Verify MTLS enabled in Istio through wireshark


I am running services on a Kubernetes cluster and, for security purposes, I came to know about the service mesh named Istio. Currently, I have enabled mTLS in the istio-system namespace and I can see sidecars running inside the pods of the bookinfo service. But while capturing traffic between pods with Wireshark, I can see my context route in Wireshark is still HTTP. I supposed that it should be TLS and encrypted.

Note: I am using istio-1.6.3 and have defined a Gateway and an ingress (Kubernetes ingress) to the service.

Here is the screenshot: [Wireshark image]


There is 1 answer

Jakub

As I mentioned in the comment, AFAIK it's working as designed; if you want to see TLS, you could try what is mentioned in this tutorial:

Seeing that unencrypted communication to the QOTM service is only occurring over the loopback adapter is only one part of the TLS verification process. You ideally want to see the encrypted traffic flowing around your cluster. You can do this by removing the “http” filter, and instead adding a display filter to only show TCP traffic with a destination IP address of your QOTM Pod and a target port of 20000, which you can see that the Envoy sidecar is listening on via the earlier issued kubectl describe command.


Hi @jt97, I can see a lock badge in the Kiali dashboard; I read somewhere that this is a representation that encryption is happening there.

Exactly, there is a GitHub issue about that.


Hope you find this useful.
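The check the answer describes, as an added example that is not part of the question or the answer: plaintext HTTP is expected only on the loopback hop between the application container and its Envoy sidecar, while traffic leaving the pod should be TLS on the sidecar's listener port. The sample packets, the pod IPs and the sidecar port (20000, taken from the tutorial quoted above; confirm the real listener port with `kubectl describe` as the answer says) are constructed assumptions, not values from the question.

```python
"""Classify captured TCP payloads to verify that pod-to-pod traffic is TLS."""

TLS_HANDSHAKE = 0x16  # TLS record content type for Handshake (ClientHello etc.)
TLS_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")


def classify_payload(payload: bytes) -> str:
    """Return 'tls', 'http' or 'other' for the first bytes of a TCP stream."""
    if len(payload) >= 5 and payload[0] == TLS_HANDSHAKE:
        version = int.from_bytes(payload[1:3], "big")
        length = int.from_bytes(payload[3:5], "big")
        if version in TLS_VERSIONS and length > 0:
            return "tls"
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "http"
    return "other"


def display_filter(pod_ip: str, sidecar_port: int) -> str:
    """Wireshark display filter from the answer: TCP to the pod's sidecar port."""
    return f"ip.dst == {pod_ip} && tcp.dstport == {sidecar_port}"


def verify_mtls(packets, pod_ip: str, sidecar_port: int):
    """Plaintext HTTP is allowed only on loopback (app <-> sidecar); the wire must be TLS.

    packets: iterable of (src_ip, dst_ip, dst_port, payload).
    Returns (ok, findings); findings lists plaintext seen off-loopback.
    """
    findings = []
    saw_tls = False
    for src, dst, port, payload in packets:
        kind = classify_payload(payload)
        on_loopback = src.startswith("127.") and dst.startswith("127.")
        if kind == "http" and not on_loopback:
            findings.append(f"plaintext HTTP {src} -> {dst}:{port}")
        if kind == "tls" and dst == pod_ip and port == sidecar_port:
            saw_tls = True
    return saw_tls and not findings, findings


# Constructed sample capture (assumed values, not from the question's screenshot).
CLIENT_HELLO = bytes.fromhex("160303004a0100004603030000")  # TLS 1.2 record + handshake stub
SAMPLE = [
    ("127.0.0.1", "127.0.0.1", 9080, b"GET /productpage HTTP/1.1\r\n"),  # app <-> sidecar
    ("10.244.1.7", "10.244.2.9", 20000, CLIENT_HELLO),                   # sidecar -> sidecar
]

if __name__ == "__main__":
    print(display_filter("10.244.2.9", 20000))
    print(verify_mtls(SAMPLE, "10.244.2.9", 20000))
```

Feed it the (src, dst, port, payload) tuples exported from your own capture; a finding means plaintext left the pod, which is what an "HTTP" row in Wireshark on a non-loopback interface would indicate.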