Module 7 of 16

Service Mesh Security

Envoy, Istio, and Linkerd — transparent mTLS, identity propagation, and authorization policies

3.5 hours · 2 labs · Free

Start here

Learning objectives

  • Understand service mesh architecture and security capabilities
  • Deploy Istio with mTLS enforcement
  • Configure identity-aware authorization policies
  • Integrate SPIRE as the mesh identity provider
[Figure: Service mesh: transparent mTLS. Pod A and Pod B each run an app speaking plain HTTP beside an Envoy sidecar; each sidecar obtains its SVID from the local SPIRE Agent over the Workload API, and the two sidecars talk mTLS to each other. Caption: Apps talk HTTP. Envoy handles mTLS transparently.]

A service mesh adds a sidecar proxy (typically Envoy) to every pod. The proxy handles mTLS, load balancing, retries, and observability — transparently, without application code changes. For security, this means automatic encryption and authentication for all service-to-service traffic.

Service Mesh Security Capabilities

  • Automatic mTLS: All traffic encrypted and mutually authenticated without application changes
  • Identity propagation: SPIFFE IDs flow through the proxy chain for end-to-end verification
  • Authorization policies: Fine-grained rules based on service identity, method, path
  • Traffic policies: Rate limiting, circuit breaking, fault injection for resilience

Istio Security Model

Istio enforces mTLS via PeerAuthentication resources and authorization via AuthorizationPolicy resources. When combined with SPIRE as the identity provider, you get stronger workload attestation than Istio's default CA provides.

# Enforce strict mTLS on all services in production namespace
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: strict-mtls
  namespace: production
spec:
  mtls:
    mode: STRICT
---
# Only allow orders-api to access the database
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-orders-to-db
  namespace: production
spec:
  selector:
    matchLabels:
      app: database
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/production/sa/orders-api"]
      to:
        - operation:
            methods: ["GET", "POST"]
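As an added example (not part of this module and not Istio's own code), the following Python models how the sidecar decides a request under a PeerAuthentication mode and the ALLOW-type AuthorizationPolicy above, following Istio's documented semantics: STRICT rejects clients without a workload certificate before L7, a workload with at least one ALLOW policy only admits requests matching some rule, and a workload with no policy admits everything, which is how a PERMISSIVE mesh ends up accepting plaintext. The payments-api principal is an assumed name used only as a non-matching caller.

```python
# Added teaching model of Istio's PeerAuthentication + ALLOW AuthorizationPolicy
# decision flow. Not Istio's code; it encodes the documented semantics only.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Request:
    principal: Optional[str]  # SPIFFE principal from the client cert; None = plaintext
    method: str
    path: str = "/"


@dataclass
class AllowPolicy:
    rules: List[dict]  # each rule: {"principals": [...], "methods": [...]}


STRICT, PERMISSIVE = "STRICT", "PERMISSIVE"


def rule_matches(rule: dict, req: Request) -> bool:
    # Istio ANDs the from/to parts of one rule; the lists inside each part are ORed.
    principals = rule.get("principals")
    if principals is not None and req.principal not in principals:
        return False
    methods = rule.get("methods")
    if methods is not None and req.method not in methods:
        return False
    return True


def decide(mode: str, policies: List[AllowPolicy], req: Request) -> str:
    """Outcome for one request at the server sidecar: 'tls-rejected', '403' or '200'."""
    if mode == STRICT and req.principal is None:
        return "tls-rejected"  # no workload cert: connection never reaches L7
    if not policies:
        return "200"  # no ALLOW policy selects the workload: everything is allowed
    for pol in policies:  # at least one rule in one ALLOW policy must match
        if any(rule_matches(r, req) for r in pol.rules):
            return "200"
    return "403"


# The allow-orders-to-db policy from this module, expressed as rule data.
ORDERS_API = "cluster.local/ns/production/sa/orders-api"
PAYMENTS_API = "cluster.local/ns/production/sa/payments-api"  # assumed, non-matching caller
ALLOW_ORDERS_TO_DB = AllowPolicy(rules=[{"principals": [ORDERS_API], "methods": ["GET", "POST"]}])

if __name__ == "__main__":
    db = [ALLOW_ORDERS_TO_DB]
    print(decide(STRICT, db, Request(ORDERS_API, "GET")))      # 200
    print(decide(STRICT, db, Request(PAYMENTS_API, "GET")))    # 403: wrong identity
    print(decide(STRICT, db, Request(ORDERS_API, "DELETE")))   # 403: method not allowed
    print(decide(STRICT, db, Request(None, "GET")))            # tls-rejected: plaintext
    print(decide(PERMISSIVE, [], Request(None, "GET")))        # 200: plaintext fallback
```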

Real world

Where this shows up

  • Transparent mTLS for all east-west traffic
  • Identity-based authorization in Istio
  • Service mesh migration from permissive to strict mTLS
  • Envoy SDS integration with SPIRE

Common mistakes

What usually breaks

  • Enabling permissive mTLS instead of strict — allows plaintext fallback
  • Not testing AuthorizationPolicies before enforcing — blocks legitimate traffic
  • Running service mesh without understanding resource overhead (CPU, memory per sidecar)
  • Deploying mesh without SPIRE — default Istio CA uses weaker attestation

Key terms

Vocabulary used in this module

Service Mesh

Infrastructure layer of sidecar proxies handling L7 traffic between services

Envoy

High-performance proxy used as the sidecar in most service meshes

PeerAuthentication

Istio resource controlling mTLS mode (permissive/strict)

AuthorizationPolicy

Istio resource controlling which services can access which endpoints

Labs

Hands-on labs

35 min · Intermediate

Deploy Istio with Strict mTLS

Enable automatic encryption for all service traffic.

  1. Install Istio with default profile
  2. Enable sidecar injection
  3. Deploy sample application
  4. Enforce strict mTLS and verify encryption
30 min · Intermediate

Configure Identity-Based Authorization

Restrict service access based on SPIFFE identities.

  1. Create AuthorizationPolicy resources
  2. Allow only specific services to access database
  3. Test that unauthorized services are rejected (403)
  4. View access logs in Envoy

Recap

Key takeaways

  • Service meshes provide transparent mTLS — no application code changes
  • Envoy sidecars handle encryption, authentication, and authorization
  • Istio PeerAuthentication enforces mTLS, AuthorizationPolicy enforces access
  • SPIRE can replace Istio CA for stronger workload attestation
  • Service mesh + SPIFFE = the infrastructure layer of zero trust
