---
# Fixture: control-plane resources living in istio-system.
#
# The mesh-wide MeshPolicy below turns on mTLS for every peer. The istio
# control plane is not governed by Policy declarations, so the resources in
# this namespace are exempt even where a DestinationRule would otherwise
# violate policy. The validator is expected to stay silent on this file.
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  name: default
spec:
  peers:
    - mtls: {}
---
# Mesh default: every *.local host is reached with ISTIO_MUTUAL TLS.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: istio-system
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# Telemetry (mixer) service; the selector targets the pod defined next.
apiVersion: v1
kind: Service
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app: mixer
    istio: mixer
spec:
  selector:
    app: istio-telemetry
  ports:
    - protocol: TCP
      port: 8080
      targetPort: 8080
    - protocol: TCP
      port: 8081
      targetPort: 8081
---
# Backing pod for the telemetry service (minimal spec, fixture only).
apiVersion: v1
kind: Pod
metadata:
  name: istio-telemetry-pod
  namespace: istio-system
  labels:
    app: istio-telemetry
spec:
  containers:
    - name: istio-proxy
---
# Host-specific DestinationRule with a trafficPolicy but no tls block.
# Outside the control plane this shape would normally break mTLS for the
# host; it does not here because the control plane carries its own setup,
# so the validator must not flag it.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-telemetry
  namespace: istio-system
spec:
  host: istio-telemetry.istio-system.svc.cluster.local
  trafficPolicy:
    connectionPool:
      http:
        http2MaxRequests: 10000
        maxRequestsPerConnection: 10000