Service Mesh Integration: SPIFFE/SPIRE with Istio for Zero-Trust Networking

Introduction: The Perfect Marriage of Identity and Mesh#

In our previous posts on SPIFFE/SPIRE, we’ve built a robust workload identity platform. Now it’s time to integrate this foundation with Istio service mesh to create a comprehensive zero-trust networking solution that combines cryptographic workload identity with intelligent traffic management.

This integration represents the evolution from basic service-to-service communication to a sophisticated platform where every connection is authenticated, authorized, and encrypted based on workload identity rather than network location.

Understanding the Integration Architecture#

Let’s visualize how SPIFFE/SPIRE integrates with Istio:

1
graph TB
2
    subgraph "Control Plane"
3
        ISTIOD[Istio Control Plane<br/>istiod]
4
        SPIRE_SERVER[SPIRE Server]
5
        PILOT[Pilot<br/>Service Discovery]
6
        CITADEL[Citadel<br/>Certificate Management]
7
    end
8

9
    subgraph "Data Plane - Node 1"
10
        ENVOY1[Envoy Proxy]
11
        SPIRE_AGENT1[SPIRE Agent]
12
        APP1[Application 1<br/>Frontend]
13

14
        SPIRE_AGENT1 --> ENVOY1
15
        ENVOY1 --> APP1
16
    end
17

18
    subgraph "Data Plane - Node 2"
19
        ENVOY2[Envoy Proxy]
20
        SPIRE_AGENT2[SPIRE Agent]
21
        APP2[Application 2<br/>Backend]
22

23
        SPIRE_AGENT2 --> ENVOY2
24
        ENVOY2 --> APP2
25
    end
26

27
    subgraph "Identity Flow"
28
        WL_API[Workload API]
29
        SVID[SPIFFE SVID]
30
        BUNDLE[Trust Bundle]
31
    end
32

33
    SPIRE_SERVER --> SPIRE_AGENT1
34
    SPIRE_SERVER --> SPIRE_AGENT2
35
    ISTIOD --> ENVOY1
36
    ISTIOD --> ENVOY2
37

38
    SPIRE_AGENT1 --> WL_API
39
    WL_API --> SVID
40
    SVID --> ENVOY1
41

42
    SPIRE_AGENT2 --> WL_API
43
    WL_API --> SVID
44
    SVID --> ENVOY2
45

46
    ENVOY1 -.->|mTLS with SPIFFE IDs| ENVOY2
47

48
    style SPIRE_SERVER fill:#ff9999
49
    style SPIRE_AGENT1 fill:#ffcc99
50
    style SPIRE_AGENT2 fill:#ffcc99
51
    style ENVOY1 fill:#99ff99
52
    style ENVOY2 fill:#99ff99

Integration Benefits#

Unified Identity: SPIFFE IDs become the source of truth for both authentication and authorization
Automatic mTLS: Envoy proxies use SPIFFE SVIDs for mutual TLS without manual certificate management
Fine-Grained Policies: Authorization policies based on cryptographic identity, not network location
Observability: Rich telemetry combining service mesh metrics with identity information
Multi-Cluster: SPIFFE federation enables secure cross-cluster communication

Installation and Configuration#

Step 1: Install Istio with SPIRE Integration#

First, let’s install Istio configured to use SPIRE as the certificate authority:

1
# Download and install Istio
2
curl -L https://istio.io/downloadIstio | sh -
3
cd istio-*
4
export PATH=$PWD/bin:$PATH
5

6
# Create Istio configuration for SPIRE integration
7
cat <<EOF > istio-spire-config.yaml
8
apiVersion: install.istio.io/v1alpha1
9
kind: IstioOperator
10
metadata:
11
  name: spire-integration
12
spec:
13
  values:
14
    # Disable Istio's built-in CA
15
    pilot:
16
      env:
17
        # Use SPIRE as external CA
18
        EXTERNAL_CA: ISTIOD_RA_KUBERNETES_API
19

20
        # SPIRE server endpoint
21
        CA_ADDR: spire-server.spire-system.svc:8081
22

23
        # Enable workload entry auto-registration
24
        PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION: true
25

26
        # Use SPIFFE identity format
27
        PILOT_ENABLE_SPIFFE_ENDPOINT_SLICE: true
28

