Istio identity management

How does Istio validate the service account of a service before providing the Envoy proxy an x.509 certificate? Where can I find more information related to Istiod service discovery and service naming mapping for a Kubernetes cluster?

The secure naming of Istio at Istio / Security includes information on the mapping of the server identities to the service names.

Thanks, I went through this documentation, but it does not state how the istio-agent knows about the service identity when initiating a CSR to Istiod (Citadel).

The SPIFFE identity in a CSR is built in BuildSubjectAltNameExtension() (istio/generate_csr.go at 8fc8e4b45996a50565cc883362e403116760d329, istio/istio on GitHub), based on options.Host (same file and commit). The options.Host is from the service account name in a service deployment.
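The identity-in-CSR step described in the last reply, as an added example using only the Go standard library (not code from Istio or from this thread). It assumes Istio's documented SPIFFE layout `spiffe://<trust domain>/ns/<namespace>/sa/<service account>`; the trust domain, namespace and service account names are constructed, and `checkCSR` is a hypothetical CA-side comparison, not Istiod's own logic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"net/url"
)

// spiffeID builds the workload identity URI from constructed sample inputs.
func spiffeID(trustDomain, namespace, serviceAccount string) *url.URL {
	return &url.URL{Scheme: "spiffe", Host: trustDomain,
		Path: "/ns/" + namespace + "/sa/" + serviceAccount}
}

// newCSR returns a DER-encoded CSR whose only identity is a URI SAN.
func newCSR(id *url.URL) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{URIs: []*url.URL{id}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// checkCSR (hypothetical) verifies the CSR self-signature and requires the
// single URI SAN to equal the identity the CA authenticated out of band.
func checkCSR(der []byte, authenticated string) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return err
	}
	if len(csr.URIs) != 1 || csr.URIs[0].String() != authenticated {
		return fmt.Errorf("CSR identity %v does not match caller %q", csr.URIs, authenticated)
	}
	return nil
}

func main() {
	id := spiffeID("cluster.local", "default", "bookinfo-productpage")
	der, err := newCSR(id)
	fmt.Println(id, err, checkCSR(der, id.String()))
}
```

A CSR is self-asserted, so the SAN it carries is only a request; the comparison against an independently authenticated caller identity is what keeps a workload from asking for another service account's certificate.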