IstioCon 2023 - Virtual

Impersonation and Identity theft are serious crimes in the world of Kubernetes! Who's checking IDs and making sure imposters haven't made their way into our cluster? When considering protecting our services and providing identity for authorization, we'll always turn to a Service Mesh as an insertion/interception point. However, with this new mode of Istio called Ambient Mesh, some questions arise: - How does Ambient prevent impersonation? - What's the Ztunnel have to do with identity? - Where do we maintain mTLS? - How does authorization get enforced at L4 and L7?? - What did you do to my sidecar??? In this talk, we break down the key security features of Istio Ambient Mesh, and provide proof that Ambient Mesh truly prevents identity theft while still providing the same key capabilities as the Istio Service Mesh. We'll demonstrate how Ambient Mesh provides Ztunnel as a daemonset to provide a complete security posture and node-to-node encryption vs. pod-to-pod within the node.