diff --git a/pkg/ingress/kube/annotations/upstreamtls.go b/pkg/ingress/kube/annotations/upstreamtls.go
index f4745c7c7..68b9681a9 100644
--- a/pkg/ingress/kube/annotations/upstreamtls.go
+++ b/pkg/ingress/kube/annotations/upstreamtls.go
@@ -170,6 +170,9 @@ func processMTLS(config *Ingress) *networking.ClientTLSSettings {
 func processSimple(config *Ingress) *networking.ClientTLSSettings {
 	tls := &networking.ClientTLSSettings{
 		Mode: networking.ClientTLSSettings_SIMPLE,
+		InsecureSkipVerify: &wrappers.BoolValue{
+			Value: true,
+		},
 	}
 
 	if config.UpstreamTLS.EnableSNI && config.UpstreamTLS.SNI != "" {
diff --git a/pkg/ingress/kube/annotations/upstreamtls_test.go b/pkg/ingress/kube/annotations/upstreamtls_test.go
index 61d909b31..8f78c668d 100644
--- a/pkg/ingress/kube/annotations/upstreamtls_test.go
+++ b/pkg/ingress/kube/annotations/upstreamtls_test.go
@@ -17,8 +17,10 @@ package annotations
 import (
 	"testing"
 
+	"github.com/golang/protobuf/ptypes/wrappers"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
+	"google.golang.org/protobuf/testing/protocmp"
 	networking "istio.io/api/networking/v1alpha3"
 )
 
@@ -129,6 +131,9 @@ func TestApplyTrafficPolicy(t *testing.T) {
 				Tls: &networking.ClientTLSSettings{
 					Mode: networking.ClientTLSSettings_SIMPLE,
 					Sni:  "SNI",
+					InsecureSkipVerify: &wrappers.BoolValue{
+						Value: true,
+					},
 				},
 			},
 		},
@@ -158,7 +163,9 @@ func TestApplyTrafficPolicy(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run("", func(t *testing.T) {
 			parser.ApplyTrafficPolicy(nil, testCase.input, testCase.config)
-			if diff := cmp.Diff(testCase.expect, testCase.input, cmpopts.IgnoreUnexported(unexportedIgnoredTypes...)); diff != "" {
+			if diff := cmp.Diff(testCase.expect, testCase.input, protocmp.Transform(),
+				cmpopts.IgnoreUnexported(unexportedIgnoredTypes...),
+			); diff != "" {
 				t.Fatalf("TestApplyTrafficPolicy() mismatch (-want +got): \n%s", diff)
 			}
 		})