My mental model has always been that a CNI focuses on Layers 3 and 4, so I was surprised to learn that the Cilium CNI supports Layer 7 (L7) policies. I decided to dig in to learn more about its L7 policy support and how it compares with Istio’s L7 policies. Below are the top four things I learned:

Cilium’s Layer 7 policy is simple to use with its own Envoy filter

Installing Cilium CNI is very straightforward, and I love the `cilium status` command! I installed the latest stable version, which is v1.12. I found it pretty easy to create Cilium’s L7 policy: I can simply add HTTP rules towards the end of my existing L4 CiliumNetworkPolicy resource:

```yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "service-account"
spec:
  endpointSelector:
    matchLabels:
      io.cilium.k8s.policy.serviceaccount: helloworld
  ingress:
  - fromEndpoints:
    - matchLabels:
        io.cilium.k8s.policy.serviceaccount: sleep
    toPorts:
    - ports:
      - port: "5000"
        protocol: TCP
      rules:
        http:
        - method: GET
          path: "/hello"
```

It worked nicely when I tested it in my local environment: my client pod (sleep) can no longer call the server pod (helloworld) on any path other than `/hello` on port `5000`.

```
kubectl exec -it $(k get po -lapp=sleep -ojsonpath='{.items[0].metadata.name}') -- curl helloworld:5000/hello
kubectl exec -it $(k get po -lapp=sleep -ojsonpath='{.items[0].metadata.name}') -- curl helloworld:5000/hello3

Hello version: v1, instance: helloworld-v1-cross-node-55446d46d8-d8qm5
Access denied
```

So, how does this work? Cilium is installed as a DaemonSet that runs on each Kubernetes worker node. Inside the Cilium pod there is an Envoy proxy that mediates any traffic into the pods (on the same node as the Cilium pod) that have L7 policies. In the example above, when the sleep pod calls the helloworld pod, the Envoy proxy inside the Cilium pod on the node where the helloworld pod runs intercepts the traffic and checks whether it can be allowed based on any L7 policy applied to the helloworld pod.

Digging into the Envoy configuration on the Cilium pod:

```shell
node=kind-worker
pod=$(kubectl -n kube-system get pods -l k8s-app=cilium -o json | jq -r ".items[] | select(.spec.nodeName==\"${node}\") | .metadata.name" | tail -1)
k exec -n kube-system -it $pod -- curl -s --unix-socket /var/run/cilium/envoy-admin.sock http://localhost/config_dump
```

You’ll find Cilium’s own extension (Cilium.L7Policy) to its Envoy proxy, inserted as an HTTP filter in the `cilium-HTTP-ingress:11055` listener, right before the router filter.

```json
"http_filters": [
            {
             "name": "cilium.l7policy",
             "typed_config": {
              "@type": "type.googleapis.com/cilium.L7Policy",
              "access_log_path": "/var/run/cilium/access_log.sock"
             }
            },
            {
             "name": "envoy.filters.http.router"
            }
           ],
```

In this case, the Envoy proxy uses xDS to obtain both its normal config and Cilium’s L7 policies from its xDS control plane. Cilium ships its own custom L7 Envoy filter in its Envoy distribution, which evaluates the policies and applies them to traffic to determine whether the traffic should be allowed or disallowed. The xDS response from the control plane contains the network policy for endpointId 69 (helloworld-v1-cross-node-55446d46d8-d8qm5), with an ingress policy that only allows GET requests on the `/hello` path for pod IP 10.244.2.232 (the helloworld-v1-cross-node-55446d46d8-d8qm5 pod).

```json
{
  "versionInfo": "23",
  "resources": [
…
{"@type":"type.googleapis.com/cilium.NetworkPolicy","conntrackMapName":"global","egressPerPortPolicies":[{}],"endpointId":"69","ingressPerPortPolicies":[{"port":5000,"rules":[{"httpRules":{"httpRules":[{"headers":[{"name":":method","safeRegexMatch":{"googleRe2":{},"regex":"GET"}},{"name":":path","safeRegexMatch":{"googleRe2":{},"regex":"/hello"}}]}]}}]}],"name":"10.244.2.232"}
  ],
  "typeUrl": "type.googleapis.com/cilium.NetworkPolicy",
  "nonce": "23"
}
```

Formatting it for an easy read, you can see it contains the HTTP rule from the L7 policy applied earlier:

```json
{
  "@type": "type.googleapis.com/cilium.NetworkPolicy",
  "conntrackMapName": "global",
  "egressPerPortPolicies": [
    {}
  ],
  "endpointId": "69",
  "ingressPerPortPolicies": [
    {
      "port": 5000,
      "rules": [
        {
          "httpRules": {
            "httpRules": [
              {
                "headers": [
                  {
                    "name": ":method",
                    "safeRegexMatch": {
                      "googleRe2": {},
                      "regex": "GET"
                    }
                  },
                  {
                    "name": ":path",
                    "safeRegexMatch": {
                      "googleRe2": {},
                      "regex": "/hello"
                    }
                  }
                ]
              }
            ]
          }
        }
      ]
    }
  ],
  "name": "10.244.2.232"
}
```
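To make the xDS policy above concrete, here is an added example (written for this post, not Cilium or Envoy code) that replays the decision the `cilium.l7policy` filter makes: it walks the `ingressPerPortPolicies` of the resource shown above and evaluates the `:method` and `:path` header matchers against a request. It assumes Envoy's `safeRegexMatch` semantics, where the regex must match the whole header value, which is why `/hello3` is denied even though it starts with `/hello`.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the cilium.NetworkPolicy xDS resource shown in the post
# for endpoint 69 (pod IP 10.244.2.232), trimmed to the fields used here.
NETWORK_POLICY = {
    "@type": "type.googleapis.com/cilium.NetworkPolicy",
    "endpointId": "69",
    "name": "10.244.2.232",
    "ingressPerPortPolicies": [
        {
            "port": 5000,
            "rules": [
                {
                    "httpRules": {
                        "httpRules": [
                            {
                                "headers": [
                                    {"name": ":method",
                                     "safeRegexMatch": {"googleRe2": {}, "regex": "GET"}},
                                    {"name": ":path",
                                     "safeRegexMatch": {"googleRe2": {}, "regex": "/hello"}},
                                ]
                            }
                        ]
                    }
                }
            ],
        }
    ],
}


def header_matches(matcher: dict, value: str) -> bool:
    """Evaluate one Envoy HeaderMatcher. Envoy's safe_regex requires the whole
    header value to match, so re.fullmatch is used rather than re.search."""
    if "safeRegexMatch" in matcher:
        return re.fullmatch(matcher["safeRegexMatch"]["regex"], value) is not None
    if "exactMatch" in matcher:
        return matcher["exactMatch"] == value
    # A matcher with only a name is a presence check.
    return True


def http_rule_matches(rule: dict, pseudo_headers: Dict[str, str]) -> bool:
    """All header matchers inside one HTTP rule must match (logical AND)."""
    for matcher in rule.get("headers", []):
        value = pseudo_headers.get(matcher["name"])
        if value is None or not header_matches(matcher, value):
            return False
    return True


def evaluate_ingress(policy: dict, port: int, method: str, path: str) -> str:
    """Decide what the L7 filter would do with an ingress request to this
    endpoint: 'allowed', 'denied', or 'no-l7-policy' when the port carries no
    L7 rule at all (only the eBPF L3/L4 policy applies there)."""
    pseudo_headers = {":method": method, ":path": path}
    for per_port in policy.get("ingressPerPortPolicies", []):
        if per_port.get("port") != port:
            continue
        for rule in per_port.get("rules", []):
            http_rules = rule.get("httpRules", {}).get("httpRules", [])
            if not http_rules:
                # An L4-only rule for this port leaves nothing for the L7 filter to check.
                return "allowed"
            # HTTP rules for one port are ORed: any matching rule allows the request.
            if any(http_rule_matches(r, pseudo_headers) for r in http_rules):
                return "allowed"
        return "denied"
    return "no-l7-policy"


def run_demo() -> List[Tuple[str, str]]:
    """Replay the two curl calls from the post plus two edge cases."""
    cases = [
        (5000, "GET", "/hello"),    # the allowed request from the post
        (5000, "GET", "/hello3"),   # the denied request from the post
        (5000, "POST", "/hello"),   # right path, wrong method
        (8080, "GET", "/hello"),    # port with no L7 rule
    ]
    return [(f"{m} {p} on {port}", evaluate_ingress(NETWORK_POLICY, port, m, p))
            for port, m, p in cases]


if __name__ == "__main__":
    for desc, verdict in run_demo():
        print(f"{desc:22} -> {verdict}")
```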

Display the endpoint ID 69 details:

```
kubectl get ciliumendpoint
NAME                                        ENDPOINT ID   IDENTITY ID   INGRESS ENFORCEMENT   EGRESS ENFORCEMENT   VISIBILITY POLICY   ENDPOINT STATE   IPV4           IPV6
helloworld-v1-cross-node-55446d46d8-d8qm5   69            32225                                                                        ready            10.244.2.232
```

```
kubectl get ciliumendpoint helloworld-v1-cross-node-55446d46d8-d8qm5 -o yaml
apiVersion: cilium.io/v2
kind: CiliumEndpoint
metadata:
  creationTimestamp: "2022-07-20T15:11:43Z"
  generation: 1
  labels:
    app: helloworld
    pod-template-hash: 55446d46d8
    version: v1
  name: helloworld-v1-cross-node-55446d46d8-d8qm5
  namespace: default
  ownerReferences:
  - apiVersion: v1
    kind: Pod
    name: helloworld-v1-cross-node-55446d46d8-d8qm5
    uid: 684420c7-db2b-4a6e-ab5d-7fe0917fadbc
  resourceVersion: "65306"
  uid: 09caf26b-403c-4e8d-9427-77d2d0cb58e6
status:
  encryption: {}
  external-identifiers:
    container-id: dce3321c28b6a67b6509cccc49d64e241ae928ea96790be574cc963d209af605
    k8s-namespace: default
    k8s-pod-name: helloworld-v1-cross-node-55446d46d8-d8qm5
    pod-name: default/helloworld-v1-cross-node-55446d46d8-d8qm5
  id: 69
  identity:
    id: 32225
    labels:
    - k8s:app=helloworld
    - k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default
    - k8s:io.cilium.k8s.policy.cluster=default
    - k8s:io.cilium.k8s.policy.serviceaccount=helloworld
    - k8s:io.kubernetes.pod.namespace=default
    - k8s:version=v1
  networking:
    addressing:
    - ipv4: 10.244.2.232
    node: 172.18.0.3
  state: ready
```

The above approach using the Cilium.L7Policy filter for L7 access control is quite different from how Istio enforces L7 policy. For example, Istio uses RBAC filters from Envoy upstream to authorize actions by identified clients.

Cilium vs Istio: How are identities generated?

Given that Cilium supports L7 policies, if I am already using Cilium as a CNI for L3/L4 policies, can I use Cilium’s L7 policies to achieve a zero trust network? An identity is a claim, and it is critical to be able to prove that the source and target pods actually have the identity they claim. Let us dive into how identity is derived by comparing Cilium and Istio.

From the generated CiliumEndpoint custom resource for my helloworld-v1-cross-node pod, the identity of the pod is 32225. Use the command below to display the identity 32225 details:

```
kubectl get ciliumidentity 32225 -o yaml
apiVersion: cilium.io/v2
kind: CiliumIdentity
metadata:
  creationTimestamp: "2022-07-20T21:19:37Z"
  generation: 1
  labels:
    app: helloworld
    io.cilium.k8s.policy.cluster: default
    io.cilium.k8s.policy.serviceaccount: helloworld
    io.kubernetes.pod.namespace: default
    version: v1
  name: "32225"
  resourceVersion: "4130"
  uid: b942b33c-741f-48a8-b294-e0028501043c
security-labels:
  k8s:app: helloworld
  k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name: default
  k8s:io.cilium.k8s.policy.cluster: default
  k8s:io.cilium.k8s.policy.serviceaccount: helloworld
  k8s:io.kubernetes.pod.namespace: default
  k8s:version: v1
```

By default in Cilium, without IPsec or WireGuard, the Kubernetes pods' information is stored in an eBPF map, and L3/L4 policy enforcement is executed in eBPF. The map correlates pod IPs to their identities, which are essentially integers (as seen above) generated from pod labels and pod properties such as the namespace. When Cilium receives an incoming connection, it looks up the source pod IP in the eBPF map to find the corresponding identity, then uses that identity to check whether the connection is allowed by the relevant network policies. The source of identity is not a cryptographic primitive: it is a network identity, i.e. the IP of the pod, which is subject to eventual consistency and offers weaker guarantees. If you are concerned about someone in the cluster spoofing your pod IP addresses, or your pods go up and down a lot so that pod IP addresses are reused (which is typical in Kubernetes), you may be wary of an identity derived from the network.

Let us walk through how Istio creates a service identity for pods in the Istio service mesh. A service account token is provisioned by Kubernetes and mounted into the pod; the Istio agent then exchanges that service account token for a client certificate by sending a Certificate Signing Request (CSR) to the Istio CA (or an external CA).

When a client connects to a server, the client asks the server to present its certificates, and the server in turn asks for the client's certificate, for example:

kubectl exec -it $(k get po -lapp=sleep -ojsonpath='{.items[0].metadata.name}') -c istio-proxy -- openssl s_client -connect helloworld:5000 -showcerts
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 O = cluster.local
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 O = cluster.local
verify return:1
depth=0
verify return:1
---
Certificate chain
 0 s:
   i:O = cluster.local
-----BEGIN CERTIFICATE-----
MIIDQzCCAiugAwIBAgIQPox+VZtC7n3i+B9PhHsqnzANBgkqhkiG9w0BAQsFADAY
MRYwFAYDVQQKEw1jbHVzdGVyLmxvY2FsMB4XDTIyMDcxNDE5MTMzMVoXDTIyMDcx
NTE5MTUzMVowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJTTlVl7
rtZOvyy6CVoiK1lxu9vDI19a5jT6AMMwx5SHsgWLzM/PI7nbt8d3F75kMzYlk3Wi
to0El0HD/LGkwZmjf5dmzmySZYS2FUVa+BxgSA6n6bj6wubAQotJYi6rBIML+2zr
DPi/7Z9HdiUphOeLCfkxE9IlStR3/6+LfpOL51jH+Ibnz5nR7fOkA1iyg+6YA3eh
l1oesFosltHaUawPn4qKgZiyN3Lrjw3UgcJ+xGgL8GSZWV09ffcRJzquazRPPy3G
LDo6isXaqNtlJoQa/W3aiuGnNmeUP4G3aPJGz8adWjC2GPxQYh3vlRAbADf3W1mR
CqB6bu7S1DFJj20CAwEAAaOBoDCBnTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw
FAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU
TE+MDVW7GkIT/RaO8b4xmAPXCpwwPQYDVR0RAQH/BDMwMYYvc3BpZmZlOi8vY2x1
c3Rlci5sb2NhbC9ucy9kZWZhdWx0L3NhL2hlbGxvd29ybGQwDQYJKoZIhvcNAQEL
BQADggEBAFlUuLMjtEKUB/VbyBSPJPfLwLmVEDb/lOVrM3Ny4kN2dxXFn3xmb71c
WGwlzX6dk6cF663ClXnxEpySG2qoRRDV4flF4poRgMczrhtv6BE+60bfod0rvRxT
yiiQRSb8oT5xGoAWx6O6vJELdHLhdFXMxW1OrfHyFisZlysxavPTwG9+0ifmS+yJ
HHgl1etQZ16xuWTbpSxwuqbFBg4et7qSFi7y/onJxNps1PYOpsOh1k6DWPX+r+/C
nCNLd/3mONR5yHegHYXtHA3FFJyOo7wEJSOFT+qd7JpniWSGh2smSHmITEjM3bnC
9TD+Q2tAf0cMQfHcauSs8ixxeMGdmvE=
-----END CERTIFICATE-----
 1 s:O = cluster.local
   i:O = cluster.local
-----BEGIN CERTIFICATE-----
MIIC/TCCAeWgAwIBAgIRAJhHLsuxTx3IFWtB8GpXH2MwDQYJKoZIhvcNAQELBQAw
GDEWMBQGA1UEChMNY2x1c3Rlci5sb2NhbDAeFw0yMjA3MTQxODQxNTJaFw0zMjA3
MTExODQxNTJaMBgxFjAUBgNVBAoTDWNsdXN0ZXIubG9jYWwwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCwvjRMrYcQM0yDisCissbwsr/U72NFMWeMwM5Y
l4UuGvwqopbihcX9dujchga/FXZVlZxcSbj0VHK/QziklA7cSsffalS9tr7ZZxBv
uBcyN6Uyw/w0UI7g+lpLfL5FehnXpDXzVGZzJAqOcOLHOCE7K7z+uLyIbpZlT88J
ROI6ealK0uair9yk3Y38WfPIUl3KXGioBzNub/OAFjLqjEheNJbVPvyxtWXK3fIp
tK/g2MGqO/QvlgnuiW2ZTrY5zSX/xDs+LWY02KzJq0PKy+0j76K8rIbeo6hJVsVZ
sAxic8/Y5brRwkAzE5uxd/L5IEMB9PD1NcX9CoAFyVsh6PH5AgMBAAGjQjBAMA4G
A1UdDwEB/wQEAwICBDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRMT4wNVbsa
QhP9Fo7xvjGYA9cKnDANBgkqhkiG9w0BAQsFAAOCAQEAf1JofCaG/S0v1l/0RlqK
3qXbm68QFJTv1blZ98f8LWRfcgTw7kxR0LLNq9L0TCeRhmfQJXqxsz8v4bqFdWqH
fTdIHJLe3uABpu00L23JV9P/Xtz1edQ+m/gS047P7D6zaiV1R5oyyTVgm1hrWWYX
G4TPEBqyqQ53DpeIH9fvRj0sfqULkN7ZuF9Gmoc995+Qc15qbiIjBOXSI0jaO0X+
ESHRRiVvZBuq5ePObHReAY0wcdfmXhIDRi4P0kmq3CkcLcItDRgHL/605ltl8rTE
AZ3J6CczzDtt/CDMhiVNqMg8MIdU8PwYj0s3sPHjKQBeZ5WPnnDYiTYprq5kez2G
bg==
-----END CERTIFICATE-----
---
Server certificate
subject=

issuer=O = cluster.local

---
Acceptable client certificate CA names
O = cluster.local
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2168 bytes and written 393 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---
140555461989696:error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:../ssl/record/rec_layer_s3.c:1543:SSL alert number 116
command terminated with exit code 1
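The issuance and verification steps described above, as an added example in Go that is not part of the original post and does not use Istio's own CA code: a constructed mesh CA (subject O = cluster.local, as in the chain) issues a 24-hour workload certificate whose only identity is the service account encoded as a SPIFFE URI SAN, and the receiving side verifies a presented client certificate against the mesh root and derives the principal from that SAN. The ECDSA key type, the one-minute backdate and the helper names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// MeshCA is a constructed stand-in for the Istio CA (or an external CA); its subject is O = cluster.local.
type MeshCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewMeshCA creates the self-signed mesh root (the "1 s:O = cluster.local" entry in the chain above).
func NewMeshCA(org string) (*MeshCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &MeshCA{Cert: cert, Key: key}, err
}

// IssueWorkloadCert models the CA side of the CSR exchange: the agent has proven the pod's
// service account with its Kubernetes token, so the CA binds that account into a SPIFFE URI
// SAN and signs a short-lived cert. The subject stays empty, as in the inspected cert above.
func (ca *MeshCA) IssueWorkloadCert(ns, sa string, ttl time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // 128-bit, like the serial above
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		NotBefore:    now.Add(-time.Minute), // small backdate to tolerate clock skew (assumption)
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{{Scheme: "spiffe", Host: "cluster.local", Path: "/ns/" + ns + "/sa/" + sa}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PeerPrincipal is what the receiving sidecar does with the client cert it demanded: verify the
// chain to the mesh root (no hostname involved, identity is the URI SAN), check validity at now,
// and turn the SPIFFE ID into the "cluster.local/ns/<ns>/sa/<sa>" principal an AuthorizationPolicy matches on.
func PeerPrincipal(root, peer *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := peer.Verify(opts); err != nil {
		return "", fmt.Errorf("client certificate rejected: %w", err)
	}
	if len(peer.URIs) != 1 || peer.URIs[0].Scheme != "spiffe" {
		return "", errors.New("client certificate carries no SPIFFE ID")
	}
	return strings.TrimPrefix(peer.URIs[0].String(), "spiffe://"), nil
}

func main() {
	ca, _ := NewMeshCA("cluster.local")
	sleep, _ := ca.IssueWorkloadCert("default", "sleep", 24*time.Hour) // 24h lifetime, as in the Validity block above
	fmt.Println(PeerPrincipal(ca.Cert, sleep, time.Now()))             // cluster.local/ns/default/sa/sleep <nil>
	fmt.Println(PeerPrincipal(ca.Cert, sleep, time.Now().Add(25*time.Hour))) // rejected: expired, the identity rotates instead
	other, _ := NewMeshCA("cluster.local") // a root the mesh does not trust
	foreign, _ := other.IssueWorkloadCert("default", "sleep", 24*time.Hour)
	fmt.Println(PeerPrincipal(ca.Cert, foreign, time.Now())) // rejected: unknown authority, whatever IP it arrives from
}
```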

If you step through the first certificate, you can see that the client x509 certificate contains the issuer, the SAN carrying the SPIFFE ID, and the validity period (it expires in 24 hours!):

echo "-----BEGIN CERTIFICATE-----
MIIDQzCCAiugAwIBAgIQPox+VZtC7n3i+B9PhHsqnzANBgkqhkiG9w0BAQsFADAY
MRYwFAYDVQQKEw1jbHVzdGVyLmxvY2FsMB4XDTIyMDcxNDE5MTMzMVoXDTIyMDcx
NTE5MTUzMVowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJTTlVl7
rtZOvyy6CVoiK1lxu9vDI19a5jT6AMMwx5SHsgWLzM/PI7nbt8d3F75kMzYlk3Wi
to0El0HD/LGkwZmjf5dmzmySZYS2FUVa+BxgSA6n6bj6wubAQotJYi6rBIML+2zr
DPi/7Z9HdiUphOeLCfkxE9IlStR3/6+LfpOL51jH+Ibnz5nR7fOkA1iyg+6YA3eh
l1oesFosltHaUawPn4qKgZiyN3Lrjw3UgcJ+xGgL8GSZWV09ffcRJzquazRPPy3G
LDo6isXaqNtlJoQa/W3aiuGnNmeUP4G3aPJGz8adWjC2GPxQYh3vlRAbADf3W1mR
CqB6bu7S1DFJj20CAwEAAaOBoDCBnTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw
FAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU
TE+MDVW7GkIT/RaO8b4xmAPXCpwwPQYDVR0RAQH/BDMwMYYvc3BpZmZlOi8vY2x1
c3Rlci5sb2NhbC9ucy9kZWZhdWx0L3NhL2hlbGxvd29ybGQwDQYJKoZIhvcNAQEL
BQADggEBAFlUuLMjtEKUB/VbyBSPJPfLwLmVEDb/lOVrM3Ny4kN2dxXFn3xmb71c
WGwlzX6dk6cF663ClXnxEpySG2qoRRDV4flF4poRgMczrhtv6BE+60bfod0rvRxT
yiiQRSb8oT5xGoAWx6O6vJELdHLhdFXMxW1OrfHyFisZlysxavPTwG9+0ifmS+yJ
HHgl1etQZ16xuWTbpSxwuqbFBg4et7qSFi7y/onJxNps1PYOpsOh1k6DWPX+r+/C
nCNLd/3mONR5yHegHYXtHA3FFJyOo7wEJSOFT+qd7JpniWSGh2smSHmITEjM3bnC
9TD+Q2tAf0cMQfHcauSs8ixxeMGdmvE=
-----END CERTIFICATE-----" | step certificate inspect -
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 83141619664914625682796259868677974687 (0x3e8c7e559b42ee7de2f81f4f847b2a9f)
        Signature Algorithm: SHA256-RSA
        Issuer: O=cluster.local
        Validity
            Not Before: Jul 14 19:13:31 2022 UTC
            Not After : Jul 15 19:15:31 2022 UTC
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: RSA
                Public-Key: (2048 bit)
                Modulus:
                    94:d3:95:59:7b:ae:d6:4e:bf:2c:ba:09:5a:22:2b:
                    59:71:bb:db:c3:23:5f:5a:e6:34:fa:00:c3:30:c7:
                    94:87:b2:05:8b:cc:cf:cf:23:b9:db:b7:c7:77:17:
                    be:64:33:36:25:93:75:a2:b6:8d:04:97:41:c3:fc:
                    b1:a4:c1:99:a3:7f:97:66:ce:6c:92:65:84:b6:15:
                    45:5a:f8:1c:60:48:0e:a7:e9:b8:fa:c2:e6:c0:42:
                    8b:49:62:2e:ab:04:83:0b:fb:6c:eb:0c:f8:bf:ed:
                    9f:47:76:25:29:84:e7:8b:09:f9:31:13:d2:25:4a:
                    d4:77:ff:af:8b:7e:93:8b:e7:58:c7:f8:86:e7:cf:
                    99:d1:ed:f3:a4:03:58:b2:83:ee:98:03:77:a1:97:
                    5a:1e:b0:5a:2c:96:d1:da:51:ac:0f:9f:8a:8a:81:
                    98:b2:37:72:eb:8f:0d:d4:81:c2:7e:c4:68:0b:f0:
                    64:99:59:5d:3d:7d:f7:11:27:3a:ae:6b:34:4f:3f:
                	2d<span class="token operator">:</span>c6<span class="token operator">:</span>2c<span class="token operator">:</span>3a<span class="token operator">:</span>3a<span class="token operator">:</span>8a<span class="token operator">:</span>c5<span class="token operator">:</span>da<span class="token operator">:</span>a8<span class="token operator">:</span>db<span class="token operator">:</span><span class="token number">65</span><span class="token operator">:</span><span class="token number">26</span><span class="token operator">:</span><span class="token number">84</span><span class="token operator">:</span>1a<span class="token operator">:</span>fd<span class="token operator">:</span>
                	6d<span class="token operator">:</span>da<span class="token operator">:</span>8a<span class="token operator">:</span>e1<span class="token operator">:</span>a7<span class="token operator">:</span><span class="token number">36</span><span class="token operator">:</span><span class="token number">67</span><span class="token operator">:</span><span class="token number">94</span><span class="token operator">:</span>3f<span class="token operator">:</span><span class="token number">81</span><span class="token operator">:</span>b7<span class="token operator">:</span><span class="token number">68</span><span class="token operator">:</span>f2<span class="token operator">:</span><span class="token number">46</span><span class="token operator">:</span>cf<span class="token operator">:</span>
                	<span class="token literal-property property">c6</span><span class="token operator">:</span>9d<span class="token operator">:</span>5a<span class="token operator">:</span><span class="token number">30</span><span class="token operator">:</span>b6<span class="token operator">:</span><span class="token number">18</span><span class="token operator">:</span>fc<span class="token operator">:</span><span class="token number">50</span><span class="token operator">:</span><span class="token number">62</span><span class="token operator">:</span>1d<span class="token operator">:</span>ef<span class="token operator">:</span><span class="token number">95</span><span class="token operator">:</span><span class="token number">10</span><span class="token operator">:</span>1b<span class="token operator">:</span><span class="token number">00</span><span class="token operator">:</span>
                	<span class="token number">37</span><span class="token operator">:</span>f7<span class="token operator">:</span>5b<span class="token operator">:</span><span class="token number">59</span><span class="token operator">:</span><span class="token number">91</span><span class="token operator">:</span>0a<span class="token operator">:</span>a0<span class="token operator">:</span>7a<span class="token operator">:</span>6e<span class="token operator">:</span>ee<span class="token operator">:</span>d2<span class="token operator">:</span>d4<span class="token operator">:</span><span class="token number">31</span><span class="token operator">:</span><span class="token number">49</span><span class="token operator">:</span>8f<span class="token operator">:</span>
                	6d
            	<span class="token literal-property property">Exponent</span><span class="token operator">:</span> <span class="token number">65537</span> <span class="token punctuation">(</span><span class="token number">0x10001</span><span class="token punctuation">)</span>
    	X509v3 extensions<span class="token operator">:</span>
        	X509v3 Key Usage<span class="token operator">:</span> critical
            	Digital Signature<span class="token punctuation">,</span> Key Encipherment
        	X509v3 Extended Key Usage<span class="token operator">:</span>
            	Server Authentication<span class="token punctuation">,</span> Client Authentication
        	X509v3 Basic Constraints<span class="token operator">:</span> critical
            	<span class="token constant">CA</span><span class="token operator">:</span><span class="token constant">FALSE</span>
        	X509v3 Authority Key Identifier<span class="token operator">:</span>
            	<span class="token literal-property property">keyid</span><span class="token operator">:</span>4C<span class="token operator">:</span>4F<span class="token operator">:</span>8C<span class="token operator">:</span>0D<span class="token operator">:</span><span class="token number">55</span><span class="token operator">:</span><span class="token constant">BB</span><span class="token operator">:</span>1A<span class="token operator">:</span><span class="token number">42</span><span class="token operator">:</span><span class="token number">13</span><span class="token operator">:</span><span class="token constant">FD</span><span class="token operator">:</span><span class="token number">16</span><span class="token operator">:</span>8E<span class="token operator">:</span><span class="token constant">F1</span><span class="token operator">:</span><span class="token constant">BE</span><span class="token operator">:</span><span class="token number">31</span><span class="token operator">:</span><span class="token number">98</span><span class="token operator">:</span><span class="token number">03</span><span class="token operator">:</span><span class="token constant">D7</span><span class="token operator">:</span>0A<span class="token operator">:</span>9C
        	X509v3 Subject Alternative Name<span class="token operator">:</span> critical
            	<span class="token constant">URI</span><span class="token operator">:</span>spiffe<span class="token operator">:</span><span class="token operator">/</span><span class="token operator">/</span>cluster<span class="token punctuation">.</span>local<span class="token operator">/</span>ns<span class="token operator">/</span><span class="token keyword">default</span><span class="token operator">/</span>sa<span class="token operator">/</span>helloworld
	Signature Algorithm<span class="token operator">:</span> <span class="token constant">SHA256</span><span class="token operator">-</span><span class="token constant">RSA</span>
     	<span class="token number">59</span><span class="token operator">:</span><span class="token number">54</span><span class="token operator">:</span>b8<span class="token operator">:</span>b3<span class="token operator">:</span><span class="token number">23</span><span class="token operator">:</span>b4<span class="token operator">:</span><span class="token number">42</span><span class="token operator">:</span><span class="token number">94</span><span class="token operator">:</span><span class="token number">07</span><span class="token operator">:</span>f5<span class="token operator">:</span>5b<span class="token operator">:</span>c8<span class="token operator">:</span><span class="token number">14</span><span class="token operator">:</span>8f<span class="token operator">:</span><span class="token number">24</span><span class="token operator">:</span>f7<span class="token operator">:</span>cb<span class="token operator">:</span>c0<span class="token operator">:</span>
     	<span class="token literal-property property">b9</span><span class="token operator">:</span><span class="token number">95</span><span class="token operator">:</span><span class="token number">10</span><span class="token operator">:</span><span class="token number">36</span><span class="token operator">:</span>ff<span class="token operator">:</span><span class="token number">94</span><span class="token operator">:</span>e5<span class="token operator">:</span>6b<span class="token operator">:</span><span class="token number">33</span><span class="token operator">:</span><span class="token number">73</span><span class="token operator">:</span><span class="token number">72</span><span class="token operator">:</span>e2<span class="token operator">:</span><span class="token number">43</span><span class="token operator">:</span><span class="token number">76</span><span class="token operator">:</span><span class="token number">77</span><span class="token operator">:</span><span class="token number">15</span><span class="token operator">:</span>c5<span class="token operator">:</span>9f<span class="token operator">:</span>
     	7c<span class="token operator">:</span><span class="token number">66</span><span class="token operator">:</span>6f<span class="token operator">:</span>bd<span class="token operator">:</span>5c<span class="token operator">:</span><span class="token number">58</span><span class="token operator">:</span>6c<span class="token operator">:</span><span class="token number">25</span><span class="token operator">:</span>cd<span class="token operator">:</span>7e<span class="token operator">:</span>9d<span class="token operator">:</span><span class="token number">93</span><span class="token operator">:</span>a7<span class="token operator">:</span><span class="token number">05</span><span class="token operator">:</span>eb<span class="token operator">:</span>ad<span class="token operator">:</span>c2<span class="token operator">:</span><span class="token number">95</span><span class="token operator">:</span>
     	<span class="token number">79</span><span class="token operator">:</span>f1<span class="token operator">:</span><span class="token number">12</span><span class="token operator">:</span>9c<span class="token operator">:</span><span class="token number">92</span><span class="token operator">:</span>1b<span class="token operator">:</span>6a<span class="token operator">:</span>a8<span class="token operator">:</span><span class="token number">45</span><span class="token operator">:</span><span class="token number">10</span><span class="token operator">:</span>d5<span class="token operator">:</span>e1<span class="token operator">:</span>f9<span class="token operator">:</span><span class="token number">45</span><span class="token operator">:</span>e2<span class="token operator">:</span>9a<span class="token operator">:</span><span class="token number">11</span><span class="token operator">:</span><span class="token number">80</span><span class="token operator">:</span>
     	<span class="token literal-property property">c7</span><span class="token operator">:</span><span class="token number">33</span><span class="token operator">:</span>ae<span class="token operator">:</span>1b<span class="token operator">:</span>6f<span class="token operator">:</span>e8<span class="token operator">:</span><span class="token number">11</span><span class="token operator">:</span>3e<span class="token operator">:</span>eb<span class="token operator">:</span><span class="token number">46</span><span class="token operator">:</span>df<span class="token operator">:</span>a1<span class="token operator">:</span>dd<span class="token operator">:</span>2b<span class="token operator">:</span>bd<span class="token operator">:</span>1c<span class="token operator">:</span><span class="token number">53</span><span class="token operator">:</span>ca<span class="token operator">:</span>
     	<span class="token number">28</span><span class="token operator">:</span><span class="token number">90</span><span class="token operator">:</span><span class="token number">45</span><span class="token operator">:</span><span class="token number">26</span><span class="token operator">:</span>fc<span class="token operator">:</span>a1<span class="token operator">:</span>3e<span class="token operator">:</span><span class="token number">71</span><span class="token operator">:</span>1a<span class="token operator">:</span><span class="token number">80</span><span class="token operator">:</span><span class="token number">16</span><span class="token operator">:</span>c7<span class="token operator">:</span>a3<span class="token operator">:</span>ba<span class="token operator">:</span>bc<span class="token operator">:</span><span class="token number">91</span><span class="token operator">:</span>0b<span class="token operator">:</span><span class="token number">74</span><span class="token operator">:</span>
     	<span class="token number">72</span><span class="token operator">:</span>e1<span class="token operator">:</span><span class="token number">74</span><span class="token operator">:</span><span class="token number">55</span><span class="token operator">:</span>cc<span class="token operator">:</span>c5<span class="token operator">:</span>6d<span class="token operator">:</span>4e<span class="token operator">:</span>ad<span class="token operator">:</span>f1<span class="token operator">:</span>f2<span class="token operator">:</span><span class="token number">16</span><span class="token operator">:</span>2b<span class="token operator">:</span><span class="token number">19</span><span class="token operator">:</span><span class="token number">97</span><span class="token operator">:</span>2b<span class="token operator">:</span><span class="token number">31</span><span class="token operator">:</span>6a<span class="token operator">:</span>
     	<span class="token literal-property property">f3</span><span class="token operator">:</span>d3<span class="token operator">:</span>c0<span class="token operator">:</span>6f<span class="token operator">:</span>7e<span class="token operator">:</span>d2<span class="token operator">:</span><span class="token number">27</span><span class="token operator">:</span>e6<span class="token operator">:</span>4b<span class="token operator">:</span>ec<span class="token operator">:</span><span class="token number">89</span><span class="token operator">:</span>1c<span class="token operator">:</span><span class="token number">78</span><span class="token operator">:</span><span class="token number">25</span><span class="token operator">:</span>d5<span class="token operator">:</span>eb<span class="token operator">:</span><span class="token number">50</span><span class="token operator">:</span><span class="token number">67</span><span class="token operator">:</span>
     	5e<span class="token operator">:</span>b1<span class="token operator">:</span>b9<span class="token operator">:</span><span class="token number">64</span><span class="token operator">:</span>db<span class="token operator">:</span>a5<span class="token operator">:</span>2c<span class="token operator">:</span><span class="token number">70</span><span class="token operator">:</span>ba<span class="token operator">:</span>a6<span class="token operator">:</span>c5<span class="token operator">:</span><span class="token number">06</span><span class="token operator">:</span>0e<span class="token operator">:</span>1e<span class="token operator">:</span>b7<span class="token operator">:</span>ba<span class="token operator">:</span><span class="token number">92</span><span class="token operator">:</span><span class="token number">16</span><span class="token operator">:</span>
     	2e<span class="token operator">:</span>f2<span class="token operator">:</span>fe<span class="token operator">:</span><span class="token number">89</span><span class="token operator">:</span>c9<span class="token operator">:</span>c4<span class="token operator">:</span>da<span class="token operator">:</span>6c<span class="token operator">:</span>d4<span class="token operator">:</span>f6<span class="token operator">:</span>0e<span class="token operator">:</span>a6<span class="token operator">:</span>c3<span class="token operator">:</span>a1<span class="token operator">:</span>d6<span class="token operator">:</span>4e<span class="token operator">:</span><span class="token number">83</span><span class="token operator">:</span><span class="token number">58</span><span class="token operator">:</span>
     	<span class="token literal-property property">f5</span><span class="token operator">:</span>fe<span class="token operator">:</span>af<span class="token operator">:</span>ef<span class="token operator">:</span>c2<span class="token operator">:</span>9c<span class="token operator">:</span><span class="token number">23</span><span class="token operator">:</span>4b<span class="token operator">:</span><span class="token number">77</span><span class="token operator">:</span>fd<span class="token operator">:</span>e6<span class="token operator">:</span><span class="token number">38</span><span class="token operator">:</span>d4<span class="token operator">:</span><span class="token number">79</span><span class="token operator">:</span>c8<span class="token operator">:</span><span class="token number">77</span><span class="token operator">:</span>a0<span class="token operator">:</span>1d<span class="token operator">:</span>
     	<span class="token number">85</span><span class="token operator">:</span>ed<span class="token operator">:</span>1c<span class="token operator">:</span>0d<span class="token operator">:</span>c5<span class="token operator">:</span><span class="token number">14</span><span class="token operator">:</span>9c<span class="token operator">:</span>8e<span class="token operator">:</span>a3<span class="token operator">:</span>bc<span class="token operator">:</span><span class="token number">04</span><span class="token operator">:</span><span class="token number">25</span><span class="token operator">:</span><span class="token number">23</span><span class="token operator">:</span><span class="token number">85</span><span class="token operator">:</span>4f<span class="token operator">:</span>ea<span class="token operator">:</span>9d<span class="token operator">:</span>ec<span class="token operator">:</span>
     	9a<span class="token operator">:</span><span class="token number">67</span><span class="token operator">:</span><span class="token number">89</span><span class="token operator">:</span><span class="token number">64</span><span class="token operator">:</span><span class="token number">86</span><span class="token operator">:</span><span class="token number">87</span><span class="token operator">:</span>6b<span class="token operator">:</span><span class="token number">26</span><span class="token operator">:</span><span class="token number">48</span><span class="token operator">:</span><span class="token number">79</span><span class="token operator">:</span><span class="token number">88</span><span class="token operator">:</span>4c<span class="token operator">:</span><span class="token number">48</span><span class="token operator">:</span>cc<span class="token operator">:</span>dd<span class="token operator">:</span>b9<span class="token operator">:</span>c2<span class="token operator">:</span>f5<span class="token operator">:</span>
     	<span class="token number">30</span><span class="token operator">:</span>fe<span class="token operator">:</span><span class="token number">43</span><span class="token operator">:</span>6b<span class="token operator">:</span><span class="token number">40</span><span class="token operator">:</span>7f<span class="token operator">:</span><span class="token number">47</span><span class="token operator">:</span>0c<span class="token operator">:</span><span class="token number">41</span><span class="token operator">:</span>f1<span class="token operator">:</span>dc<span class="token operator">:</span>6a<span class="token operator">:</span>e4<span class="token operator">:</span>ac<span class="token operator">:</span>f2<span class="token operator">:</span>2c<span class="token operator">:</span><span class="token number">71</span><span class="token operator">:</span><span class="token number">78</span><span class="token operator">:</span>
     	<span class="token literal-property property">c1</span><span class="token operator">:</span>9d<span class="token operator">:</span>9a<span class="token operator">:</span>f1

Even if the pod IP changes as pods come and go, the identity cannot be mistaken for anything else, because it is carried in the connection itself: the SPIFFE URI in the certificate's Subject Alternative Name names the trust domain, namespace and service account, and a TLS handshake with the wrong identity simply does not complete. Nor is this just a certificate. A pod MUST first present a valid Kubernetes service account token to Istio, which exchanges it for a certificate through a CSR; the CA stamps the identity it authenticated from that token, and because only the CSR crosses the network, a pod never sends its private key anywhere. The CSR process continues throughout the pod's lifecycle: by default an Istio workload certificate is valid for 24 hours and the agent rotates it once half of that lifetime has elapsed, so in practice the certificate is renewed every 12 hours.

Cilium vs Istio: How is traffic encrypted?

By default, Cilium does not encrypt traffic between nodes. Optionally, you can enable node-to-node encryption with IPsec or WireGuard. I didn't try either of them because IPsec node-to-node encryption is beta, and WireGuard encryption doesn't support L7 policy enforcement.

Istio automatically encrypts traffic using mutual TLS whenever possible. Mutual TLS alone is not always enough to fully secure traffic, because it provides authentication (plus confidentiality and integrity on the wire) but not authorization: any workload holding a valid mesh certificate can still reach a service. To fully lock down traffic, configure authorization policies, which let you write fine-grained rules that allow or deny requests based on the authenticated identity.
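The following Go program is an added example, not code from this post, from Istio or from Cilium. It ties together the two points above: a server derives the caller's identity from the SPIFFE URI SAN of a verified client certificate rather than from the peer IP, and then applies an authorization step on top of that identity, because a valid mesh certificate proves who the caller is, not what it may do. It also plays the CA side of the CSR exchange against a throwaway self-signed root: the workload keeps its private key and sends only a CSR, and the CA stamps the identity it authenticated (here the namespace and service account arguments stand in for the validated service account token), ignoring any SAN the CSR asked for. The function names `WorkloadIdentity`, `IssueFromCSR`, `NewCA` and `Authorize`, the `Policy` type and the `cluster.local` trust domain are assumptions of this example; `Authorize` mirrors what an Istio AuthorizationPolicy with `source.principals` and `to.operation` expresses, but it is not Istio's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// SpiffeID is the identity in the URI SAN: spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>.
type SpiffeID struct{ TrustDomain, Namespace, ServiceAccount string }

// Policy maps an authenticated principal to the "METHOD /path" operations it may call,
// the authorization layer mTLS alone does not provide; Authorize denies by default.
type Policy map[SpiffeID]map[string]bool
func Authorize(p Policy, id SpiffeID, method, path string) bool { return p[id][method+" "+path] }

// WorkloadIdentity is what a server keys policy on instead of the peer IP: chain the leaf to
// the mesh trust bundle, refuse CA certs and ambiguous SANs, pin the trust domain, return the ID.
func WorkloadIdentity(leaf *x509.Certificate, roots *x509.CertPool, trustDomain string) (SpiffeID, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return SpiffeID{}, err
	}
	if leaf.IsCA || len(leaf.URIs) != 1 {
		return SpiffeID{}, fmt.Errorf("want CA:FALSE and one URI SAN, got CA=%v SANs=%d", leaf.IsCA, len(leaf.URIs))
	}
	u := leaf.URIs[0]
	p := strings.Split(strings.Trim(u.Path, "/"), "/")
	if u.Scheme != "spiffe" || u.Host != trustDomain || len(p) != 4 || p[0] != "ns" || p[2] != "sa" || p[1] == "" || p[3] == "" {
		return SpiffeID{}, fmt.Errorf("not a SPIFFE ID in trust domain %s: %s", trustDomain, u)
	}
	return SpiffeID{TrustDomain: u.Host, Namespace: p[1], ServiceAccount: p[3]}, nil
}

// IssueFromCSR plays the CA side of the CSR exchange: the workload keeps its private key and
// sends only a CSR; the CA authenticates the caller out of band (ns and sa stand in for the
// validated service account token) and stamps THAT identity, ignoring any SAN the CSR asked for.
func IssueFromCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, ns, sa string, ttl time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof the requester holds the key
		return nil, err
	}
	t := newTemplate(ttl) // key usages and CA:FALSE as in the dump above
	t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	t.URIs = []*url.URL{{Scheme: "spiffe", Host: "cluster.local", Path: "/ns/" + ns + "/sa/" + sa}}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a throwaway self-signed mesh root (the trust bundle) for the demo.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := newTemplate(time.Hour)
	t.Subject, t.IsCA, t.KeyUsage = pkix.Name{CommonName: "example mesh root"}, true, x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func newTemplate(ttl time.Duration) *x509.Certificate { // random serial, valid now, CA:FALSE
	n, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	return &x509.Certificate{SerialNumber: n, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), BasicConstraintsValid: true}
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // never leaves the workload
	csr, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, key)
	leaf, err := IssueFromCSR(ca, caKey, csr, "default", "helloworld", 24*time.Hour)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	id, err := WorkloadIdentity(leaf, roots, "cluster.local")
	fmt.Println(id, err, Authorize(Policy{id: {"GET /hello": true}}, id, "GET", "/hello"))
}
```

Two design points are worth noting. `WorkloadIdentity` rejects anything that is not exactly one SPIFFE URI SAN in the expected trust domain, so a certificate that chains correctly but carries a DNS name, two URIs or a foreign trust domain is refused rather than guessed at. `Authorize` is deny-by-default: the same `helloworld` identity that passes verification is still denied until a rule names it, which is the gap a `PeerAuthentication` in STRICT mode leaves open and an `AuthorizationPolicy` closes.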

Multi-tenancy for Envoy for Layer 7

With Cilium, L7 policy is evaluated by an Envoy proxy on every node, and that one proxy handles L7 processing for all the pods running on the node. With Istio, L7 policy is evaluated per pod, so every pod carries its own Envoy sidecar, which can cost more to run than Cilium's one Envoy per node. The trade-off is that Cilium's per-node Envoy does L7 processing for multiple identities at once. If you look at Envoy's CVEs, you'll see most of them are L7-related, and the chance that a security issue in one Envoy processing L7 traffic for many pods affects more than one workload is higher than for an Envoy that processes L7 traffic only for its own pod. Wasm is a great way to give individual teams custom Envoy extensions, but a Wasm filter with a bug (an infinite loop, for example) can hang the shared proxy and take down every other team's pods on the same node. With Envoy on the node, you have to be extremely careful with L7 extensions to minimize the impact on neighbouring pods.

There is quite a bit of discussion of why multi-tenancy for Envoy (or other proxies) at Layer 7 has a huge catch. The tweet below, for example, summarizes the problems of a multi-tenant L7 proxy in terms of outages, noisy neighbours, budgeting and cost attribution, and the Envoy team has evaluated how hard it would be to implement multi-tenancy in Envoy and concluded that the complexity isn't worth the effort.

Screenshot of Louis Ryan's tweet, which says: "I think every #servicemesh would love to reduce its TCO and #proxyless seems attractive but there's a huge catch. Uncontrolled L7 config in a multi-tenant proxy is an outage & noisy-neighbor factory. @istiomesh and others don't do this for a very good reason"
Screenshot of Matt Klein's tweet, which says: "We have actually put some thought into what tenant accounting would look like in envoy. I think it's possible to do reasonably accurately, but I agree with the general sentiment that the complexity is probably not worth it."

Wrapping Up

Mutual TLS (mTLS) is used everywhere in the mesh, and the cryptographic modules behind it can be FIPS 140-2 compliant, which many of our enterprise and government customers require. Network cache-based identity can fail when a pod dies and a new pod with a different identity is created and gets the old pod's IP: because information about the new pod propagates slowly to the Cilium agent, the new pod can be given the old pod's identity. Multi-tenant proxies for L7 policy are complicated and can spread outage, noisy-neighbour, budgeting and cost-attribution problems from one tenant to the other tenants on the same node.

To achieve defense in depth, consider L3/L4 network policies in addition to L7 security policies from a service mesh that provides cryptographic identity. Combining the two is highly recommended as part of the Istio security best practices. In the event of a compromised pod or a security vulnerability in the cluster, defense in depth limits or stops an attacker's progress, whether through man-in-the-middle (MITM) attacks or IP address spoofing.


By Lin Sun, Director of Open Source at Solo.io and CNCF Ambassador

Lin is the Director of Open-Source at Solo.io and a CNCF ambassador. She has worked on Istio service mesh since 2017 and serves on the Istio Technical Oversight Committee and Steering Committee. Previously, she was a Senior Technical Staff Member and Master Inventor at IBM for 15+ years. She is the author of the book “Istio Explained” and has more than 200 patents to her name.

LinkedIn: https://www.linkedin.com/in/lin-sun-a9b7a81/
Twitter: https://twitter.com/linsun_unc
Github: https://github.com/linsun
