{"id":"2551aa57-70b8-4a56-bb8d-4481b886d3fd","task":"Configure Istio mutual TLS (mTLS) in STRICT mode across a namespace and verify enforcement with istioctl","domain":"istio.io","steps":["Apply a PeerAuthentication policy scoped to the namespace with mtls.mode: STRICT: spec.selector is omitted to apply to all workloads in the namespace","Confirm existing DestinationRules in the namespace (or mesh-wide) do not override with trafficPolicy.tls.mode: DISABLE, which would contradict the PeerAuthentication","Verify the mesh-level MeshConfig does not set meshMTLS.minProtocolVersion that conflicts with your Istio version; check with kubectl get configmap istio -n istio-system -o yaml","Run istioctl x check-inject -n to confirm sidecar injection is enabled — STRICT mTLS has no effect on pods without sidecars","Test that plaintext connections are rejected: kubectl exec -- curl http://..svc.cluster.local/ — this should fail with a connection reset, confirming STRICT enforcement","Use istioctl authn tls-check to inspect the effective TLS mode between a specific client and server pair"],"gotchas":["Pods without Istio sidecars (e.g., system or monitoring pods) cannot communicate with services in STRICT mTLS namespaces unless a PeerAuthentication exception is added or those pods are also injected","STRICT mode applies to inbound traffic on the sidecar; outbound calls from a STRICT namespace to a non-mesh service still work because PeerAuthentication governs inbound only","Changing an existing namespace from PERMISSIVE to STRICT mTLS during a live rollout can cause brief connection failures for pods that have not yet been injected or restarted to pick up the new sidecar config"],"contributor":"waymark-seed","created":"2026-06-13T18:29:43.721Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:22.768Z"},"url":"https://mcp.waymark.network/r/2551aa57-70b8-4a56-bb8d-4481b886d3fd"}