One of the main features of Istio is its built-in security, which applications can use without any additional instrumentation. This lets application developers focus on application features and offload security to Istio.
Security is implemented by the Envoy sidecar proxy, and it is enforced both at the edge of the mesh (by the ingress gateway) and at the service layer within the cluster.
Istio implements two main types of authentication:
- Peer authentication, which applies to workloads (services) and manages mutual TLS (mTLS) settings.
- Request authentication, which applies to JWTs.
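The following manifests are an added example of the two authentication types, not configuration from the page or from the Istio project itself. The namespace `orders`, the label `app: payments`, the issuer and JWKS URLs, and the `security.istio.io/v1beta1` API version are assumptions chosen for illustration; substitute your own identity provider values.

```yaml
# Peer authentication, mesh-wide: a PeerAuthentication named "default" in the
# root namespace (istio-system by default) applies to every workload that has
# no more specific policy. STRICT rejects any plaintext traffic to the sidecar.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Peer authentication, workload-scoped: an exception for one workload that still
# has a non-mesh client on port 8080. PERMISSIVE accepts both mTLS and plaintext
# on that port only; everything else on the workload stays STRICT.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: payments-legacy-port
  namespace: orders            # assumed namespace
spec:
  selector:
    matchLabels:
      app: payments            # assumed workload label
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: PERMISSIVE
---
# Request authentication: validate JWTs presented to the payments workload.
# Tokens are checked for signature (against the JWKS), issuer and expiry.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: payments-jwt
  namespace: orders
spec:
  selector:
    matchLabels:
      app: payments
  jwtRules:
  - issuer: "https://issuer.example.com"                        # placeholder
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"  # placeholder
    forwardOriginalToken: true   # let the app see the token after the proxy validated it
---
# Caveat: RequestAuthentication only rejects requests that carry an INVALID
# token. A request with NO token is still forwarded. To require a token, pair it
# with an AuthorizationPolicy that only allows an authenticated request principal.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-require-jwt
  namespace: orders
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]   # any principal set by a validated JWT
```

Apply with `kubectl apply -f` and verify the mTLS side with `istioctl x describe pod <payments-pod>` (it reports the effective PeerAuthentication mode). The last policy is the piece most often forgotten: without it a missing `Authorization` header is not an error, so a quick check is to send one request with a valid token and one with no token and confirm the second is refused with HTTP 403.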
To get more information on how to configure them, refer to this link.
Istio can provide several levels of access control within the mesh: mesh-wide, namespace-wide, and a more targeted per-workload policy. It does this with the AuthorizationPolicy resource.
More information on the features and configuration of authorization policies is located here.
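To show the three scopes side by side, here is an added example of a deny-by-default layout built from AuthorizationPolicy resources. It is not from the page or the Istio project; the namespace `orders`, the service account `checkout`, the `app: payments` label and the `/v1/charge` path are assumptions. The rule is that a mesh-wide policy lives in the root namespace, a namespace-wide policy has no selector, and a workload policy carries a selector; Istio evaluates DENY policies first, then ALLOW policies, and denies when no ALLOW matches.

```yaml
# Mesh-wide (root namespace): an AuthorizationPolicy with an empty spec
# matches every workload in the mesh and has no rules, so nothing is allowed.
# Every namespace and workload then has to opt in explicitly.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: istio-system
spec: {}
---
# Namespace-wide (no selector): workloads in "orders" may talk to each other,
# and the ingress gateway's service account may reach them. Nothing else can.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-within-orders
  namespace: orders                      # assumed namespace
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["orders"]
    - source:
        principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
---
# Workload-scoped (selector): the payments service only accepts POST /v1/charge,
# and only from the checkout service account. Source principals are the SPIFFE
# identities carried in mTLS certificates, so this rule is only as strong as
# the PeerAuthentication mode; with PERMISSIVE a plaintext caller has no
# principal and is simply not matched by the rule.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-charge
  namespace: orders
spec:
  selector:
    matchLabels:
      app: payments                      # assumed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/orders/sa/checkout"]   # assumed service account
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/charge"]            # assumed path
---
# An explicit DENY is evaluated before any ALLOW, which makes it the right
# place for a hard block such as refusing any request from outside the mesh
# that tries the admin path, regardless of what later ALLOW rules grant.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-block-admin
  namespace: orders
spec:
  selector:
    matchLabels:
      app: payments
  action: DENY
  rules:
  - to:
    - operation:
        paths: ["/admin/*"]
```

Because the mesh-wide policy denies everything, each new namespace must add its own ALLOW policy before traffic flows; that is deliberate, and `istioctl x authz check <pod>` lists the policies that apply to a given workload when a request is unexpectedly refused. Note that the workload policy keys on `principals`, so the mesh-wide STRICT PeerAuthentication is what turns the identity check into a real guarantee rather than a best-effort match.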
The following are additional resources for learning about Istio security.