> ## Documentation Index
> Fetch the complete documentation index at: https://notes.kodekloud.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Introduction

> Overview of Istio zero trust security covering authentication with PeerAuthentication and mTLS, authorization via AuthorizationPolicy, encrypted traffic handling, and ambient mode implications

This short section is important for understanding how Istio implements zero-trust security across the mesh.

In this lesson/article you'll learn Istio's zero-trust building blocks: how authentication and authorization work, which resources control them, and how encrypted traffic is handled in practice. We'll revisit Istio's `PeerAuthentication` resource, examine common configuration options, and explain how Istio enforces—or bypasses—encryption in different deployment modes.

<Frame>
  <img src="https://mintcdn.com/kodekloud-c4ac6d9a/zDpSzOByf0QVxNkX/images/Prep-Course-Istio-Certified-Associate-ICA-Certification/Securing-Workloads/Introduction/istio-zero-trust-objectives-slide.jpg?fit=max&auto=format&n=zDpSzOByf0QVxNkX&q=85&s=b1f82e1d618c40d4ceb5477fcda6f3f5" alt="A presentation slide titled &#x22;Objectives&#x22; with a vertical, numbered list of items about Zero-Trust Architecture and Istio (introducing zero-trust, Istio authentication, encrypted traffic handling, and authorization). The slide has a turquoise left panel and colorful numbered markers beside each objective." width="1920" height="1080" data-path="images/Prep-Course-Istio-Certified-Associate-ICA-Certification/Securing-Workloads/Introduction/istio-zero-trust-objectives-slide.jpg" />
</Frame>

What this section covers

* Authentication (who is the principal?): Revisiting `PeerAuthentication`, mutual TLS (mTLS), and identity propagation.
* Authorization (what can an authenticated principal do?): How `AuthorizationPolicy` lets you allow or deny actions, with patterns for scoping policies and handling precedence.
* Encrypted traffic: How Istio encrypts traffic between workloads, how TLS is negotiated and enforced, and how encrypted traffic interacts with policy enforcement.
* Ambient mode: How Istio’s ambient mode changes enforcement and deployment considerations (note: ambient mode is not part of the [ICA exam objectives](https://learn.kodekloud.com/user/courses/istio-certified-associate-ica-certification) but is useful to understand operational differences).

Authentication is only half the battle — once a principal has verified identity, authorization defines what that principal may do. Istio’s `AuthorizationPolicy` resource provides fine-grained allow/deny rules (by principals, namespaces, workloads, ports, and HTTP attributes). These policies are powerful but can become complex; later sections will cover common patterns, how to reason about policy scope and precedence, and pitfalls to avoid.

You’re likely to see exam-style questions that ask you to reason about interactions between `PeerAuthentication`, `AuthorizationPolicy`, and mesh-wide defaults, so this lesson focuses both on concepts and the practical configuration details you’ll need.

Finally, we examine how Istio’s ambient mode interacts with authentication and authorization. Ambient mode changes the enforcement surfaces and how identity and traffic encryption are handled, which affects deployment and troubleshooting workflows. Again, ambient mode is useful to know but not required for the [ICA exam objectives](https://learn.kodekloud.com/user/courses/istio-certified-associate-ica-certification).

<Callout icon="lightbulb" color="#1CB2FE">
  This lesson/article covers authentication, authorization, and how encrypted traffic is handled in Istio. Ambient mode is discussed for completeness, but it is not part of the [ICA exam objectives](https://learn.kodekloud.com/user/courses/istio-certified-associate-ica-certification).
</Callout>

If you're ready, grab a cup of coffee and let's get started.

Links and references

* Istio PeerAuthentication docs: [https://istio.io/latest/docs/reference/config/security/peer\_authentication/](https://istio.io/latest/docs/reference/config/security/peer_authentication/)
* Istio AuthorizationPolicy docs: [https://istio.io/latest/docs/reference/config/security/authorization-policy/](https://istio.io/latest/docs/reference/config/security/authorization-policy/)
* Istio Mutual TLS overview: [https://istio.io/latest/docs/concepts/security/mtls-migration/](https://istio.io/latest/docs/concepts/security/mtls-migration/)
* Istio Ambient Mode: [https://istio.io/latest/docs/setup/additional-setup/ambient/](https://istio.io/latest/docs/setup/additional-setup/ambient/)
* ICA exam objectives: [https://learn.kodekloud.com/user/courses/istio-certified-associate-ica-certification](https://learn.kodekloud.com/user/courses/istio-certified-associate-ica-certification)

What you'll be able to do after this section

| Topic             | Focus                                                   | Example outcome                                                             |
| ----------------- | ------------------------------------------------------- | --------------------------------------------------------------------------- |
| Authentication    | Understand `PeerAuthentication` and mTLS modes          | Explain difference between `DISABLE`, `PERMISSIVE`, `STRICT` modes          |
| Authorization     | Apply `AuthorizationPolicy` to workloads and namespaces | Write a policy that restricts access to a service by principal or JWT claim |
| Encrypted traffic | Understand TLS negotiation and termination points       | Explain how sidecar and ambient modes handle encryption                     |
| Troubleshooting   | Diagnose authN/authZ failures                           | Interpret telemetry and logs to find policy conflicts or TLS mismatches     |

<CardGroup>
  <Card title="Watch Video" icon="video" cta="Learn more" href="https://learn.kodekloud.com/user/courses/istio-certified-associate/module/17ba1cac-61f4-48b6-b354-c2c735f5791d/lesson/1bef1776-edd7-44d5-99db-28b02fee0f36" />
</CardGroup>