29
        # Custom trust domain
30
        TRUST_DOMAIN: "cluster.local"
31

32
        # JWT issuer (matches SPIRE configuration)
33
        JWT_ISSUER: "https://oidc.enterprise.example.com"
34

35
    # Global proxy configuration
36
    global:
37
      # Mesh ID for multi-cluster
38
      meshID: "mesh1"
39

40
      # Trust domain (should match SPIRE)
41
      trustDomain: "cluster.local"
42

43
      # External CA configuration
44
      caAddress: "spire-server.spire-system.svc:8081"
45

46
      # Proxy configuration
47
      proxy:
48
        # Enable automatic protocol detection
49
        autoInject: enabled
50

51
        # SPIFFE integration
52
        env:
53
          # SPIFFE endpoint socket path
54
          SPIFFE_ENDPOINT_SOCKET: "unix:///run/spire/sockets/agent.sock"
55

56
          # Trust bundle path
57
          TRUST_BUNDLE_PATH: "/run/spire/bundle/bundle.crt"
58

59
          # Workload API timeout
60
          WORKLOAD_API_TIMEOUT: "30s"
61

62
    # Sidecar injector configuration
63
    sidecarInjectorWebhook:
64
      # Enable automatic sidecar injection
65
      enableNamespacesByDefault: false
66

67
      # Custom injection template for SPIRE
68
      templates:
69
        spire: |
70
          spec:
71
            containers:
72
            - name: istio-proxy
73
              volumeMounts:
74
              - name: spire-agent-socket
75
                mountPath: /run/spire/sockets
76
                readOnly: true
77
              - name: spire-bundle
78
                mountPath: /run/spire/bundle
79
                readOnly: true
80
            volumes:
81
            - name: spire-agent-socket
82
              hostPath:
83
                path: /run/spire/sockets
84
                type: DirectoryOrCreate
85
            - name: spire-bundle
86
              configMap:
87
                name: spire-bundle
88

89
  components:
90
    pilot:
91
      k8s:
92
        # Enhanced resources for SPIRE integration
93
        resources:
94
          requests:
95
            cpu: 200m
96
            memory: 512Mi
97
          limits:
98
            cpu: 2000m
99
            memory: 2Gi
100

101
        # Environment variables for SPIRE integration
102
        env:
103
        - name: SPIFFE_ENDPOINT_SOCKET
104
          value: "unix:///run/spire/sockets/agent.sock"
105
        - name: TRUST_DOMAIN
106
          value: "cluster.local"
107

108
        # Volume mounts for SPIRE
109
        volumeMounts:
110
        - name: spire-agent-socket
111
          mountPath: /run/spire/sockets
112
          readOnly: true
113
        - name: spire-bundle
114
          mountPath: /run/spire/bundle
115
          readOnly: true
116

117
        volumes:
118
        - name: spire-agent-socket
119
          hostPath:
120
            path: /run/spire/sockets
121
            type: DirectoryOrCreate
122
        - name: spire-bundle
123
          configMap:
124
            name: spire-bundle
125

126
    # Proxy configuration
127
    proxy:
128
      k8s:
129
        # Security context for SPIRE access
130
        securityContext:
131
          runAsUser: 1337
132
          runAsGroup: 1337
133

134
        # Resource limits
135
        resources:
136
          requests:
137
            cpu: 100m
138
            memory: 128Mi
139
          limits:
140
            cpu: 1000m
141
            memory: 1Gi
142
EOF
143

144
# Install Istio with SPIRE integration
145
istioctl install -f istio-spire-config.yaml --set values.pilot.env.EXTERNAL_CA=ISTIOD_RA_KUBERNETES_API

Step 2: Configure SPIRE for Istio Integration#

Update your SPIRE configuration to work with Istio:

1
apiVersion: v1
2
kind: ConfigMap
3
metadata:
4
  name: spire-server-istio-config
5
  namespace: spire-system
6
data:
7
  server.conf: |
8
    server {
9
      bind_address = "0.0.0.0"
10
      bind_port = "8081"
11
      socket_path = "/tmp/spire-server/private/api.sock"
12
      trust_domain = "cluster.local"
13
      data_dir = "/run/spire/data"
14
      log_level = "INFO"
15

16
      # JWT issuer configuration for Istio
17
      jwt_issuer = "https://oidc.enterprise.example.com"
18

