Overview
Review security features that are built into ambient mesh, such as mTLS, and configure further security policies.
Verifying mTLS
Ambient mesh adds mutual TLS (mTLS) encryption between all mesh-enrolled workloads by default. You can follow the community ambient mesh mTLS guide to verify mTLS connections.
Applying authorization policies on Layer 4 and 7
You can configure policies for authentication and authorization, to mitigate both internal and external threats against your data, endpoints, communication, and platform.
If you want to apply authorization policies, start by reviewing the differences between applying an authorization policy at the ztunnel (L4) versus at the waypoint (L7). Then, you can follow the guides to apply policies at the ztunnel or at the waypoint.
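The following pair of AuthorizationPolicy objects is an added example, not from the Solo or Istio documentation, that shows the practical difference between a policy enforced by ztunnel at L4 and one enforced by a waypoint at L7. The namespace "payments", the label app=payment-api, the caller service account "checkout" in namespace "shop", the port 8443, and the waypoint name "waypoint" are all assumed values.

```yaml
# Added example (not from the Solo documentation): two AuthorizationPolicy
# objects that show the L4 (ztunnel) versus L7 (waypoint) split.
# Assumed names: namespace "payments", workload label app=payment-api,
# caller service account "checkout" in namespace "shop", waypoint "waypoint".

# 1) L4 policy, enforced by ztunnel on the selected destination workload.
#    Only identity, namespace, IP and port attributes can be evaluated here,
#    because ztunnel never parses HTTP.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: payment-api-l4
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payment-api
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE identity taken from the caller's mTLS certificate
        principals:
        - cluster.local/ns/shop/sa/checkout
    to:
    - operation:
        ports: ["8443"]
---
# 2) L7 policy, bound to the waypoint proxy through targetRefs.
#    HTTP attributes such as methods and paths are only available here.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: payment-api-l7
  namespace: payments
spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: waypoint
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/shop/sa/checkout
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/charges"]
```

Two points to check before applying a policy like this. First, an ALLOW policy that selects a workload denies every request it does not match, so the L4 policy above cuts off all callers other than the checkout identity on port 8443. Second, keep HTTP attributes out of policies that ztunnel enforces: ztunnel cannot evaluate methods or paths, so put those rules in a waypoint-bound policy as in the second object, and verify that the workloads in question actually have a waypoint attached.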
CEL and workload claims authorization for L4 traffic
The Solo distribution of Istio 1.30 and later extends ztunnel AuthorizationPolicy with Common Expression Language (CEL) expressions and workload identity claims embedded in mTLS certificates. You can write policies that reference per-workload attributes such as workload name, namespace, and custom security annotations, going beyond the fixed attribute keys that the standard when conditions of AuthorizationPolicy support. No waypoint is required.
Use CEL and workload claims authorization when:
- You need to distinguish individual workloads that share a Kubernetes service account, using workload-level claims instead of service-account-level identity.
- You want to enforce traffic segmentation between security zones using workload annotations, such as allowing only PCI-DSS-annotated workloads to reach a payment service.
- Your policy requirements extend beyond source namespace or service account to pod-level identity attributes.
To get started, see CEL and workload claims authorization for L4 traffic.
Workload identity and attestation
When planning your ambient mesh security setup, you might need to access and use the identities of workloads in individual connections. The following features of the Solo distribution of Istio facilitate identity lookup and workload identity attestation.
SPIRE workload attestation: Use SPIRE node agents to attest and grant identities to ambient mesh workloads, which can be used for mTLS connections between the workloads.