| apiVersion: networking.istio.io/v1alpha3 |
| kind: Sidecar |
| metadata: |
| name: default-sidecar-scope |
| namespace: istio-config |
| spec: |
| egress: |
| - hosts: |
| - "./*" |
| --- |
| # Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh. |
| apiVersion: security.istio.io/v1beta1 |
| kind: PeerAuthentication |
| metadata: |
| name: default |
| namespace: istio-config |
| spec: |
| mtls: |
| mode: STRICT |
| --- |
| # Corresponding destination rule to configure client side to use mutual TLS when talking to |
| # any service (host) in the mesh. |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: DestinationRule |
| metadata: |
| name: default |
| namespace: istio-config |
| spec: |
| host: "*.local" |
| trafficPolicy: |
| tls: |
| mode: ISTIO_MUTUAL |
| --- |
| # Services and configs in ns1 namespace |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: ServiceEntry |
| metadata: |
| name: http1 |
| namespace: ns1 |
| spec: |
| hosts: |
| - http1.ns1.svc.cluster.local |
| addresses: |
| - 2.1.1.1 |
| ports: |
| - number: 8081 |
| name: http |
| protocol: HTTP2 |
| location: MESH_INTERNAL |
| resolution: STATIC |
| endpoints: |
| - address: 100.1.1.1 |
| labels: |
| version: v1 |
| ports: |
| http: 8080 |
| --- |
| # Services and configs in ns1 namespace |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: ServiceEntry |
| metadata: |
| name: http2 |
| namespace: ns2 |
| spec: |
| hosts: |
| - http2.ns2.svc.cluster.local |
| addresses: |
| - 2.1.1.2 |
| ports: |
| - number: 8082 |
| name: http |
| protocol: HTTP2 |
| location: MESH_INTERNAL |
| resolution: STATIC |
| endpoints: |
| - address: 100.2.1.1 |
| ports: |
| http: 8080 |
| --- |
| # The sidecar for the consumer only application |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: Sidecar |
| metadata: |
| name: consumerapp |
| namespace: consumerns |
| spec: |
| egress: |
| - hosts: |
| - "ns1/*" |
| ingress: |
| - port: |
| number: 9080 |
| protocol: HTTP |
| name: http-admin |
| defaultEndpoint: 127.0.0.1:8080 |
| captureMode: IPTABLES |
| workloadSelector: |
| labels: |
| app: consumeronly |