mesh:
$ kubectl create ns foo
$ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n foo
$ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@) -n foo
Verify that sleep successfully communicates with httpbin using this command:
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl http://httpbin.foo:8000/ip -sS -o /dev/null -w "%{http_code}\n"
200
If you don't see the expected output, retry after a few seconds. Caching and propagation can cause a delay.
In the example, the minimum TLS version was configured to be 1.3. The checks below open a raw TLS connection to the httpbin sidecar with openssl s_client, pinned to a single protocol version. They run from the istio-proxy container of the sleep pod, which ships openssl, and they pass -alpn istio so that the server-side Envoy handles the connection as Istio mTLS traffic rather than as plaintext. To check that TLS 1.3 is allowed, you can run the following command:
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c istio-proxy -n foo -- openssl s_client -alpn istio -tls1_3 -connect httpbin.foo:8000 | grep "TLSv1.3"
The text output should include a line containing TLSv1.3, such as the "New, TLSv1.3, Cipher is ..." summary that openssl prints once the handshake completes.
To check that TLS 1.2 is not allowed, you can run the following command:
$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c istio-proxy -n foo -- openssl s_client -alpn istio -tls1_2 -connect httpbin.foo:8000 | grep "Cipher is (NONE)"
The text output should include:
Cipher is (NONE)
The -tls1_2 option forces exactly TLS 1.2 (both the minimum and the maximum the client will offer), so the rejected handshake demonstrates the server-side floor, not a client-side default. openssl typically also prints an error such as a protocol version alert to stderr for the rejected attempt; that is the expected failure, and the grep on "Cipher is (NONE)" confirms that no cipher was negotiated. Repeat the TLS 1.2 check with -tls1_1 and -tls1 if you want evidence that older versions are refused as well.
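The two manual checks above cover one accepted and one rejected version. The script below is an added example, not code from the Istio docs or project: it sweeps TLS 1.0 through 1.3 against the httpbin sidecar with the same openssl s_client invocation, classifies each handshake from the s_client output, and compares the result with what the configured minimum should allow, so that a wrongly accepted old version or a wrongly rejected new one fails the check. The namespace and target (NS, TARGET) and the function names are assumptions; the kubectl and openssl flags are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the Istio docs: sweep TLS 1.0 through 1.3 against
# the httpbin sidecar and check that only versions at or above the configured
# minimum negotiate a cipher. Assumes the sleep and httpbin deployments in the
# "foo" namespace from the steps above; NS and TARGET are assumed defaults.
set -eu

NS="${NS:-foo}"
TARGET="${TARGET:-httpbin.foo:8000}"

# probe_tls <1_0|1_1|1_2|1_3>: run openssl s_client from the sleep pod's
# istio-proxy container, pinned to one protocol version and offering the
# "istio" ALPN so Envoy treats the connection as mTLS traffic. Prints the raw
# s_client output (stdout and stderr). Redefine this function with canned
# output to exercise the classifier without a cluster.
probe_tls() {
  pod="$(kubectl get pod -l app=sleep -n "$NS" -o jsonpath='{.items..metadata.name}')"
  kubectl exec "$pod" -c istio-proxy -n "$NS" -- \
    openssl s_client -alpn istio "-tls$1" -connect "$TARGET" </dev/null 2>&1 || true
}

# classify <s_client output>: prints "accepted:<protocol>" when a cipher was
# negotiated, "rejected" when openssl reports "Cipher is (NONE)", a
# handshake/protocol-version alert, or no negotiated protocol at all.
classify() {
  out="$1"
  if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    echo rejected
  elif printf '%s\n' "$out" | grep -q -e 'handshake failure' -e 'alert protocol version'; then
    echo rejected
  else
    proto="$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)"
    if [ -n "$proto" ]; then echo "accepted:$proto"; else echo rejected; fi
  fi
}

# verify_min_tls <1_0|1_1|1_2|1_3>: probe every version and report PASS/FAIL
# against the outcome expected for that minimum. Returns non-zero if any
# version is wrongly accepted or wrongly rejected, so it can gate a pipeline.
verify_min_tls() {
  min_minor="${1#1_}"
  rc=0
  for v in 1_0 1_1 1_2 1_3; do
    result="$(classify "$(probe_tls "$v")")"
    if [ "${v#1_}" -ge "$min_minor" ]; then want=accepted; else want=rejected; fi
    if [ "${result%%:*}" = "$want" ]; then
      echo "PASS tls$v -> $result"
    else
      echo "FAIL tls$v -> $result (expected $want)"
      rc=1
    fi
  done
  return "$rc"
}

# On a real cluster: sh verify_min_tls.sh 1_3
# Nothing runs when the file is invoked without a version argument.
case "${1:-}" in
  1_[0-3]) verify_min_tls "$1" ;;
esac
```

The classifier looks for "Cipher is (NONE)" before anything else because openssl still prints an SSL-Session block with a Protocol line for a failed handshake; trusting that line alone would report the rejected attempt as accepted.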
To clean up, delete the foo namespace (and any other namespace you created for this task):
$ kubectl delete ns foo