Service Mesh Security
Advanced
Service meshes like Istio and Linkerd add security features but also new attack surfaces. Understanding their architecture reveals potential weaknesses.
Service Mesh Components
Data Plane (Sidecars)
- Envoy proxy per pod
- mTLS between services
- Traffic interception
- Observability data
Control Plane
- Istiod (Istio)
- Certificate management
- Policy distribution
- Service discovery
Istio Enumeration
```bash
# Check if Istio is installed
kubectl get ns istio-system
kubectl get pods -n istio-system

# Sidecar injection status
kubectl get namespace -L istio-injection

# View Istio policies
kubectl get authorizationpolicies -A
kubectl get peerauthentications -A
kubectl get destinationrules -A

# Check mTLS mode
kubectl get peerauthentication -A -o yaml | grep mode

# Envoy admin interface (from within pod)
curl localhost:15000/config_dump
curl localhost:15000/clusters
curl localhost:15000/listeners
```
Bypass Techniques
```bash
# If mTLS is PERMISSIVE mode, plaintext still works
curl http://service.namespace.svc.cluster.local

# Direct pod-to-pod communication (bypass sidecar)
# Get pod IP and connect directly
kubectl get pod -o wide
curl http://POD_IP:APP_PORT

# If sidecar injection is namespace-based
# Create pod in non-injected namespace

# Envoy bypass via localhost
# Application may trust localhost connections
```
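As an added defender-side check (not part of the original page), the script below resolves the effective mTLS mode per namespace the way Istio does (workload policy over namespace-wide over mesh-wide, PERMISSIVE when nothing applies) instead of grepping `mode` out of the YAML as in the enumeration block, and flags workload policies whose `portLevelMtls` still accept plaintext, which is exactly where the PERMISSIVE bypass above keeps working under an otherwise STRICT mesh. It assumes the default root namespace `istio-system` and feeds itself a constructed sample shaped like `kubectl get peerauthentication -A -o json` rather than live cluster output.

```python
import json
ROOT_NS = "istio-system"     # assumed root namespace (Istio's default)
DEFAULT_MODE = "PERMISSIVE"  # what Istio applies when no policy matches
WEAK = ("PERMISSIVE", "DISABLE")

def effective_modes(items, namespaces):
    """Namespace-wide mTLS mode per namespace: a namespace-wide policy beats
    the mesh-wide one in ROOT_NS; UNSET or absent inherits the level above."""
    mesh, per_ns = DEFAULT_MODE, {}
    for item in items:
        meta, spec = item["metadata"], item.get("spec", {})
        mode = spec.get("mtls", {}).get("mode", "UNSET")
        if "selector" in spec or mode == "UNSET":
            continue  # workload-scoped (see weak_workloads) or inheriting
        if meta["namespace"] == ROOT_NS:
            mesh = mode
        else:
            per_ns[meta["namespace"]] = mode
    return {ns: per_ns.get(ns, mesh) for ns in namespaces}

def weak_workloads(items):
    """Workload-scoped policies (with a selector) whose mode or any
    portLevelMtls entry still accepts plaintext, even under a STRICT mesh."""
    weak = []
    for item in items:
        meta, spec = item["metadata"], item.get("spec", {})
        if "selector" not in spec:
            continue
        name = f'{meta["namespace"]}/{meta["name"]}'
        if spec.get("mtls", {}).get("mode") in WEAK:
            weak.append(f'{name} mode={spec["mtls"]["mode"]}')
        for port, cfg in spec.get("portLevelMtls", {}).items():
            if cfg.get("mode") in WEAK:
                weak.append(f'{name} port {port} mode={cfg["mode"]}')
    return weak

# Constructed sample shaped like `kubectl get peerauthentication -A -o json`
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "default", "namespace": "istio-system"},
  "spec": {"mtls": {"mode": "STRICT"}}},
 {"metadata": {"name": "legacy", "namespace": "legacy"},
  "spec": {"mtls": {"mode": "PERMISSIVE"}}},
 {"metadata": {"name": "api", "namespace": "payments"},
  "spec": {"selector": {"matchLabels": {"app": "api"}}, "mtls": {"mode": "STRICT"},
           "portLevelMtls": {"8080": {"mode": "DISABLE"}}}}]}""")
NAMESPACES = ["prod", "legacy", "payments"]  # constructed namespace list

if __name__ == "__main__":
    print(effective_modes(SAMPLE["items"], NAMESPACES), weak_workloads(SAMPLE["items"]))
```

Any namespace reported as PERMISSIVE or DISABLE, and any port listed by `weak_workloads`, is a place where the plaintext `curl` from the bypass block still succeeds and should be moved to STRICT (or justified as a deliberate migration exception).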