Ensure Envoy proxies are not configured in permissive mode in Istio Peer Authentication

MEDIUM

Description

Enabling end-to-end TLS encryption helps protect data in transit from man-in-the-middle and similar attacks.

Remediation

The PeerAuthentication configuration YAML file supports several mTLS modes. Setting spec.mtls.mode to STRICT selects the strongest configuration and is considered best practice.
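As an added example (not part of the original policy page), the manifests below show the permissive setting this rule flags beside the STRICT form described above. The resource name and the payments namespace are placeholder assumptions.

```yaml
# Flagged by this rule: in PERMISSIVE mode the sidecar accepts both
# mutual TLS and plaintext connections, so traffic can still arrive unencrypted.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default          # placeholder name (assumption)
  namespace: payments    # placeholder namespace (assumption)
spec:
  mtls:
    mode: PERMISSIVE
---
# Compliant: in STRICT mode the sidecar accepts only mutual TLS connections.
# The policy has no selector, so it covers every workload in the namespace.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default          # placeholder name (assumption)
  namespace: payments    # placeholder namespace (assumption)
spec:
  mtls:
    mode: STRICT
```

Before switching a namespace to STRICT, confirm that every client calling its workloads has a sidecar, because plaintext callers are rejected once the policy applies. An unset mode inherits from the parent policy and is treated as PERMISSIVE when there is none, so leaving the field out does not satisfy this rule's intent.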

References:
https://istio.io/latest/docs/reference/config/security/peer_authentication/

Policy Details

Rule Reference ID: AC_K8S_0124
Remediation Available: No
Resource Category: Virtual Network
Resource Type: Istio

Frameworks