This directory contains a namespace-scoped Istio service-to-service policy POC for poc-mesh. It demonstrates STRICT mTLS, deny-by-default authorization, explicit allow rules based on Kubernetes service account identity, and traffic patterns that are easy to inspect in Kiali.
poc-mesh/
manifests/
00-namespace.yaml
10-apps.yaml
20-mtls.yaml
30-authz.yaml
scripts/
apply.sh
test.sh
README.md
The POC creates a dedicated namespace named poc-mesh with Istio sidecar injection enabled and deploys three internal services:
frontend: developer-friendly caller workload usingfrontend-sabackend: echo-style HTTP API usingbackend-sapayments: second caller workload usingpayments-sa
All workloads are internal-only ClusterIP Services. The backend uses mendhak/http-https-echo:34, a common public demo image that replies on arbitrary paths and methods without requiring a custom image build. That makes it a good fit for testing:
GET /api/ordersPOST /api/ordersGET /health
frontend and payments use wbitt/network-multitool:extra, which keeps the Pods easy to inspect and includes curl for in-cluster tests.
The namespace uses a default-closed authorization posture:
namespace-deny-allblocks traffic unless a later ALLOW policy matches.backend-allow-frontend-readgrants only the exact traffic the POC wants to demonstrate.backend-deny-payments-exampleis an explicit readability example showing thatpaymentsis not supposed to callbackend.
This pattern is easier to reason about than permissive defaults because any new workload or path starts denied until it is deliberately opened.
Istio converts the source workload identity into a SPIFFE-like principal. In this POC the principals are:
cluster.local/ns/poc-mesh/sa/frontend-sacluster.local/ns/poc-mesh/sa/backend-sacluster.local/ns/poc-mesh/sa/payments-sa
The backend ALLOW policy matches only frontend-sa and only for:
GET /api/ordersGET /health
Because POST /api/orders is not listed, it is denied even from frontend. Because payments-sa is not allowed, payments is denied even when it uses the same path.
cd examples/eks-with-istio-gateway-api/poc-mesh
chmod +x scripts/apply.sh scripts/test.sh
./scripts/apply.shcd examples/eks-with-istio-gateway-api/poc-mesh
./scripts/test.shExpected results:
frontend -> backend GET /api/orders:PASSfrontend -> backend GET /health:PASSfrontend -> backend POST /api/orders:PASSbecause the request is correctly denied with HTTP 403payments -> backend GET /api/orders:PASSbecause the request is correctly denied with HTTP 403
After running the tests, Kiali should make the policy behavior easy to understand:
- Graph view for namespace
poc-mesh - Successful traffic edge from
frontendtobackend - No permitted
payments -> backendaccess pattern - mTLS indicators on workloads and edges
- Workload details on
backendshowing inbound traffic and security context
The denied requests may not appear as a normal successful edge in every graph mode, but the backend and source workload metrics should still help explain what happened.
kubectl get pods -A | grep -E 'kiali|prometheus'
kubectl get svc -A | grep -E 'kiali|prometheus'Common install location:
kubectl -n istio-system port-forward svc/kiali 20001:20001If the service is installed elsewhere:
kubectl get svc -A | grep kiali
kubectl -n <kiali-namespace> port-forward svc/<kiali-service-name> 20001:20001First find the service:
kubectl get svc -A | grep prometheusCommon examples:
kubectl -n monitoring port-forward svc/prometheus-server 9090:80
kubectl -n istio-system port-forward svc/prometheus 9090:9090- No Gateway API or ingress is used here.
- All traffic stays inside the cluster.
- The POC is intentionally small so developers can correlate policy YAML, test output, and Kiali visuals quickly.