As per https://istio.io/docs/concepts/security/#mutual-tls-authentication, point #4 mentions that “After authorization, the server side Envoy forwards the traffic to the server service through local TCP connections.” In that case, though traffic b/w sidecars is mTLS, is the traffic/communication b/w sidecar and service in the same pod mTLS?
From what I remember it is not mTLS.
Communication between sidecars will be mTLS if you have configured it globally or configured it for the relevant services. Traffic between the sidecar and the application running in the same pod is currently unencrypted even if you enable mTLS.
The only scenario in which traffic between the sidecar and the application in the same pod is encrypted is when you use TLS passthrough routing mode.
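As an added illustration (not from this thread or the Istio docs), this is the configuration that enforces the sidecar-to-sidecar mTLS described above using Istio's PeerAuthentication resource; the `payments` namespace, the `app: payments-api` label and the port number are assumptions. The point worth keeping in mind when reading it: the policy governs only the hop between Envoy sidecars, so the loopback hop from a sidecar to the application container it fronts remains plaintext regardless of the mode chosen here.

```yaml
# Added example, not from the thread. A mesh-wide PeerAuthentication in the
# root namespace (istio-system) makes every sidecar reject non-mTLS inbound
# traffic from other workloads. It says nothing about the localhost hop
# between a sidecar and its own application container, which stays in the clear.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # root namespace, so this applies to the whole mesh
spec:
  mtls:
    mode: STRICT
---
# Optional per-workload override (namespace, label and port are assumptions):
# STRICT for the workload overall, but PERMISSIVE on one port that still
# receives traffic from legacy clients without sidecars.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: payments-api
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments-api
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: PERMISSIVE
```

After applying this with `kubectl apply -f`, `istioctl experimental describe pod <pod>` reports the effective mTLS mode for each port of a workload. That report covers the sidecar-to-sidecar hop only; a packet capture on the pod's own loopback interface will still show the forwarded request in plaintext, which is exactly the gap the question above is asking about.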
Thanks @nrjpoddar. Can you help me with a link which explains this? I am not able to find one.
It’s not explicitly mentioned in the docs as far as I can tell. This page describes the Istio security architecture, and TLS route configuration is described here if you are interested in exploring.
@AshishThakur - I currently do not know of an encrypted service-sidecar communication within Istio. However, I do agree that it is an interesting topic and I am thinking about potential solutions as well. Can you help me with defining your need and concern in more detail? Would be happy to set up some time and discuss if that makes sense.
@shaul_rozen @AshishThakur @nrjpoddar
Securing application to sidecar communication has come up in the past, about a year ago.
Community feedback on https://docs.google.com/document/d/1TTl8OszfnUEkBmz5AtcUCyYRTT7O6axiHZabHdH2950/edit?usp=sharing has been that the complexity outweighs the proposal’s benefits.
Would be happy to discuss any feedback and alternatives.