L12. Service Mesh and mTLS with Istio
Video generating
Check back soon for the video lesson on Service Mesh and mTLS with Istio
A service mesh provides mutual TLS between all services, L7 traffic policies, and observability without changing application code. Learn how Istio implements zero-trust networking in Kubernetes.
Why a Service Mesh?
Network Policies operate at L3/L4 (IP addresses and ports). But modern applications need L7 controls: allow GET /health but block POST /admin. They also need encryption in transit, identity-based authorization, and observability.
A service mesh provides all of this by injecting a sidecar proxy (Envoy) into every pod.
How Istio Works
Istio consists of two parts:
- Data plane: Envoy sidecar proxies injected into every pod that intercept all network traffic
- Control plane: istiod, which configures the proxies with routing rules, security policies, and certificates
When you enable sidecar injection for a namespace, Istio automatically injects an Envoy proxy container into every new pod:
kubectl label namespace production istio-injection=enabledMutual TLS (mTLS)
mTLS means both the client and server present certificates and verify each other's identity. Istio automates this entirely:
- istiod acts as a Certificate Authority and issues short-lived certificates to every sidecar
- Sidecars automatically encrypt all pod-to-pod traffic
- Certificates are rotated automatically (default every 24 hours)
Enable strict mTLS for a namespace:
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
name: strict-mtls
namespace: production
spec:
mtls:
mode: STRICTIn STRICT mode, plaintext connections are rejected. PERMISSIVE mode allows both plaintext and mTLS (useful during migration).
Authorization Policies
Istio authorization policies provide L7 access control based on service identity:
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: api-policy
namespace: production
spec:
selector:
matchLabels:
app: api
rules:
<ul class="list-disc pl-6 mb-4 space-y-2">
<li class="text-slate-300">from:</li>
<li class="text-slate-300">source:</li>
</ul>
principals: ["cluster.local/ns/production/sa/web"]
to:
<ul class="list-disc pl-6 mb-4 space-y-2">
<li class="text-slate-300">operation:</li>
</ul>
methods: ["GET", "POST"]
paths: ["/api/v1/*"]This allows only the web service account to call GET and POST on /api/v1/* paths of the api service. The identity is cryptographically verified through mTLS certificates.
Ambient Mesh
Istio's Ambient mode (GA in Istio 1.24) eliminates sidecar proxies by using per-node ztunnel agents for L4 mTLS and optional waypoint proxies for L7 policies. This reduces resource overhead and operational complexity.
Alternatives
| Mesh | Key Feature |
|---|---|
| Istio | Most feature-rich, large community |
| Linkerd | Lightweight, Rust-based proxy, easier to operate |
| Cilium Service Mesh | eBPF-based, no sidecars needed, built into the CNI |
- ✓Service meshes provide L7 policies, mTLS encryption, and observability that Network Policies cannot
- ✓Istio uses Envoy sidecar proxies injected into every pod to intercept and secure all traffic
- ✓Strict mTLS mode rejects all plaintext connections: use Permissive mode during migration
- ✓Authorization policies use service identity (verified by mTLS certificates) for cryptographic access control
- ✓Ambient mesh (Istio 1.24+) eliminates sidecars using per-node ztunnel agents for lower overhead
1. What does STRICT mTLS mode in Istio do to plaintext connections?
2. How does Istio verify service identity in authorization policies?
3. What advantage does Cilium Service Mesh have over sidecar-based meshes?