Sidecar to Service communication


#1

As per https://istio.io/docs/concepts/security/#mutual-tls-authentication, #4 mentions that “After authorization, the server side Envoy forwards the traffic to the server service through local TCP connections.” In that case, though traffic b/w sidecars is mTLS, is the traffic/communication b/w sidecar and service in the same pod mTLS?


#2

From what I remember it is not mTLS.


#3

Communication between sidecars will be mTLS if you have configured it globally or configured it for the relevant services. Traffic between the sidecar and the application running in the same pod currently is unencrypted if you enable mTLS.

The only scenario in which traffic between the sidecar & application in the same pod is encrypted is when you use TLS passthrough routing mode.
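To make the two cases above concrete, here is an added configuration example (not from this thread or the Istio docs) assuming Istio 1.5+ APIs and a hypothetical app `payments` in namespace `shop` listening on its own TLS port 8443: a mesh-wide STRICT policy covers only the sidecar-to-sidecar hop, while a PASSTHROUGH gateway keeps the client's TLS intact all the way to the app container.

```yaml
# Case 1: mesh-wide mTLS between sidecars (root namespace => applies everywhere).
# The sidecar still hands the decrypted stream to the app over a local TCP
# connection on loopback; this policy does not encrypt that last hop.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT            # reject plaintext from peer sidecars (PERMISSIVE accepts both)
---
# Case 2: TLS passthrough. The ingress gateway routes on SNI without terminating
# TLS, so the bytes reaching the app container are still the client's TLS session
# and the app must terminate it with its own certificate.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: payments-passthrough    # hypothetical name
  namespace: shop
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    tls:
      mode: PASSTHROUGH
    hosts:
    - payments.example.com      # placeholder hostname
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: payments-passthrough
  namespace: shop
spec:
  hosts:
  - payments.example.com
  gateways:
  - payments-passthrough
  tls:
  - match:
    - port: 443
      sniHosts:
      - payments.example.com
    route:
    - destination:
        host: payments.shop.svc.cluster.local
        port:
          number: 8443          # the app's own TLS listener
```

With passthrough, the sidecar and gateway cannot inspect the stream, so HTTP-level routing, telemetry and authorization policies are unavailable on that path; the trade-off is end-to-end encryption into the container at the cost of certificate management inside the app.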


#4

Thanks @nrjpoddar. Can you help me with a link that explains this… I am not able to find one.


#5

It’s not explicitly mentioned in the docs as far as I can tell. This page describes the Istio security architecture, and TLS Route configuration is described here if you are interested in exploring.