Service mesh acts as a layer 7 overlay network that can span on-premise, datacenter and cloud deployments and provides routing, traffic shaping, load balancing, and telemetry combined with security capabilities such access control policies and encryption (mutual TLS). Istio is an open service mesh platform, that connects, manages, and secures microservices. Istio provides layer 7 path-based routing, traffic shaping, load balancing, and telemetry. Access control policies can be configured targeting both layer 7 and layer 4 properties to control access, routing, and more, based on service identity.
But when it comes to detecting and preventing advanced attacks techniques, we need to deploy security controls that go beyond Kubernetes Network Policies or Istio service access policies. These policies should be able to define service-aware network policies for workloads that do not communicate inside the mesh; Apply machine learning based profiling, detection & mitigation of post-intrusion events such as data exfiltration, lateral movement, and command & control communications. Specifically, DNS, as Kubernetes service discovery; And enable to define policies for infrastructure and system services that operate outside the mesh operations – such as logging services and worker node monitoring.