Service mesh architecture

Sidecar vs ambient; what the mesh enforces.

Advanced30 min · lesson 7 of 15

A service mesh is the most common way to bring workload identity, mTLS, and authorization to a cluster without changing application code. Understanding its architecture is what lets you reason about where security is enforced and what it costs.

Proxies that own the security

A mesh interposes a proxy in the path of every service’s traffic. In the sidecar model (classic Istio, Linkerd) an Envoy or linkerd2-proxy runs alongside each pod and transparently wraps outbound connections in mTLS and enforces policy on inbound ones — the application sends plain HTTP to its own proxy and the proxy handles identity and encryption. In the newer ambient model, that work moves to a per-node component (ztunnel), removing per-pod sidecars and their overhead while keeping the same mTLS and identity guarantees. Either way, the app is unchanged and the mesh owns the cryptography.

the mesh data path
# Sidecar model — a proxy per pod:
# [ app ] --plain--> [ sidecar ] ==mTLS==> [ sidecar ] --plain--> [ app ]
# frontend proxy proxy api
# the app never sees TLS; the proxies authenticate + encrypt.
#
# Ambient model — per-node ztunnel handles mTLS, no sidecar in the pod.
#
# Enable the mesh by labeling a namespace for injection:
kubectl label namespace prod istio-injection=enabled

What the mesh gives you

Because the proxy sits in every connection, the mesh delivers three zero-trust primitives uniformly across polyglot services: identity (each workload gets a SPIFFE-style certificate), encryption (mTLS between proxies), and authorization (identity-based policy at the proxy). It also provides observability — a map of who talks to what — which is invaluable for writing tight policy and investigating incidents. The tradeoff is operational complexity and some latency/resource overhead, which the ambient model aims to reduce. Istio and Linkerd are the dominant choices; Linkerd favors simplicity, Istio favors feature breadth, but both anchor identity in the workload’s Kubernetes service account.

Service mesh architecture
data plane
sidecar proxy (per pod)
Envoy / linkerd2-proxy
or ambient ztunnel (per node)
no sidecar, less overhead
what it enforces
identity
SPIFFE-style workload certs
mTLS
encrypted, authenticated east-west
authorization + observability
policy + who-talks-to-what
The proxy in every path lets the mesh add identity, encryption, and authz transparently — the zero-trust data plane, without app changes.
A mesh is powerful but not free
Sidecars add latency, memory, and operational complexity, and a misconfigured mesh can break traffic in subtle ways. Adopt it for the security and observability it provides, size the overhead deliberately (or evaluate ambient mode), and roll it out namespace by namespace rather than cluster-wide overnight.