Istio can secure the communication between microservices without requiring app code changes. Security is provided by authenticating and encrypting communication paths within the cluster. This is becoming a common security and compliance requirement. Delegating communication security to Istio (as opposed to implementing TLS in each microservice) ensures that your app is deployed with consistent and manageable security policies.
Citadel is an optional part of Istio’s control plane components. When enabled, it provides each Envoy sidecar proxy with a strong (cryptographic) identity in the form of a certificate. Identity is based on the microservice’s service account and is independent of its specific network location, such as cluster or current IP address. Envoys then use the certificates to identify each other and establish an authenticated and encrypted communication channel between them.
Citadel is responsible for these tasks:
- Providing each service with an identity representing its role
- Providing a common trust root to allow Envoys to validate and authenticate each other
- Providing a key management system, automating generation, distribution, and rotation of certificates and keys
When an application microservice connects to another microservice, the communication is redirected through the client-side and server-side Envoys. This is the end-to-end communication flow:
- Local TCP connection (that is, localhost, not reaching the “wire”) between the app and Envoy (client- and server-side)
- Mutually authenticated and encrypted connection between Envoy proxies
When Envoy proxies establish a connection, they exchange and validate certificates to confirm that each is indeed connected to a valid and expected peer. The established identities can later be used as the basis for policy checks, for example, access authorization.
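The following is an added example, not code from Istio or from this page. It models what the server-side proxy does once the mutual TLS handshake above has completed: it reads the workload identity carried in the peer certificate, checks that the identity belongs to the shared trust domain, and applies an allow-list keyed on namespace and service account rather than on the caller's IP address. It assumes the SPIFFE identity format Istio encodes in the certificate's URI SAN (`spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>`); the function names, the `reviews` allow-list and the sample identities and IPs are constructed for the example.

```python
"""Added example (not from Istio or this page): identity-based authorization
after an mTLS handshake. The chain is assumed to have already been verified
against the common root Citadel distributes; this code only interprets the
identity the certificate carries and makes the policy decision."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed values for the example: the mesh's trust domain and an
# allow-list for a hypothetical "reviews" service.
TRUST_DOMAIN = "cluster.local"


@dataclass(frozen=True)
class WorkloadIdentity:
    trust_domain: str
    namespace: str
    service_account: str


@dataclass(frozen=True)
class AllowRule:
    namespace: str
    service_account: str


# Only the "productpage" service account in "default" may call "reviews".
REVIEWS_RULES: List[AllowRule] = [AllowRule("default", "productpage")]


def parse_spiffe_id(uri: str) -> WorkloadIdentity:
    """Parse an Istio-style identity spiffe://<td>/ns/<ns>/sa/<sa>.
    Anything else raises ValueError so a malformed or unexpected SAN is
    rejected rather than silently mapped onto some identity."""
    prefix = "spiffe://"
    if not uri.startswith(prefix):
        raise ValueError(f"not a SPIFFE URI: {uri!r}")
    trust_domain, _, path = uri[len(prefix):].partition("/")
    parts = path.split("/")
    if (not trust_domain or len(parts) != 4 or parts[0] != "ns"
            or parts[2] != "sa" or not parts[1] or not parts[3]):
        raise ValueError(f"unexpected identity format: {uri!r}")
    return WorkloadIdentity(trust_domain, parts[1], parts[3])


def peer_identity(uri_sans: Iterable[str], trust_domain: str) -> WorkloadIdentity:
    """Extract exactly one workload identity from the peer certificate's URI
    SANs and require it to belong to our trust domain. A certificate issued
    under a foreign trust root must not be accepted even if it chains
    correctly somewhere else."""
    identities = [parse_spiffe_id(u) for u in uri_sans if u.startswith("spiffe://")]
    if len(identities) != 1:
        raise ValueError(f"expected exactly one SPIFFE identity, got {len(identities)}")
    ident = identities[0]
    if ident.trust_domain != trust_domain:
        raise ValueError(f"peer trust domain {ident.trust_domain!r} != {trust_domain!r}")
    return ident


def is_allowed(peer: WorkloadIdentity, rules: Iterable[AllowRule]) -> bool:
    """The decision depends only on who the peer is (namespace + service
    account), never on where the connection came from."""
    return any(r.namespace == peer.namespace and r.service_account == peer.service_account
               for r in rules)


def decide(uri_sans: List[str], source_ip: Optional[str],
           trust_domain: str, rules: Iterable[AllowRule]) -> str:
    """Return "ALLOW" or "DENY" for one inbound connection. source_ip is
    recorded for the audit line only; it plays no part in the decision, which
    is why a pod that moves to a new node or IP keeps the same access."""
    try:
        peer = peer_identity(uri_sans, trust_domain)
    except ValueError as exc:
        print(f"DENY src={source_ip}: {exc}")
        return "DENY"
    verdict = "ALLOW" if is_allowed(peer, rules) else "DENY"
    print(f"{verdict} src={source_ip} peer={peer.namespace}/{peer.service_account}")
    return verdict


if __name__ == "__main__":
    # Constructed sample connections: same caller from two different IPs,
    # a different service account, a foreign trust domain, and no identity.
    productpage = "spiffe://cluster.local/ns/default/sa/productpage"
    decide([productpage], "10.1.2.3", TRUST_DOMAIN, REVIEWS_RULES)
    decide([productpage], "10.9.9.9", TRUST_DOMAIN, REVIEWS_RULES)
    decide(["spiffe://cluster.local/ns/default/sa/ratings"], "10.1.2.3", TRUST_DOMAIN, REVIEWS_RULES)
    decide(["spiffe://other.example/ns/default/sa/productpage"], "10.1.2.3", TRUST_DOMAIN, REVIEWS_RULES)
    decide([], "10.1.2.3", TRUST_DOMAIN, REVIEWS_RULES)
```

The two `productpage` connections are allowed regardless of source IP, while the `ratings` account, a certificate from another trust domain, and a peer presenting no SPIFFE identity are all denied. A mesh enforces the same shape of decision with its authorization policy; the point of the model is that the proven service-account identity, not the network location, is the input to that policy.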