## Introduction

Switching to mTLS strict mode without ensuring all services are properly configured causes communication failures. Services without valid certificates cannot authenticate with each other.

## Symptoms

- Services return 503 after enabling mTLS strict mode
- Envoy logs: "TLS error: peer did not return a certificate"
- Istio: "PeerAuthentication policy rejected"
- Some services work while others fail
- Intermittent failures during the mTLS migration

## Common Causes

- A service without a sidecar cannot participate in mTLS
- Certificate not yet provisioned for a new service
- DestinationRule TLS mode does not match the PeerAuthentication policy
- Namespace-level policy overriding the mesh-level policy
- External service calls not handled in mTLS mode

## Step-by-Step Fix

1. **Check mTLS status**:

```bash
istioctl authn tls-check <pod-name> -n <namespace>
```

2. **Use PERMISSIVE mode during migration**:

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: my-namespace
spec:
  mtls:
    mode: PERMISSIVE  # Accept both mTLS and plain text
```

3. **Gradually enable STRICT mode**:

Start with individual namespaces, then specific services, before going mesh-wide.
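Before flipping a namespace to STRICT, it helps to check the two causes listed above that this page cannot catch by hand: pods with no Envoy sidecar, and a DestinationRule whose `tls.mode` contradicts the PeerAuthentication mode. The following preflight script is an added example, not part of the original page or of Istio; it parses a constructed sample of `kubectl get pods -o json` output and assumes auto mTLS is enabled (the Istio default), so a DestinationRule with no `tls` block is treated as compatible with any mode.

```python
import json
from typing import List, Optional

# Constructed sample of `kubectl get pods -n my-namespace -o json` (not real cluster data).
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "web-7c9d"},
     "spec": {"containers": [{"name": "web"}, {"name": "istio-proxy"}]}},
    {"metadata": {"name": "legacy-batch-1"},
     "spec": {"containers": [{"name": "batch"}]}},
    {"metadata": {"name": "api-5f2a"},
     "spec": {"containers": [{"name": "api"}, {"name": "istio-proxy"}]}},
]})

# DestinationRule tls.mode values that a client may use against each PeerAuthentication mode.
# STRICT servers reject plaintext; DISABLE servers expect plaintext; PERMISSIVE accepts both.
COMPATIBLE = {
    "STRICT": {"ISTIO_MUTUAL"},
    "PERMISSIVE": {"ISTIO_MUTUAL", "DISABLE"},
    "DISABLE": {"DISABLE"},
}


def pods_without_sidecar(pod_list_json: str, sidecar: str = "istio-proxy") -> List[str]:
    """Names of pods lacking the Envoy sidecar container; these cannot take part in mTLS."""
    pods = json.loads(pod_list_json)["items"]
    return [p["metadata"]["name"] for p in pods
            if not any(c["name"] == sidecar for c in p["spec"].get("containers", []))]


def tls_mismatch(peer_auth_mode: str, dest_rule_tls_mode: Optional[str]) -> Optional[str]:
    """Describe a PeerAuthentication/DestinationRule conflict, or None if they agree.
    None for the DestinationRule mode means no tls block: auto mTLS chooses, so no conflict."""
    if dest_rule_tls_mode is None:
        return None
    if dest_rule_tls_mode in COMPATIBLE.get(peer_auth_mode, set()):
        return None
    return f"PeerAuthentication {peer_auth_mode} conflicts with DestinationRule tls.mode {dest_rule_tls_mode}"


def strict_preflight(pod_list_json: str, peer_auth_mode: str,
                     dest_rule_tls_mode: Optional[str] = None) -> List[str]:
    """Collect everything that would break once the namespace is switched to STRICT."""
    problems = [f"no sidecar: {name}" for name in pods_without_sidecar(pod_list_json)]
    mismatch = tls_mismatch(peer_auth_mode, dest_rule_tls_mode)
    if mismatch:
        problems.append(mismatch)
    return problems


if __name__ == "__main__":
    for problem in strict_preflight(SAMPLE_PODS, "STRICT", "DISABLE"):
        print(problem)
```

An empty result from `strict_preflight` is the signal to proceed to the next namespace; a non-empty one points at the exact pod or policy to fix first.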

## Prevention

- Start with PERMISSIVE mode and monitor
- Use `istioctl analyze` to detect mTLS issues
- Ensure all services have sidecars before enabling STRICT
- Test mTLS in staging before production
- Monitor the mTLS connection success rate