I understand envoy proxy can encrypt the traffic leaving the pod and decrypt the traffic coming into the pod. Also my understanding is the traffic from the envoy to my service (on the same pod) is not encrypted. If this is true, can a sidecar in the same pod intercept the traffic? Is this a security issue? If so, how can this be mitigated?
Afaik, Istio only encrypts the traffic between 2 envoy sidecars.
The traffic towards the local sidecar is captured by iptables rules, and then forwarded to the sidecar instead of its destination. So that part, Istio has no control over. Then the traffic from the Istio sidecar towards the service uses the service’s transport protocol (for example http). Istio can’t encrypt that, as there’s nothing on the other side to decrypt it (as it just left the sidecar). Unless of course, your workload uses an encrypted transport (https for example).
So it would be impossible to encrypt traffic between 2 services on a single pod, as there’s no two sidecars in between. It enters and exits from the same sidecar.
As for a way around that, I think there is none. If you can’t trust your pod’s local network, then you can’t use networking at all, as you would always have to use that network to get to your sidecar.
You’d have to use in-memory transports, like IPC or something.
To be clear, your service’s network chatter will never leave the pod, as in, it’s captured by iptables before it does.
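As an added illustration (not from this thread, and not Istio project code) of the "workload uses an encrypted transport" option above: the app container terminates TLS itself, the Service port is named with the `https-` prefix so the sidecar treats it as opaque TLS and passes it through, and a PeerAuthentication keeps the sidecar-to-sidecar hop in STRICT mTLS. Names (`apps`, `my-app`, `my-app-tls`, the image) are placeholders.

```yaml
# Placeholder names throughout; the app image is assumed to serve HTTPS on 8443.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: apps
spec:
  mtls:
    mode: STRICT          # sidecar-to-sidecar hops must use Istio mTLS
---
apiVersion: v1
kind: Service
metadata:
  name: my-app
  namespace: apps
spec:
  selector:
    app: my-app
  ports:
  - name: https-app       # "https-" prefix: Istio treats the port as TLS and
    port: 8443            # passes it through instead of terminating it
    targetPort: 8443
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: apps
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: app
        image: registry.example/my-app:1.0   # placeholder; terminates TLS itself
        ports:
        - containerPort: 8443
        volumeMounts:
        - name: tls
          mountPath: /etc/tls              # cert/key the app loads at startup
      volumes:
      - name: tls
        secret:
          secretName: my-app-tls           # placeholder kubernetes.io/tls Secret
```

This only protects the bytes on the pod's loopback and veth; a co-located container that can read the mounted Secret or the app's memory is still inside the same trust boundary, so the pod (not the sidecar) remains the unit of trust.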
Afaik, Istio only encrypts the traffic between 2 envoy sidecars
Not quite. It’s traffic between any two Envoy proxies, which includes ingress and egress gateway controller services (which are Envoy proxies) as well as Envoy proxies in sidecars.