The permissive mode allows a workload to accept both plaintext and mutual TLS traffic at the same time.

Rating: True
Severity: Medium
Check Date: 2024-09-13

Explanation

The statement accurately describes permissive mode for workloads that use mutual TLS (mTLS). In permissive mode, a workload accepts both encrypted (mTLS) and unencrypted (plaintext) traffic simultaneously. This lets organizations transition to mTLS incrementally without enforcing it immediately, keeping a flexible security posture while still providing a pathway to secure communications. The supporting information from Istio confirms that in permissive mode the workload does not enforce mutual TLS but accepts a combination of both traffic types. This flexibility can be integral during migrations or when integrating with legacy systems. The statement therefore accurately reflects the operational characteristics and implications of permissive mode in an mTLS configuration.
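An added example, not taken from Istio or from the sources checked here: a short audit that reads Istio `PeerAuthentication` objects and lists every scope that still accepts plaintext, which is the check a team needs before closing out an incremental migration. The sample objects are constructed, and the root namespace `istio-system` and all function names are assumptions.

```python
import json

ROOT_NS = "istio-system"  # assumption: the mesh uses Istio's default root namespace

# Constructed sample, shaped like `kubectl get peerauthentication -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "default", "namespace": "istio-system"},
  "spec": {"mtls": {"mode": "PERMISSIVE"}}},
 {"metadata": {"name": "default", "namespace": "payments"},
  "spec": {"mtls": {"mode": "STRICT"}}},
 {"metadata": {"name": "legacy-api", "namespace": "payments"},
  "spec": {"selector": {"matchLabels": {"app": "legacy-api"}},
           "mtls": {"mode": "PERMISSIVE"}}},
 {"metadata": {"name": "default", "namespace": "web"}, "spec": {}}
]}
""")["items"]

def mode_of(policy):
    return policy.get("spec", {}).get("mtls", {}).get("mode", "UNSET")

def labels_of(policy):
    return policy.get("spec", {}).get("selector", {}).get("matchLabels") or {}

def namespace_mode(policies, namespace):
    """Namespace-wide policy wins, then the mesh-wide one in ROOT_NS,
    then Istio's behaviour with no policy at all, which is PERMISSIVE."""
    for ns in (namespace, ROOT_NS):
        for p in policies:
            if (p["metadata"]["namespace"] == ns and not labels_of(p)
                    and mode_of(p) != "UNSET"):
                return mode_of(p)
    return "PERMISSIVE"

def plaintext_findings(policies):
    """(namespace, scope, mode) for each scope that is not STRICT.
    Port-level overrides (portLevelMtls) are not evaluated here."""
    findings = []
    for ns in sorted({p["metadata"]["namespace"] for p in policies}):
        mode = namespace_mode(policies, ns)
        if mode != "STRICT":
            findings.append((ns, "namespace-wide", mode))
    for p in policies:
        if labels_of(p):  # workload-specific policy overrides the namespace
            ns = p["metadata"]["namespace"]
            mode = mode_of(p) if mode_of(p) != "UNSET" else namespace_mode(policies, ns)
            if mode != "STRICT":
                scope = ",".join(f"{k}={v}" for k, v in sorted(labels_of(p).items()))
                findings.append((ns, scope, mode))
    return findings
```

On the constructed sample, `plaintext_findings(SAMPLE)` reports the mesh-wide default, the `web` namespace that inherits it, and the `legacy-api` workload that overrides its namespace's STRICT policy.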
