Understanding Istio security architecture
In Chapter 3, we discussed how the Istio control plane is responsible for the injection of sidecars and establishing trust so that sidecars can communicate with the control plane securely and security policies are eventually enforced by the sidecar. When deployed in Kubernetes, Istio relies on Kubernetes service accounts to identify the roles of workloads in a Service Mesh. The Istio CA watches the Kubernetes API server for the addition/deletion/modification of any service accounts in the namespace with Istio injection enabled. It creates a key and certificates for each service account and, during Pod creation, the certificate and key are mounted onto the sidecar. The Istio CA is responsible for managing the life cycle of the certificates distributed to the sidecars, including the rotation and management of private keys. Using the Secure Production Identity Framework for Everyone (SPIFFE) format identities, Istio provides a strong identity...
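The paragraph above describes the chain from Kubernetes service account to sidecar identity: the Istio CA issues a certificate per service account, and the sidecar later enforces policy against the peer's identity. The following Python, added here as an illustration and not code from the book or from the Istio project, derives the SPIFFE ID Istio uses for a Kubernetes workload (`spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>`), parses and validates such an ID as it would appear in a peer certificate's URI SAN, and models a simplified allow-list check of the kind a sidecar performs. The sample namespace and service-account names are constructed, `cluster.local` is Istio's default trust domain, and the wildcard matching in `principal_allowed` is a deliberately reduced model rather than Istio's actual policy engine.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Trust-domain rule from the SPIFFE specification: lowercase letters, digits, '.', '-' and '_'.
_TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")
# Kubernetes namespace and service-account names follow DNS-1123 rules (lowercase, digits, '-', '.').
_K8S_NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$")


@dataclass(frozen=True)
class WorkloadIdentity:
    """Identity the Istio CA issues to a Kubernetes workload: trust domain, namespace, service account."""
    trust_domain: str
    namespace: str
    service_account: str

    def spiffe_id(self) -> str:
        # Istio's documented SPIFFE ID layout for Kubernetes workloads.
        return f"spiffe://{self.trust_domain}/ns/{self.namespace}/sa/{self.service_account}"

    def principal(self) -> str:
        # Principal form used in Istio policy: the SPIFFE ID without its scheme.
        return f"{self.trust_domain}/ns/{self.namespace}/sa/{self.service_account}"


def identity_for_service_account(namespace: str, service_account: str,
                                 trust_domain: str = "cluster.local") -> WorkloadIdentity:
    """Derive the identity the CA would issue for a service account, validating each component."""
    for name in (namespace, service_account):
        if not _K8S_NAME_RE.match(name):
            raise ValueError(f"invalid Kubernetes name: {name!r}")
    if not _TRUST_DOMAIN_RE.match(trust_domain):
        raise ValueError(f"invalid trust domain: {trust_domain!r}")
    return WorkloadIdentity(trust_domain, namespace, service_account)


def parse_spiffe_id(uri: str) -> WorkloadIdentity:
    """Parse a URI SAN from a peer certificate, rejecting anything outside Istio's shape."""
    parsed = urlparse(uri)
    if parsed.scheme != "spiffe":
        raise ValueError("not a spiffe:// URI")
    # SPIFFE IDs carry no userinfo, port, query, params or fragment.
    if parsed.query or parsed.fragment or parsed.params or "@" in parsed.netloc or ":" in parsed.netloc:
        raise ValueError("unexpected URI components in SPIFFE ID")
    if not _TRUST_DOMAIN_RE.match(parsed.netloc):
        raise ValueError(f"invalid trust domain: {parsed.netloc!r}")
    # '/ns/<namespace>/sa/<service-account>' splits into ['', 'ns', ns, 'sa', sa].
    parts = parsed.path.split("/")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "ns" or parts[3] != "sa":
        raise ValueError("expected path of the form /ns/<namespace>/sa/<service-account>")
    return identity_for_service_account(parts[2], parts[4], parsed.netloc)


def principal_allowed(identity: WorkloadIdentity, allowed: list[str]) -> bool:
    """Simplified model of a sidecar allow-list check (assumption, not Istio's policy engine).

    Supports exact principals and a single trailing '*' prefix wildcard; anything else is denied.
    """
    principal = identity.principal()
    for pattern in allowed:
        if pattern.endswith("*"):
            if principal.startswith(pattern[:-1]):
                return True
        elif pattern == principal:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a workload running under the 'bookinfo-productpage' service account.
    issued = identity_for_service_account("default", "bookinfo-productpage")
    print("issued SPIFFE ID:", issued.spiffe_id())
    # Constructed peer certificate SAN, as the sidecar would see it during mTLS.
    peer = parse_spiffe_id("spiffe://cluster.local/ns/default/sa/bookinfo-productpage")
    print("peer allowed:", principal_allowed(peer, ["cluster.local/ns/default/sa/*"]))
```

A rejected SAN (wrong scheme, uppercase trust domain, a port, or a path that is not `/ns/<ns>/sa/<sa>`) raises `ValueError` before any policy comparison happens, which is the behaviour you want from the identity-parsing step: a peer that cannot present a well-formed identity should never reach the allow list.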