Beginning with Anthos Service Mesh version 1.4.5, Anthos Service Mesh certificate authority (Mesh CA) manages the issuance and rotation of mTLS certificates and keys for GKE Pods. Open source Istio and earlier versions of Anthos Service Mesh use Citadel as the certificate authority.
If you are upgrading from Istio or an earlier version of Anthos Service Mesh, and you have existing authorization policies that use a custom trust domain, you must update your authorization policies to use `cluster.local` to refer to your local trust domain. If your existing authorization policies already use `cluster.local`, you don't need to do anything.
To update your authorization policies:

1. Grep your authorization policies to find all the occurrences of your custom trust domain. In the following example, `old-td` is the name of a custom trust domain.

   ```yaml
   apiVersion: security.istio.io/v1beta1
   kind: AuthorizationPolicy
   metadata:
     name: service-httpbin.default.svc.cluster.local
     namespace: default
   spec:
     rules:
     - from:
       - source:
           principals:
           - old-td/ns/sleep-allow/sa/sleep
       to:
       - operation:
           methods:
           - GET
     selector:
       matchLabels:
         app: httpbin
   ```

2. Change the custom trust domain to `cluster.local`, and apply the updated policy.

   ```shell
   kubectl apply -f - <<EOF
   apiVersion: security.istio.io/v1beta1
   kind: AuthorizationPolicy
   metadata:
     name: service-httpbin.default.svc.cluster.local
     namespace: default
   spec:
     rules:
     - from:
       - source:
           principals:
           - cluster.local/ns/sleep-allow/sa/sleep
       to:
       - operation:
           methods:
           - GET
     selector:
       matchLabels:
         app: httpbin
   ---
   EOF
   ```
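The two steps above, as an added shell example that is not from the Anthos Service Mesh documentation: it counts the principals in a policy that still carry the custom trust domain and rewrites only that trust-domain prefix to `cluster.local`, leaving principals that already use `cluster.local` untouched. The sample policy is constructed for this example (it adds a second, already-migrated principal to show that it is left alone); `old-td` is the custom trust domain name from the page. The rewritten output is what you would pipe into `kubectl apply -f -`.

```shell
#!/bin/sh
# Added example (not part of the Anthos Service Mesh documentation): find and
# rewrite custom-trust-domain principals in AuthorizationPolicy YAML so that
# they refer to cluster.local. "old-td" is the custom trust domain used on the
# page; the sample policy below is constructed for this example.

# Constructed AuthorizationPolicy that still uses the custom trust domain for
# one principal and cluster.local for another.
SAMPLE_POLICY='apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-httpbin.default.svc.cluster.local
  namespace: default
spec:
  rules:
  - from:
    - source:
        principals:
        - old-td/ns/sleep-allow/sa/sleep
        - cluster.local/ns/other/sa/other
    to:
    - operation:
        methods:
        - GET
  selector:
    matchLabels:
      app: httpbin'

# Trust domains are DNS-like names; escape the dots so a name such as
# "example.com" is matched literally by sed/grep rather than as a wildcard.
escape_td() {
  printf '%s' "$1" | sed 's/[.]/\\./g'
}

# Step 1: count the principals (policy YAML on stdin) that still use the
# custom trust domain $1. A principal has the form <td>/ns/<namespace>/sa/<sa>,
# so matching "<td>/ns/" anchors on the trust-domain prefix only.
count_custom_td_principals() {
  esc=$(escape_td "$1")
  grep -c -- "$esc/ns/" || true
}

# Step 2: rewrite the trust-domain prefix of every principal of $1 to
# cluster.local (policy YAML on stdin, rewritten YAML on stdout). The prefix
# must follow a list dash, quote or space, so a longer name that merely ends
# in the custom trust domain is not touched.
rewrite_trust_domain() {
  esc=$(escape_td "$1")
  sed "s#\([-\"' ]\)$esc/ns/#\1cluster.local/ns/#g"
}

# Dry run on the sample: show the offending lines with their line numbers,
# then print the updated policy (pipe this into "kubectl apply -f -" to apply).
printf '%s\n' "$SAMPLE_POLICY" | grep -n -- 'old-td/ns/' || true
printf '%s\n' "$SAMPLE_POLICY" | rewrite_trust_domain old-td
```

Running `count_custom_td_principals` a second time over the rewritten output and checking that it reports `0` is the verification step: it confirms that no principal in the policy still refers to the old trust domain before you apply it.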