Beta

DevSecOps - Kubernetes DevOps & Security

Kubernetes Operations and Security

Pod Pod Communication Need for mTLS

Securing communication between pods is critical in a microservices architecture. By default, Kubernetes routes traffic in plaintext, exposing sensitive data to network eavesdroppers. This guide explains the risks of unencrypted pod-to-pod traffic and shows how a service mesh—specifically Istio—simplifies end-to-end encryption using mutual TLS (mTLS).

Table of Contents

1. The Risk of Plaintext Pod-to-Pod Traffic

By default, Pod A sends HTTP requests directly to Pod B over the cluster network. An attacker on the same node—or any compromised network segment—can intercept and read this traffic.

Pod A (HTTP)  ───►  Pod B (HTTP)

Warning

Plaintext HTTP between pods exposes API keys, tokens, and PII to packet sniffers. Always encrypt inter-service traffic in production.

2. Challenges of Embedding TLS in Applications

To secure traffic with TLS (HTTPS), every microservice must handle:

  • Generating and rotating key pairs
  • Securely storing private keys
  • Performing TLS handshakes
  • Updating certificates upon expiry

This creates significant operational complexity and duplicates effort across teams.

3. Service Mesh Solution: Istio and mTLS

A service mesh like Istio offloads TLS responsibilities to sidecar proxies, automating certificate issuance and mTLS handshakes.

Prerequisites

Note

Ensure you have:

  • A running Kubernetes cluster (v1.20+)
  • kubectl configured for your cluster
  • Helm (optional) or istioctl CLI installed

Step-by-Step Guide

  1. Install Istio

    istioctl install --set profile=demo -y

  2. Enable Automatic Sidecar Injection

    kubectl label namespace default istio-injection=enabled

  3. Deploy Your Applications
    Any pod in the default namespace now includes an Istio sidecar.

  4. Verify mTLS is Enforced

    istioctl authn tls-check

When Pod A calls Pod B:

  • Pod A’s app → plaintext to Envoy sidecar
  • Envoy (Pod A) → performs mTLS handshake → Envoy (Pod B)
  • Envoy (Pod B) → decrypts → plaintext to Pod B’s app

The image illustrates pod-to-pod communication within a Kubernetes node, highlighting security measures and the prevention of an attacker's access.

4. Comparing Approaches

ApproachTLS ManagementComplexityEncryption Type
Manual TLS in ServiceDeveloperHighHTTPS
Istio Service MeshSidecar Proxies (Envoy)LowmTLS

5. Next Steps and References

We’ll dive deeper into advanced Istio features—custom mTLS policies, certificate rotation, and traffic observability.

Watch Video

Watch video content

Previous
Demo Kube bench
Next
Istio Basics