diff --git a/Istio/10-PeerAuthentication/02-portLevelMtls/README.md b/Istio/10-PeerAuthentication/02-portLevelMtls/README.md
index bb8355d..255cfc0 100644
--- a/Istio/10-PeerAuthentication/02-portLevelMtls/README.md
+++ b/Istio/10-PeerAuthentication/02-portLevelMtls/README.md
@@ -20,7 +20,7 @@ Through this, we can apply multiple `mTLS` behaviors under a single deployment,
## Gateway
-Listens for `HTTP` traffic without limiting any host.
+Listens for `HTTP` traffic without limiting to any host.
```yaml
apiVersion: networking.istio.io/v1alpha3
@@ -43,15 +43,10 @@ spec:
Without limiting to any host, listens for traffic at port 80, and only has a very specific URL paths available to match.
-- /http-mTLS
-- /https-mTLS
-- /http-no-mTLS
-- /https-no-mTLS
+The path `/http` will be routed to the `HTTP` service set in our backend.
-Depending on the path used, the traffic will be distributed between 2 subsets from the same service:
+The path `/http` will be routed to the `HTTPS` service set in our backend.
-- mtls
-- nomtls
```yaml
apiVersion: networking.istio.io/v1alpha3
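Review bot: the second added sentence (`The path `/http` will be routed to the `HTTPS` service`) repeats `/http`; it should read `/https`, matching the `exact: "/https"` match introduced in the VirtualService hunk below. While here, the context sentence above it (`only has a very specific URL paths available to match`) could become `only has two specific URL paths available to match`, since the list it introduced was removed.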
@@ -68,64 +63,31 @@ spec:
match:
- port: 80
uri:
- exact: "/http-mTLS"
+ exact: "/http"
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8080
- subset: mtls
rewrite:
uri: "/"
- name: https-mTLS
match:
- port: 80
uri:
- exact: "/https-mTLS"
+ exact: "/https"
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8443
- subset: mtls
- rewrite:
- uri: "/"
- - name: http-no-mTLS
- match:
- - port: 80
- uri:
- exact: "/http-no-mTLS"
- route:
- - destination:
- host: helloworld.default.svc.cluster.local
- port:
- number: 8080
- subset: nomtls
- rewrite:
- uri: "/"
- - name: https-no-mTLS
- match:
- - port: 80
- uri:
- exact: "/https-no-mTLS"
- route:
- - destination:
- host: helloworld.default.svc.cluster.local
- port:
- number: 8443
- subset: nomtls
rewrite:
uri: "/"
```
## Destination Rule
-Interfering with the service URL `helloworld.default.svc.cluster.local`, it specifies 2 subsets:
-
-- mtls
-- nomtls
-
-Additionally, specifies that the traffic with port destination 8443, will attempt to proceed with TLS termination, as it is required to connect with an `HTTPS` backend.
+Interfering with the service URL `helloworld.default.svc.cluster.local`, the traffic with port destination `8443`, will attempt to proceed with TLS termination, as it is required to connect with an `HTTPS` backend.
```yaml
apiVersion: networking.istio.io/v1alpha3
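Review bot: the rewritten Destination Rule sentence keeps `Interfering with the service URL` and `TLS termination`, both of which mislead: a DestinationRule `trafficPolicy` applies to traffic sent towards the host, and what the client sidecar does for port 8443 is originate a TLS connection to the HTTPS backend, not terminate one. Suggest: `Applied to the host helloworld.default.svc.cluster.local, it configures traffic to port 8443 to originate TLS, as required to talk to the HTTPS backend.` Dropping the `subset: mtls` lines from both routes is consistent with the subsets being removed from the DestinationRule in the next hunk.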
@@ -134,15 +96,6 @@ metadata:
name: helloworld.default.svc.cluster.local
spec:
host: helloworld.default.svc.cluster.local
- subsets:
- - name: mtls
- labels:
- mtls: "true"
-
- - name: nomtls
- labels:
- mtls: "false"
-
trafficPolicy:
portLevelSettings:
- port:
@@ -182,36 +135,29 @@ spec:
app: helloworld
```
-## Deployments
+## Deployment
-There's been configured 2 deployments with the same service and settings, besides the label `mtls`, which will contain `true` or `false` based on the deployment.
-
-This label is used for the [Destination Rule](#destination-rule) to distribute the traffic between the 2 deployments under the same service.
+The deployment listen to the port `80` and `443`, hosting an `HTTP` and `HTTPS` service respectively to the aforementioned ports.
> **Note:**\
> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo)
-### helloworld-mtls
-
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
- name: helloworld-mtls
+ name: helloworld
labels:
app: helloworld
- mtls: "true"
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
- mtls: "true"
template:
metadata:
labels:
app: helloworld
- mtls: "true"
spec:
containers:
- name: helloworld
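Review bot: the new sentence `The deployment listen to the port 80 and 443, hosting an HTTP and HTTPS service respectively to the aforementioned ports` has a number-agreement error and a redundant clause; suggest `The deployment listens on ports 80 and 443, serving HTTP and HTTPS respectively.` The removal of the `mtls: "true"` label from `metadata.labels`, `selector.matchLabels` and the pod template is complete and consistent with the `### helloworld-mtls` subheading going away.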
@@ -225,84 +171,34 @@ spec:
- containerPort: 443
```
-### helloworld-nomtls
+## PeerAuthentication
-```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: helloworld-nomtls
- labels:
- app: helloworld
- mtls: "false"
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: helloworld
- mtls: "false"
- template:
- metadata:
- labels:
- app: helloworld
- mtls: "false"
- spec:
- containers:
- - name: helloworld-nomtls
- image: oriolfilter/https-nginx-demo
- resources:
- requests:
- cpu: "100m"
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 80
- - containerPort: 443
-```
-## PeerAuthentications
+Deployed a rule that sets a "global" mTLS mode to `STRICT`, meaning that the traffic require mTLS termination in order to proceed further with the request.
-Deployed 2 Peer Authentication rules, which use the `selector` field to target the deployments.
+Also, at a specific port configuration, the port `443` has the mTLS mode disabled, as the deployment contains an `HTTPS` service we required to disable it in order of the request to be successful.
-Both point to the same application, yet also specify the `mtls` label set in the deployments above, allowing the rules to target each deployment individually.
+Through the use of the `selector.matchLabels` field, we targeted our deployment pods, limiting the target of this rule.
-These rules are deployed in the `default` namespace.
-
-### disable-mtls
-
-This rule will disable `mTLS` for that deployment.
+> **Note**:\
+> In order to use the `portLevelMtls` field, the selector field is required, otherwise it won't take effect.\
+> For more information regarding this behavior, refer to the [official Istio documentation regarding PeerAuthentication](https://istio.io/latest/docs/reference/config/security/peer_authentication/#PeerAuthentication)
```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
- name: disable-mtls
+ name: helloworld-mtls
namespace: default
spec:
selector:
matchLabels:
app: helloworld
- mtls: "false"
- mtls:
- mode: DISABLE
-```
-
-### force-mtls
-
-This rule forces the deployment to communicate exclusively through `mTLS`, in case this rule is not endorsed, the traffic won't be allowed to proceed further.
-
-```yaml
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: force-mtls
- namespace: default
-spec:
- selector:
- matchLabels:
- app: helloworld
- mtls: "true"
mtls:
mode: STRICT
+ portLevelMtls:
+ 443:
+ mode: DISABLE
```
# Walkthrough
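Review bot: two grammar fixes and one missing caveat in the new PeerAuthentication prose. `the traffic require mTLS termination` should be `requires`, and the second sentence is hard to parse; suggest `At port level, port 443 has mTLS disabled: the deployment serves its own HTTPS on that port, so the sidecar must let the TLS handshake through for the request to succeed.` Worth documenting next to the `portLevelMtls: 443:` block that the key is the workload's container port (`containerPort: 443` in the Deployment), not the Service port `8443`, and that with `mode: DISABLE` on that port the sidecar no longer authenticates a peer identity there, so any AuthorizationPolicy that matches on source principals will not apply to traffic on 443. The note that `portLevelMtls` only takes effect with a `selector` is correct and useful; keep it.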
@@ -333,9 +229,13 @@ istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/
## Test resources and analyze behaviors
-> **DISCLAIMER**:\
-> For some reason, during the packet captures, I required to execute the curl 2 times in order for the output to be updated.\
-> During the tests, feel free to perform the curl twice in a row.
+
+
+[//]: # (> **DISCLAIMER**:\)
+
+[//]: # (> For some reason, during the packet captures, I required to execute the curl 2 times in order for the output to be updated.\)
+
+[//]: # (> During the tests, feel free to perform the curl twice in a row.)
### HTTP
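Review bot: the DISCLAIMER is hidden behind three `[//]: # (...)` comment lines plus three added blank lines rather than removed. If the double-curl behaviour no longer occurs with the new captures, delete the block outright (git history keeps it); if it still occurs, keep it visible, since a reader otherwise has no way to know why a capture may lag one request behind.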
@@ -344,7 +244,7 @@ istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/
Start the packet capture and proceed with another shell or browser to send traffic requests to the right destination.
```shell
-PORT=80 && MTLS="false" && kubectl exec -n default "$(kubectl get pod -n default -l app=helloworld -l mtls=${MTLS} -o jsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port ${PORT} -A
+PORT=80 && kubectl exec -n default "$(kubectl get pod -n default -l app=helloworld -o jsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port ${PORT} -A
```
```text
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
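Review bot: with `-l mtls=${MTLS}` gone, `kubectl get pod -n default -l app=helloworld -o jsonpath={.items..metadata.name}` returns every `app=helloworld` pod. That is one name with `replicas: 1`, but any scale-up yields a space-separated list and a failing `kubectl exec`; `jsonpath={.items[0].metadata.name}` keeps the one-liner robust. The same applies to the port-443 command further down. Also worth a sentence that `sudo tcpdump` inside the `istio-proxy` container relies on a sidecar with the capabilities to capture, which a default sidecar does not have.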
@@ -356,7 +256,7 @@ listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
Nothing to higlight so far, we can access the service.
```shell
-curl 192.168.1.50/http-no-mTLS
+curl 192.168.1.50/http
```
```text
Howdy
@@ -364,29 +264,37 @@ curl 192.168.1.50/http-no-mTLS
##### Reviewing pcap output
-Due to having the mTLS disabled, the traffic is not encrypted, and for such we can see its context in plain text.
-
-This scenario should be avoided unless it is required due the application being used, as mTLS allows an extra layer of security.
+As we can observe, the traffic is encrypted, proving that the mTLS is taking effect terminating the connection with the `HTTP` backend.
```text
-04:25:47.757900 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.60966 > helloworld-nomtls-66d8499c5c-298vw.http: Flags [P.], seq 3134140617:3134142280, ack 2649160847, win 501, options [nop,nop,TS val 1425864700 ecr 2534833629], length 1663: HTTP: GET / HTTP/1.1
-E....t@.?.....yX..yx.&.P..0.........Q......
-T.....}.GET / HTTP/1.1
-host: 192.168.1.50
-user-agent: curl/8.0.1
-accept: */*
-x-forwarded-for: 192.168.1.10
-x-forwarded-proto: http
-x-envoy-internal: true
-x-request-id: 65b60be7-da98-48f3-9ed6-13112cdd14f0
-x-envoy-decorator-operation: helloworld.default.svc.cluster.local:8080/http-no-mTLS
-x-envoy-peer-metadata: 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
-x-envoy-peer-metadata-id: router~172.17.121.88~istio-ingressgateway-864db96c47-f6lqd.istio-system~istio-system.svc.cluster.local
-x-envoy-attempt-count: 1
-x-envoy-original-path: /http-no-mTLS
-x-b3-traceid: 36e7d48757f2ce26eaa6e1959f3b1221
-x-b3-spanid: eaa6e1959f3b1221
-x-b3-sampled: 0
+02:00:10.511593 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.54396 > helloworld-6798765f88-76r6c.http: Flags [S], seq 3999274711, win 64800, options [mss 1440,sackOK,TS val 2646430461 ecr 0,nop,wscale 7], length 0
+E..<..@.>..I..yX...=.|.P.`......... .z.........
+..R.........
+02:00:10.512773 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.54396 > helloworld-6798765f88-76r6c.http: Flags [.], ack 134781521, win 507, options [nop,nop,TS val 2646430462 ecr 2887117842], length 0
+E..4..@.>..P..yX...=.|.P.`.....Q...........
+..R.....
+02:00:10.512988 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.54396 > helloworld-6798765f88-76r6c.http: Flags [P.], seq 0:517, ack 1, win 507, options [nop,nop,TS val 2646430462 ecr 2887117842], length 517: HTTP
+E..9..@.>..J..yX...=.|.P.`.....Q...........
+..R.................a7.i..v{
+.Nr.0.Yex..C7..k.6...d .......z._ikW3.C.H.....5..Yk.&.c.........+.../...,.0.......;.9..6outbound_.8080_._.helloworld.default.svc.cluster.local..........
+...............#..... ...istio-http/1.1.istio.http/1.1.........................3.&.$... .....M4...^9V........d_..+J."..Z.-.....+.......................................................................................................................................................................................................................
+02:00:10.530088 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.54396 > helloworld-6798765f88-76r6c.http: Flags [.], ack 2164, win 499, options [nop,nop,TS val 2646430479 ecr 2887117859], length 0
+E..4..@.>..N..yX...=.|.P.`...........3.....
+..S....#
+02:00:10.551166 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.54396 > helloworld-6798765f88-76r6c.http: Flags [P.], seq 517:2501, ack 2164, win 501, options [nop,nop,TS val 2646430500 ecr 2887117859], length 1984: HTTP
+E.....@.>.....yX...=.|.P.`.................
+..S$...#...........D.W_....+..v{..Q.3....^..m~..aU.+~t..%b....O.X|.).....=.w.z...'....`.2._...7.N..9.y..V.y.&..*vBx..z)B.g.D...1...x....V.J.*!....5.......#.......9.....V.Y..kes.&:+..j;.X5C.I...h+.SO0V....A..b,?.d.@YOy.`x.......o.EcTf}n.0....!N..Qh?.uK#?.Nx..q.&..9|?.)".qpg.]..O2.;O.x...J...$0.......I......1.X2.......2..=.UG.h'pA.CKX........
+. . 7W.v...q..?IW.M:..'d....!2..Y......I.P..).Y..~..>.:k..y..Z?....w.D.Y..M.B.MXH.HDa...(.].B......k...{..c&.0...S3..]..2.a\.......?.#..........]3...~...Q|w...l."Z;.4..!.1..,X.>YE..3Yw..9.....#|.....[`...qq..@v.m..1.|V.j$t.C..&.Ww...5e....?.|Q."..obR.a...^...D8;...=.1.....S[.90...ss....-.@..q.JI........$.8..)skW.....G....3:.qb..#/....#...'/n.~F...(Y[.k..EEz}...cgR..6...P..)'.X..e..z....Tv0>....l.t.O=D.vc..}.a.ct.....E/.*..]-`.....O.hY..j..u...."(QZ.^.......f.1.LZ.O.L.9}..m.1_sC....x.*`D..ny.......):.V.."n..t.0....T.S..u[._v%...q`._.....W.w_.q...........O.:J.....[S.a$...l.[. ..cP..zF..~..+..|.....l.. [.l.."/
+.....D6f....9:..i............N........o.....;...%v.0@...n^..."OSN.o*.:ap.C#C.Hc..r..MD.
+.-..2....
+..`...."..I...Wh9.L...r:.4M...b+q
+...8f...*.^.K.k.?7:.\..O... ..cD..c........jM....;......k....
+02:00:10.551752 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.54396 > helloworld-6798765f88-76r6c.http: Flags [P.], seq 2501:4170, ack 2164, wi
```
#### HTTPS
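Review bot: the new sentence `proving that the mTLS is taking effect terminating the connection with the HTTP backend` misstates the roles: the ingress gateway originates mTLS and the workload sidecar terminates it before forwarding plaintext to the backend on port 80, which is why the bytes captured at `dst port 80` are ciphertext. Point the reader at the two readable fragments in the new capture that show this is Istio mTLS rather than application TLS: the SNI `outbound_.8080_._.helloworld.default.svc.cluster.local` and the ALPN `istio-http/1.1`. The capture should also be trimmed at the last complete packet; the final line stops at `wi`.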
@@ -394,7 +302,7 @@ x-b3-sampled: 0
##### Start the packet capture for the port 443
```shell
-PORT=443 && MTLS="false" && kubectl exec -n default "$(kubectl get pod -n default -l app=helloworld -l mtls=${MTLS} -o jsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port ${PORT} -A
+PORT=443 && kubectl exec -n default "$(kubectl get pod -n default -l app=helloworld -o jsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port ${PORT} -A
```
```text
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
@@ -404,10 +312,10 @@ listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
##### Curl
-So good so far.
+Even tho, we have set in the [PeerAuthentication configuration](#peerauthentication) mode to `STRICT`, unlike in the [previous example](../01-disable-mTLS/#https-1), where the mode was also set to `STRICT`, in this example we configured the `portLevelMtls` field for the port `443`, successfully disabling `mTLS` for this port, and allowing to proceed with the request towards the `HTTPS` backend; which was performed without the need of disabling `mTLS` for the whole deployment.
```shell
-curl 192.168.1.50/https-no-mTLS
+curl 192.168.1.50/https
```
```text
Howdy
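Review bot: the new paragraph is a single seventy-word sentence starting with `Even tho`; split it and keep the two links: `The PeerAuthentication mode is STRICT, as in the previous example. The difference is the portLevelMtls entry for port 443, which disables mTLS only on that port, so the request reaches the HTTPS backend without disabling mTLS for the whole deployment.`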
@@ -422,34 +330,38 @@ For such, the traffic captured is encrypted, even tho we displayed the `mTLS` co
Yet, there are still a couple readable lines, where we can see that the request was initialized by the host `stio-ingressgateway.istio-system.svc.cluster.local`, through the egress port `39884`, using as destination `helloworld-nomtls-66d8499c5c-298vw`, and the port defined with name `https`, which, if we reviewed the configuration from the [Service](#service), we would observe that it was the port `8443`.
```text
-k 496, win 505, options [nop,nop,TS val 1425943341 ecr 2534945802], length 0
-E..4..@.?.....yX..yx.......;........K......
-T.+-..4
-
-04:27:06.400101 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.39884 > helloworld-nomtls-66d8499c5c-298vw.https: Flags [.], ack 809, win 503, options [nop,nop,TS val 1425943342 ecr 2534945803], length 0
-E..4..@.?.....yX..yx.......;........K......
-T.+...4.
-04:27:13.439290 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.39826 > helloworld-nomtls-66d8499c5c-298vw.https: Flags [P.], seq 1997:3684, ack 2200, win 501, options [nop,nop,TS val 1425950381 ecr 2534942622], length 1687
-E.....@.?..+..yX..yx....pI.+,U+.....Q......
-T.F...'......,.SuD..a....`..]....j..v[tF$y.<......&..m.E.p.Y.-....w..V..T.....g..a~$.Q'.c#......qj..8.|......M.J.....\".>...R...M..k|..f^,.....E.....+.Y.6..].u.g.m....Z..~o.IL.......D.]h.G.... .....F/..V......}.v.^N.P.C.G.......1..T.....w....?..]:........D...;q?...W..cI.).O......3..X14P..B.).',.N...B.../q..)\.. GW.".... .`.....[9.IS......1y.J]...d..}...B.n...C.........e6..B..[w.\.3.l.HU....5%......p.irW.@s..!1\u./.~..[.g..W.........'W..,m};._../S2\..c.9..8..rg"f..35a.A.;..T....>`..Zv.L.8....hZ".*r...0..*.%K.?.. .P]DKve/E.J.....\....t.e.9#-..3.$).....Q.Z.....m].". q. *.OW...f.=l...K.o:.D.......+.a..h?{h.?..T.....7\N.....M.`..Ob1`.....3d.aq..0...q.r.*j....KE./.O...T%..r.......'..9.W1J^^TU8.$...Y."~..~ZH.......G..?......Q4..=|.{.d/..^_....`.pjJ+p.........R."..Y-.`1....{....k...]ib.+m.....6..k...U.P.T........wU...}......`.z..#..[1.@9.z+R.3pAW).......m...Px4..9^ X..ux.EVO.o.%./+.....|4..!s......g.1...9%.... B.....{.6..].-?.../..n..y...2..sLc..|x.
-,.t..'...7.............|...........?..&}........@...=.|#.+...........u.3....m.X..... QrW?............u`-k....Q.o^{........$..h.....R.#...k...o.7~.*.tE.C...I<"......k..czN.DJ.y...R.....hx.he.r}0.82....6.J...)..3.f.G=Ky|f.L.).=.hlN!..D..J..g.V.?.......#...fQ..d.......9.9.-....j..O...Pd..E.da/..b} .}.Qx.......I..[+....>.5....p.9....K2M s(.a..K6.]..m.?...%.. helloworld-nomtls-66d8499c5c-298vw.https: Flags [.], ack 2513, win 501, options [nop,nop,TS val 1425950382 ecr 2534952843], length 0
-E..4..@.?.....yX..yx....pI..,U,.....K......
-T.F...O.
-04:27:20.932653 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.40126 > helloworld-nomtls-66d8499c5c-298vw.https: Flags [S], seq 3645561416, win 64800, options [mss 1440,sackOK,TS val 1425957874 ecr 0,nop,wscale 7], length 0
-E..<..@.?.f>..yX..yx.....J.H....... K".........
-T.c.........
-04:27:20.933038 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.40126 > helloworld-nomtls-66d8499c5c-298vw.https: Flags [.], ack 840930767, win 507, options [nop,nop,TS val 1425957875 ecr 2534960336], length 0
-E..4..@.?.fE..yX..yx.....J.I2.......K......
-T.c...l.
-04:27:20.933916 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.40126 > helloworld-nomtls-66d8499c5c-298vw.https: Flags [P.], seq 0:517, ack 1, win 507, options [nop,nop,TS val 1425957876 ecr 2534960336], length 517
-E..9..@.?.d?..yX..yx.....J.I2.......M......
-T.c...l..............#.."H..\..\A*...5.../m.....wV. ;.......>..`..k.t.b.O.U
-e(?.X...........+.../...,.0..............
-...............#..... ...istio-http/1.1.istio.http/1.1.........................3.&.$... J7.y.............
-..<.Ma.v}.*3LI.-.....+........................)......./.....`.............3.. .[....N.,......i.9;.9V9A..1..J.......W.....o.%.%.#ev..f.....! ........FHc..r...6...e.'J.&..T.p
-04:27:20.937464 IP 172-17-1
+02:02:41.616839 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.58752 > helloworld-6798765f88-76r6c.https: Flags [S], seq 1052122243, win 64800, options [mss 1440,sackOK,TS val 2646581565 ecr 0,nop,wscale 7], length 0
+E..<.y@.>.....yX...=....>.......... ...........
+...=........
+02:02:41.618256 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.58752 > helloworld-6798765f88-76r6c.https: Flags [.], ack 1254443190, win 507, options [nop,nop,TS val 2646581567 ecr 2887268947], length 0
+E..4.z@.>.....yX...=....>...J.H............
+...?..:S
+02:02:41.618902 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.58752 > helloworld-6798765f88-76r6c.https: Flags [P.], seq 0:246, ack 1, win 507, options [nop,nop,TS val 2646581568 ecr 2887268947], length 246
+E..*.{@.>.....yX...=....>...J.H.....T......
+...@..:S............
+.B.L(....I....`O.#.$-..f..y.'. :.&.....1oX.i.J.W.CD.-.l.|...y...........+.../...,.0..............
+...............#..... ...istio-http/1.1.istio.http/1.1.........................3.&.$... .vw..q|H[6.HQp.zn[. m...M0yL..]g.-.....+.......
+02:02:41.637813 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.58752 > helloworld-6798765f88-76r6c.https: Flags [.], ack 1377, win 501, options [nop,nop,TS val 2646581587 ecr 2887268967], length 0
+E..4.|@.>.....yX...=....>..zJ.N......4.....
+...S..:g
+02:02:41.641084 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.58752 > helloworld-6798765f88-76r6c.https: Flags [P.], seq 246:310, ack 1377, win 501, options [nop,nop,TS val 2646581590 ecr 2887268967], length 64
+E..t.}@.>..M..yX...=....>..zJ.N............
+...V..:g..........5D\..yfI.....]iyu.:........m!Ev.....*..-..`.'*.......g
+02:02:41.642627 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.58752 > helloworld-6798765f88-76r6c.https: Flags [.], ack 1632, win 501, options [nop,nop,TS val 2646581592 ecr 2887268972], length 0
+E..4.~@.>.....yX...=....>...J.O............
+...X..:l
+02:02:41.642884 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.58752 > helloworld-6798765f88-76r6c.https: Flags [.], ack 1887, win 501, options [nop,nop,TS val 2646581592 ecr 2887268972], length 0
+E..4..@.>.....yX...=....>...J.P............
+...X..:l
+02:02:41.643146 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.58752 > helloworld-6798765f88-76r6c.https: Flags [P.], seq 310:1981, ack 1887, win 501, options [nop,nop,TS val 2646581592 ecr 2887268972], length 1671
+E.....@.>.....yX...=....>...J.P......f.....
+...X..:l...............*t\o.....z^=.=\....cq..../.9eKL..`.C....."....q{...*..0;^n7.o:,...a..-.W8:.1..c........Z..b.......i...4....B.. .-2...+3$i.!.......7..._.T..G`...Ar.D.a.....U..^....^.Q.h.._.p.H..9.*O.5)-T_....7}8.>."...j..)e.^..-.'.L....Y9.6d...Z...<.....hygo.z\H.11...q{.*T....V.>K.9\HJ...7.....m.r:.(...s.'5|_...F..X&..>#(..]...H.6.V....(.4z..3,...e.P.r..H..A.[...[....S.YNp......C..LN.....z.r.....6.J..".H...%=T.f.O...84........(..r@O#.3C...9.G..m.D.J...a.w....).GuC?.,.].9a..4...1....MoG8l..u..hV.h.6....Z`....+..9.aAW.]..,_7.@...y..._{.....buwy).q.\L.L....E2..~....',.J............Z.._...G......4,....o.w2
+...`....qp.. .g..iP.Vdw...W9.B...q..<...F...j..-G.!\..3r+\.T....{d$....Ys..4.J....D.["..-
+(E.l..H7.iw.....?....?p..cI#qu...mK.T...qp.[g..%.2...|....7O...u.K..........?....s.......J.#%...;._.....>..Z......7DA...P.fg.......N..Oz..+....3........y..+...r..*.....[...xT...J...}..n...n...V ..P...<..y..U.^.....90.......4..'..p.E..F2.....~.GBG.....@v<....;m dd..z~..>\..T$.i..Da...M.!xR......x6.h...l...m.I.Zl ..t
+.g..c..w...EEtq.s.......8...x.E.|..%e..n..b.FA'..w..
+..
+.H.d... ...H>K.......O..#'.`....q..0.K>...".c.~.\.......N..$.
```
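Review bot: the unchanged prose line directly above this capture still describes the old one: pod `helloworld-nomtls-66d8499c5c-298vw`, egress port `39884`, and the typo `stio-ingressgateway`. The replacement capture shows `helloworld-6798765f88-76r6c` and source port `58752`, so update that sentence (and spell it `istio-ingressgateway`), otherwise the text and the pcap contradict each other.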
@@ -468,13 +380,6 @@ virtualservice.networking.istio.io "helloworld-vs" deleted
destinationrule.networking.istio.io "helloworld.default.svc.cluster.local" deleted
```
-
# Links of Interest
-- https://istio.io/latest/docs/reference/config/security/peer_authentication/#PeerAuthentication-MutualTLS-Mode
-
-- https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/
-
-- https://istio.io/latest/docs/concepts/security/#mutual-tls-authentication
-
-- https://istio.io/latest/docs/reference/config/security/peer_authentication/
+- https://istio.io/latest/docs/reference/config/security/peer_authentication/#PeerAuthentication
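Review bot: the link list loses the `#PeerAuthentication-MutualTLS-Mode` anchor along with the mTLS migration and concepts pages. The mode anchor is the reference for the `STRICT` and `DISABLE` values this README relies on and is worth keeping next to the new `#PeerAuthentication` link; the other two are reasonable to drop if they are linked from a parent README.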
diff --git a/Istio/10-PeerAuthentication/02-portLevelMtls/authentication.yaml b/Istio/10-PeerAuthentication/02-portLevelMtls/authentication.yaml
index 8fe7cc9..69c6834 100644
--- a/Istio/10-PeerAuthentication/02-portLevelMtls/authentication.yaml
+++ b/Istio/10-PeerAuthentication/02-portLevelMtls/authentication.yaml
@@ -7,7 +7,6 @@ spec:
selector:
matchLabels:
app: helloworld
- mtls: "false"
mtls:
mode: STRICT
portLevelMtls:
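Review bot: removing `mtls: "false"` from the selector makes this policy apply to every `app: helloworld` pod in the namespace, which matches the single-Deployment model the README now describes. The README hunks also drop the `mtls` label from the Deployment, the DestinationRule subsets and the VirtualService routes, but no deployment, destination-rule or virtual-service manifest appears in this diff; confirm those files are updated in the same change, otherwise the README and the applied manifests disagree.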