
Proposal to have an SMI authentication policy

Open shashankram opened this issue 4 years ago • 3 comments

Users would like to optionally enable/disable mTLS between services. SMI should have an authentication policy that allows users to configure whether mTLS is enabled at different scoping levels - global scope, per service, per namespace.

This will give users flexibility to turn mTLS on/off as they desire.

shashankram avatar Apr 03 '20 20:04 shashankram

I'd love to see this addressed in SMI. I know there has been some talk in previous issues about this but don't know the details. @grampelberg, @nicholasjackson - any historical context would be greatly appreciated!

michelleN avatar Apr 03 '20 20:04 michelleN

@shashankram would you mind explaining what problem you're solving? I'm super interested in the use case!

grampelberg avatar Apr 03 '20 21:04 grampelberg

> @shashankram would you mind explaining what problem you're solving? I'm super interested in the use case!

Sorry if the description wasn't clear enough.

I am looking for a way to allow users to control their authentication policies, primarily around mTLS authentication. Since SMI policies govern traffic between services in a mesh, exposing an SMI policy to configure authentication for communication seems like a natural extension. It would allow a means for users to control whether one or more workloads in the service mesh can receive plain text traffic, i.e. non-mTLS.

shashankram avatar Apr 03 '20 23:04 shashankram