Commit 22d138e

authored
Merge pull request #70849 from gwynnemonahan/OSSM-5816
OSSM-5816 Clarify circumstances to use strict mTLS
2 parents b29a227 + 0267ea1 commit 22d138e

File tree

1 file changed

+1
-1
lines changed

modules/ossm-security-mtls.adoc

Lines changed: 1 addition & 1 deletion
@@ -8,6 +8,6 @@
88

99
Mutual Transport Layer Security (mTLS) is a protocol that enables two parties to authenticate each other. It is the default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS). You can use mTLS without changes to the application or service code. The TLS is handled entirely by the service mesh infrastructure and between the two sidecar proxies.
1010

11-
By default, mTLS in {SMProductName} is enabled and set to permissive mode, where the sidecars in {SMProductShortName} accept both plain-text traffic and connections that are encrypted using mTLS. If a service in your mesh is communicating with a service outside the mesh, strict mTLS could break communication between those services. Use permissive mode while you migrate your workloads to {SMProductShortName}. Then, you can enable strict mTLS across your mesh, namespace, or application.
11+
By default, mTLS in {SMProductName} is enabled and set to permissive mode, where the sidecars in {SMProductShortName} accept both plain-text traffic and connections that are encrypted using mTLS. If a service in your mesh configured to use strict mTLS is communicating with a service outside the mesh, communication might break between those services because strict mTLS requires both the client and the server to be able to verify the identify of each other. Use permissive mode while you migrate your workloads to {SMProductShortName}. Then, you can enable strict mTLS across your mesh, namespace, or application.
1212

1313
Enabling mTLS across your mesh at the {SMProductShortName} control plane level secures all the traffic in your service mesh without rewriting your applications and workloads. You can secure namespaces in your mesh at the data plane level in the `ServiceMeshControlPlane` resource. To customize traffic encryption connections, configure namespaces at the application level with `PeerAuthentication` and `DestinationRule` resources.
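Review bot: the added line 11 introduces a typo, "verify the identify of each other" should read "verify the identity of each other"; while touching that sentence, "If a service in your mesh configured to use strict mTLS is communicating with a service outside the mesh" reads more clearly as "If a service in your mesh that is configured to use strict mTLS is communicating with a service outside the mesh". The rest of the rewording is an improvement: it states the actual reason strict mode breaks such traffic (both peers must present and verify certificates), which the removed line left implicit.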
