Mtls Strict
istio.mtls-strict
Requires mesh-wide mutual TLS to be STRICT. A PeerAuthentication in the Istio root namespace must set mode STRICT, and no namespace or workload PeerAuthentication may downgrade to PERMISSIVE or DISABLE. PERMISSIVE accepts plaintext, so a workload without a sidecar (or an attacker on the pod network) can bypass mesh encryption.
Compatible Integrations
This guardrail works with the following integrations. Click to see how to use Mtls Strict with each collector.
Enable This Guardrail
Add the parent policy to your lunar-config.yml to enable this guardrail.
policies:
- uses: github://earthly/lunar-lib/policies/istio@v1.0.5
include: [mtls-strict]
# with: ...
How This Guardrail Works
This guardrail is part of the Istio Guardrails policy. It evaluates data collected by integrations and produces a pass/fail check with actionable feedback.
When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement of your engineering standards.
Learn How Lunar Works →Configuration Options
These inputs can be configured in your lunar-config.yml to customize
how the parent policy (and this guardrail) behaves.
| Input | Required | Default | Description |
|---|---|---|---|
required_mtls_mode
|
Optional |
STRICT
|
Required mesh-wide mTLS mode for the mtls-strict check (STRICT or PERMISSIVE) |
Istio Guardrails
This guardrail is part of the Istio Guardrails policy, which includes 7 guardrails for deployment and infrastructure.
Ready to Automate Your Standards?
See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 200+ built-in guardrails.