
# PeerAuthentication

## PeerAuthentication

`PeerAuthentication` defines how traffic will be tunneled (or not) to the sidecar, that is, whether a workload's sidecar accepts only mutual TLS (`STRICT`), both mTLS and plaintext (`PERMISSIVE`), or plaintext only (`DISABLE`). A policy applies to the whole mesh, to a namespace, or, when it carries a `selector`, to the matching workloads; the most specific policy wins.

### Examples

Policy that requires mTLS for all workloads in namespace `foo`; plaintext connections to their sidecars are rejected.

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: STRICT
```

For a mesh-wide policy, put a `PeerAuthentication` without a `selector` in the root namespace of your Istio installation (by default `istio-system`, configurable through `meshConfig.rootNamespace`). Apply it only after confirming every workload already has a sidecar, otherwise a mesh-wide `STRICT` policy cuts off traffic from pods that cannot present a client certificate.

Policies that allow both mTLS and plaintext traffic for all workloads in namespace `foo`, but require mTLS for the `finance` workload. Note that the two resources need distinct names: a second `default` in the same namespace would overwrite the first on `kubectl apply` instead of coexisting with it.

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: PERMISSIVE
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: finance   # must differ from the namespace-wide policy above
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: STRICT
```

Policy that requires strict mTLS for the `finance` workload but leaves its port 8080 as plaintext. `portLevelMtls` only takes effect in a policy that has a workload `selector`, and the key is the container port of the pod, not the port of the Kubernetes Service.

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: DISABLE
```

Policy that inherits the mTLS mode from the namespace (or mesh) setting and overrides only port 8080. `UNSET` means "inherit from the next level up"; when there is no namespace or mesh policy to inherit from, Istio treats it as `PERMISSIVE`, so a workload whose only explicit setting is a port-level `DISABLE` is not automatically strict elsewhere.

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: UNSET
  portLevelMtls:
    8080:
      mode: DISABLE
```
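To make the precedence rules behind the four manifests above concrete, here is an added resolver, not Istio code, that computes the effective mode for one container port of one pod from a set of policies. Policies are given as Python dicts mirroring the manifest fields rather than parsed from YAML, the root namespace is assumed to be `istio-system`, and the resolver deliberately refuses the case of several selector policies matching the same pod (Istio picks one by age, which you should not rely on).

```python
"""Resolve the effective PeerAuthentication mTLS mode for a workload port.

Added illustration, not Istio code. Precedence implemented, as documented by
Istio: workload (selector) policy > namespace policy > mesh policy in the root
namespace; portLevelMtls overrides the workload-level mode for the listed
container port; UNSET inherits from the next level up and falls back to
PERMISSIVE when nothing is left to inherit from.
"""

ROOT_NAMESPACE = "istio-system"  # assumption: default Istio root namespace
MODES = {"UNSET", "DISABLE", "PERMISSIVE", "STRICT"}


def _mode(section):
    """Read `mode` from spec.mtls or a portLevelMtls entry; absent means UNSET."""
    if not section:
        return "UNSET"
    mode = section.get("mode", "UNSET")
    if mode not in MODES:
        raise ValueError(f"unknown mTLS mode {mode!r}")
    return mode


def _selects(selector, labels):
    """A selector matches when every matchLabels entry is present on the pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def split_policies(policies, namespace, labels, root_namespace=ROOT_NAMESPACE):
    """Pick the mesh, namespace and workload policies that apply to one pod."""
    mesh = ns = workload = None
    for p in policies:
        meta, spec = p["metadata"], p.get("spec", {})
        selector = spec.get("selector")
        if meta["namespace"] == root_namespace and not selector:
            mesh = p
        elif meta["namespace"] == namespace and not selector:
            ns = p
        elif meta["namespace"] == namespace and _selects(selector, labels):
            if workload is not None:
                raise ValueError("more than one workload policy matches the pod")
            workload = p
    return mesh, ns, workload


def effective_mode(policies, namespace, labels, port, root_namespace=ROOT_NAMESPACE):
    """Return STRICT, PERMISSIVE or DISABLE for traffic to `port` on the pod."""
    mesh, ns, workload = split_policies(policies, namespace, labels, root_namespace)
    chain = []  # most specific setting first; the first non-UNSET entry wins
    if workload is not None:
        spec = workload["spec"]
        # portLevelMtls keys are container ports (ints once parsed from YAML)
        chain.append(_mode(spec.get("portLevelMtls", {}).get(port)))
        chain.append(_mode(spec.get("mtls")))
    if ns is not None:
        chain.append(_mode(ns["spec"].get("mtls")))
    if mesh is not None:
        chain.append(_mode(mesh["spec"].get("mtls")))
    for mode in chain:
        if mode != "UNSET":
            return mode
    return "PERMISSIVE"  # Istio's default when nothing is configured


def policy(name, namespace, mode=None, selector_labels=None, port_modes=None):
    """Build a dict shaped like a PeerAuthentication manifest (constructed sample)."""
    spec = {}
    if selector_labels:
        spec["selector"] = {"matchLabels": selector_labels}
    if mode is not None:
        spec["mtls"] = {"mode": mode}
    if port_modes:
        spec["portLevelMtls"] = {p: {"mode": m} for p, m in port_modes.items()}
    return {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


# Constructed sample: the page's namespace and UNSET examples plus a STRICT mesh default.
SAMPLE_POLICIES = [
    policy("default", "istio-system", mode="STRICT"),
    policy("default", "foo", mode="PERMISSIVE"),
    policy("finance", "foo", mode="UNSET", selector_labels={"app": "finance"},
           port_modes={8080: "DISABLE"}),
]

if __name__ == "__main__":
    for ns, labels, port in [("foo", {"app": "finance"}, 8080),
                             ("foo", {"app": "finance"}, 443),
                             ("foo", {"app": "web"}, 443),
                             ("bar", {"app": "web"}, 443)]:
        print(ns, labels, port, "->", effective_mode(SAMPLE_POLICIES, ns, labels, port))
```

Running it shows the chain in action: `finance` port 8080 resolves to `DISABLE`, its other ports inherit `PERMISSIVE` from the namespace policy rather than `STRICT` from the mesh, and a pod in an unrelated namespace gets the mesh-wide `STRICT`. Swapping the sample namespace policy for `STRICT` is a quick way to see that an `UNSET` workload policy really does follow the namespace.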

For the full field reference of `PeerAuthentication`, see the [Istio official documentation](https://preliminary.istio.io/latest/docs/reference/config/security/peer_authentication/).

## References

* [PeerAuthentication - istio.io](https://istio.io/latest/docs/reference/config/security/peer_authentication/)
