NoServerCertificateVerificationDestinationLevel

Message NameNoServerCertificateVerificationDestinationLevel
Message CodeIST0128
DescriptionNo caCertificates are set in DestinationRule, this results in no verification of presented server certificate.
LevelError

This message occurs when no caCertificates are set in a destination rule, but they are needed for the traffic policy.

Example

You will receive this message:

  1. Error [IST0128] (DestinationRule db-tls.default) DestinationRule default/db-tls in namespace default has TLS mode set to SIMPLE but no caCertificates are set to validate server identity for host: mydbserver.prod.svc.cluster.local

when your cluster has the following destination rule:

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: DestinationRule
  3. metadata:
  4.   name: db-tls
  5. spec:
  6.   host: mydbserver.prod.svc.cluster.local
  7.   trafficPolicy:
  8.     tls:
  9.       mode: SIMPLE
  10.       clientCertificate: /etc/certs/myclientcert.pem
  11.       privateKey: /etc/certs/client_private_key.pem
  12.       # caCertificates not set

In this example, the destination rule db-tls specifies TLS, but does not set the CA certificate file.

How to resolve

  • Supply the filename of a CA certificate
  • Change the traffic policy so that a certificate is not needed