19
      # Default SVID TTL (align with Istio expectations)
20
      default_svid_ttl = "1h"
21

22
      # CA configuration for Istio integration
23
      ca_subject = {
24
        country = ["US"],
25
        organization = ["Example Corp"],
26
        common_name = "SPIRE Server CA for Istio",
27
      }
28
    }
29

30
    plugins {
31
      # Kubernetes node attestor
32
      NodeAttestor "k8s_psat" {
33
        plugin_data {
34
          clusters = {
35
            "cluster.local" = {
36
              service_account_allow_list = ["spire-agent"]
37
              audience = ["spire-server"]
38
            }
39
          }
40
        }
41
      }
42

43
      # Kubernetes workload attestor with Istio support
44
      WorkloadAttestor "k8s" {
45
        plugin_data {
46
          # Skip kubelet verification for Istio sidecars
47
          skip_kubelet_verification = false
48
          kubelet_secure_port = 10250
49

50
          # Custom pod UID extraction for Istio
51
          use_new_container_locator = true
52

53
          # Verify node name
54
          verify_node_resolver = true
55
        }
56
      }
57

58
      # Istio-specific workload attestor
59
      WorkloadAttestor "docker" {
60
        plugin_data {
61
          docker_socket_path = "unix:///var/run/docker.sock"
62

63
          # Container ID matchers for Istio sidecars
64
          container_id_cgroup_matchers = [
65
            "/docker/([^/]+)",
66
            "/system.slice/docker-([^.]+).scope",
67
            "/kubepods/[^/]+/pod[^/]+/([^/]+)"
68
          ]
69

70
          # Use new container locator for better Istio support
71
          use_new_container_locator = true
72
        }
73
      }
74

75
      DataStore "sql" {
76
        plugin_data {
77
          database_type = "postgres"
78
          connection_string = "host=postgres-ha.data.svc.cluster.local dbname=spire user=spire sslmode=require"
79
        }
80
      }
81

82
      KeyManager "disk" {
83
        plugin_data {
84
          keys_path = "/run/spire/data/keys.json"
85
        }
86
      }
87

88
      UpstreamAuthority "disk" {
89
        plugin_data {
90
          cert_file_path = "/run/spire/ca/ca.crt"
91
          key_file_path = "/run/spire/ca/ca.key"
92
        }
93
      }
94

95
      # Kubernetes bundle notifier for Istio
96
      Notifier "k8sbundle" {
97
        plugin_data {
98
          # Update ConfigMap for Istio trust bundle
99
          webhook_label = "spiffe.io/webhook"
100
          config_map = "spire-bundle"
101
          config_map_key = "bundle.crt"
102
          namespace = "istio-system"
103
        }
104
      }
105
    }
106

107
    health_checks {
108
      listener_enabled = true
109
      bind_address = "0.0.0.0"
110
      bind_port = "8080"
111
      live_path = "/live"
112
      ready_path = "/ready"
113
    }
114

115
    telemetry {
116
      Prometheus {
117
        bind_address = "0.0.0.0"
118
        bind_port = "9988"
119
      }
120
    }
121
---
122
# SPIRE Agent configuration for Istio
123
apiVersion: v1
124
kind: ConfigMap
125
metadata:
126
  name: spire-agent-istio-config
127
  namespace: spire-system
128
data:
129
  agent.conf: |
130
    agent {
131
      data_dir = "/run/spire/data"
132
      log_level = "INFO"
133
      server_address = "spire-server.spire-system"
134
      server_port = "8081"
135
      socket_path = "/run/spire/sockets/agent.sock"
136
      trust_bundle_path = "/run/spire/bundle/bundle.crt"
137
      trust_domain = "cluster.local"
138

139
      # Insecure bootstrap for demo (use join tokens in production)
140
      insecure_bootstrap = false
141
    }
142

143
    plugins {
144
      NodeAttestor "k8s_psat" {
145
        plugin_data {
146
          cluster = "cluster.local"
147
          token_path = "/var/run/secrets/tokens/spire-agent"
148
        }
149
      }
150

151
      # Kubernetes workload attestor for Istio
152
      WorkloadAttestor "k8s" {
153
        plugin_data {
154
          skip_kubelet_verification = false
155
          kubelet_secure_port = 10250
156

157
          # Node name for verification
158
          node_name_env = "MY_NODE_NAME"
159

