mTLS & pod-to-pod encryption
Identity and encryption between services.
Pod-to-pod traffic rides the cluster network in plaintext by default, so anything that can sniff the wire or insert itself in the path can read and tamper with it — and the flat network means a compromised pod is often already in a position to try. Mutual TLS solves two problems in one handshake: it encrypts the connection, and it gives both ends a cryptographically verifiable identity, so payments-api knows the caller really is web and not an impostor that merely reached its port.
The usual way to get mTLS everywhere without touching application code is a service mesh — Istio or Linkerd inject a sidecar proxy beside each pod that transparently wraps every connection. You enable it per namespace and set the mode to STRICT so plaintext is refused rather than merely tolerated; PERMISSIVE (the migration default) accepts both, which is a stepping stone, not a destination.
apiVersion: security.istio.io/v1kind: PeerAuthenticationmetadata: { name: default, namespace: payments }spec:mtls:mode: STRICT # refuse any non-mTLS traffic in this namespace
Identity, not just a tunnel
The real value of mTLS is the identity it carries. Meshes build on SPIFFE — every workload gets a short-lived certificate encoding an identity (a SPIFFE ID), issued and rotated automatically by the mesh CA (SPIRE, or the mesh’s built-in one). Because each connection is authenticated to a specific workload identity, you can then write authorization in terms of who is calling, not which IP.
apiVersion: security.istio.io/v1kind: AuthorizationPolicymetadata: { name: payments-allow-web, namespace: payments }spec:selector: { matchLabels: { app: payments-api } }action: ALLOWrules:- from:- source:principals: ["cluster.local/ns/storefront/sa/web"] # SPIFFE identity
Without a mesh
No mesh means mTLS is the application’s job: issue certificates (cert-manager is the common in-cluster CA), mount them into the pods, and have the client verify the server and the server verify the client. It is more wiring and more to rotate, but the guarantee is identical — encrypted, mutually authenticated connections between named workloads.