From YouTube: Istio Auto mTLS and JWT (Istio 1.5) Part One
Description
Istio 1.5 was recently released. In these two videos, we take a look at the PeerAuthentication and RequestAuthentication APIs, new in 1.5, which control mTLS and JWT authentication.
This is Christian Posta from Solo.io, and in this series of short videos we're gonna take a look at some of the new security features that came out with the Istio 1.5 release. Actually, if you go to istio.io and click on News and some of the release announcements, you can see that not only was 1.5 released recently, 1.5.1 was released today, and that comes with some fixes for multi-cluster and Helm 3 and some other bugs that were discovered, including a security advisory.

What we're going to take a look at today is the new security API that was introduced around automatic mTLS for the service mesh, explicitly setting mTLS authentication, and using JWT tokens to build authorization policies around, and so forth. So without more ado, let's take a look at our demo here. This is a live demo, and I have a little script here to help me type, as you may notice from some of my demos. But this is a live demo. What we're going to look at is a set of services, a chain of services really, where web calls a recommendation service, which then calls a purchase history service, and we can see some of those workloads here. Now when we call the Istio ingress gateway, in this case, we can see the chain of services.

Now, let's take a look at how this auto mTLS kind of works and how we can use it to slowly move workloads over into Istio without requiring TLS and mTLS if those workloads are not ready for it. So let's take a look at this demo. Again, we'll take a look at the workloads that we have here, and what we're gonna do is, from a sleep pod... actually, that's [unclear], I went too fast. From the sleep pod, what we're gonna see here is that we don't have an Istio sidecar running next to that one, okay. So if we make a call from sleep to recommendation, we're not participating in the mutual TLS because we're not going through the Istio sidecars, but you can see when we execute this, and, you know, go into the sleep container and call recommendation, you can see the call still succeeds, and you might be wondering, well, how's that possible?

If we look in here, we can tell: we can see the HTTP requests here and they're in plain text. And so what we know out of this is one of the features is that by default, the auto mTLS will create mTLS connections where it can, but it will not block plaintext connections, and that is very handy when you're migrating workloads over into the service mesh.

Now you might find that once you have the workloads moved into and migrated over to the service mesh, you want to enforce TLS and mTLS, and you don't want anybody to be able to talk plaintext. So what we're going to do here is look at the new PeerAuthentication API, which allows us to be very fine-grained about how we apply the strictness, the TLS requirement. We can do it by specific workload, we can do it by namespace, or we can do it by the full mesh.

So let's apply this PeerAuthentication policy, and then what we're going to try to do now is, from the sleep container, call recommendation. Now we're in strict mTLS mode, and the sleep container, which isn't part of the service mesh, doesn't have the sidecar proxy. So now, when we call it, we should see that it fails. There we go. Now, what we could do is migrate this workload over; in this case, we'll inject the Istio sidecar proxy.

Let's try calling recommendation, and it succeeds, and that is because we're going through the Istio sidecar proxy on the sleep side, which is then, you know, now even in enforced strict mTLS, we're calling the recommendation service and it's all good. Stay tuned for the next video, [unclear] shorter, when we look at the JWT authentication.
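The three PeerAuthentication scopes mentioned in the video (full mesh, namespace, specific workload), written out as an added example. This is not the demo's own YAML; the namespace `demo`, the `app: purchase-history` label and port `8080` are assumptions.

```yaml
# Mesh-wide default: a PeerAuthentication in the root namespace (istio-system)
# with no selector applies to every workload in the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Namespace-wide policy (namespace "demo" is assumed): no selector, so it
# covers every workload in the namespace and takes precedence over the
# mesh-wide default for those workloads.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: demo
spec:
  mtls:
    mode: STRICT
---
# Workload-specific exception (label and port are assumed) for a service that
# still has callers without a sidecar. The selector narrows the policy to one
# workload, so the rest of the namespace stays STRICT; PERMISSIVE on the
# application port keeps auto mTLS between sidecars but still accepts
# plaintext from pods outside the mesh while they are being migrated.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: purchase-history-migration
  namespace: demo
spec:
  selector:
    matchLabels:
      app: purchase-history
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: PERMISSIVE
```

Deleting the third policy once the workload's callers have sidecars reproduces the video's end state: the namespace STRICT policy applies and a plaintext call from a sidecar-less pod is refused.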