Comments (5)
Not always. Think about your browser: if you are accessing a website that has no CA cert in your local host, it will warn.
This is to verify that the server you access is really the true one, not a pretending one.
from istio.
The error is as: #50997
from istio.
Thanks @hzxuzhonghu
After insecureSkipVerify set to false, it works.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: originate-tls
  namespace: istio-system
spec:
  host: httpbin.org
  trafficPolicy:
    tls:
      mode: SIMPLE
      insecureSkipVerify: true
from istio.
Just want to discuss more whether setting insecureSkipVerify to true is safe enough for production usage.
Let us say, is it possible for some hacker to manipulate our cluster's external request to a fake server without a server certificate?
- If we verify the SSL certificate, it is secure to find this, and we will cancel the request.
- If we do not verify the SSL certificate, you may send your token/info to it. The fake server will get all info.
Just FYI. Thanks very much for the discussion.
from istio.
Thanks @hzxuzhonghu, closed this.
from istio.
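A verifying variant of the DestinationRule posted earlier in this thread, as an added example that is not from the original posters or the Istio project: certificate verification stays on, and the proxy is told which CA bundle and which server names to accept. The CA bundle path is an assumption (the usual Debian/Ubuntu location); use the path that exists in your proxy image.

```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: originate-tls
  namespace: istio-system
spec:
  host: httpbin.org
  trafficPolicy:
    tls:
      mode: SIMPLE
      # Keep verification on: a server that cannot present a certificate
      # chaining to a trusted CA is rejected during the handshake, before
      # any token or request body is sent.
      insecureSkipVerify: false
      # Assumed path: CA bundle used to validate the server certificate.
      caCertificates: /etc/ssl/certs/ca-certificates.crt
      # Server name sent in the TLS handshake.
      sni: httpbin.org
      # Names the presented certificate must carry in its SAN.
      subjectAltNames:
      - httpbin.org
```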