160
          # Kubernetes config for API access
161
          kube_config_file = "/var/lib/kubelet/kubeconfig"
162
        }
163
      }
164

165
      # Docker workload attestor for Istio sidecars
166
      WorkloadAttestor "docker" {
167
        plugin_data {
168
          docker_socket_path = "unix:///var/run/docker.sock"
169

170
          # Container matchers for Istio
171
          container_id_cgroup_matchers = [
172
            "/docker/([^/]+)",
173
            "/system.slice/docker-([^.]+).scope"
174
          ]
175
        }
176
      }
177

178
      KeyManager "memory" {
179
        plugin_data = {}
180
      }
181
    }
182

183
    health_checks {
184
      listener_enabled = true
185
      bind_address = "0.0.0.0"
186
      bind_port = "8080"
187
      live_path = "/live"
188
      ready_path = "/ready"
189
    }
190

191
    telemetry {
192
      Prometheus {
193
        bind_address = "0.0.0.0"
194
        bind_port = "9988"
195
      }
196
    }

Step 3: Configure Workload Registration for Istio#

Create ClusterSPIFFEID resources for Istio workloads:

1
apiVersion: spire.spiffe.io/v1alpha1
2
kind: ClusterSPIFFEID
3
metadata:
4
  name: istio-sidecars
5
spec:
6
  # SPIFFE ID template for Istio sidecars
7
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
8

9
  # Select all pods with Istio sidecar injection
10
  podSelector:
11
    matchLabels:
12
      security.istio.io/tlsMode: istio
13

14
  # Include common application namespaces
15
  namespaceSelector:
16
    matchExpressions:
17
      - key: name
18
        operator: NotIn
19
        values: ["kube-system", "kube-public", "spire-system"]
20

21
  # Workload selectors for SPIRE Agent
22
  workloadSelectorTemplates:
23
    - "k8s:ns:{{ .PodMeta.Namespace }}"
24
    - "k8s:sa:{{ .PodSpec.ServiceAccountName }}"
25
    - "k8s:pod-label:app:{{ .PodMeta.Labels.app }}"
26

27
  # DNS names for service mesh communication
28
  dnsNameTemplates:
29
    - "{{ .PodMeta.Labels.app }}.{{ .PodMeta.Namespace }}.svc.cluster.local"
30
    - "{{ .PodMeta.Name }}.{{ .PodMeta.Namespace }}.svc.cluster.local"
31

32
  # SVID TTL aligned with Istio certificate rotation
33
  ttl: 3600
34
---
35
# Specific registration for ingress gateways
36
apiVersion: spire.spiffe.io/v1alpha1
37
kind: ClusterSPIFFEID
38
metadata:
39
  name: istio-gateways
40
spec:
41
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/gateway/{{ .PodMeta.Labels.app }}"
42

43
  podSelector:
44
    matchLabels:
45
      app: istio-proxy
46
      istio: ingressgateway
47

48
  namespaceSelector:
49
    matchNames:
50
      - "istio-system"
51

52
  workloadSelectorTemplates:
53
    - "k8s:ns:{{ .PodMeta.Namespace }}"
54
    - "k8s:sa:{{ .PodSpec.ServiceAccountName }}"
55
    - "k8s:pod-label:istio:{{ .PodMeta.Labels.istio }}"
56

57
  dnsNameTemplates:
58
    - "istio-ingressgateway.istio-system.svc.cluster.local"
59
    - "*.example.com"
60

61
  # Longer TTL for stable gateway identities
62
  ttl: 7200
63
---
64
# Registration for Istio control plane
65
apiVersion: spire.spiffe.io/v1alpha1
66
kind: ClusterSPIFFEID
67
metadata:
68
  name: istio-control-plane
69
spec:
70
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/istiod"
71

72
  podSelector:
73
    matchLabels:
74
      app: istiod
75

76
  namespaceSelector:
77
    matchNames:
78
      - "istio-system"
79

80
  workloadSelectorTemplates:
81
    - "k8s:ns:{{ .PodMeta.Namespace }}"
82
    - "k8s:sa:{{ .PodSpec.ServiceAccountName }}"
83
    - "k8s:pod-label:app:istiod"
84

85
  # Admin privileges for Istio control plane
86
  admin: true
87

88
  dnsNameTemplates:
89
    - "istiod.istio-system.svc.cluster.local"
90
    - "istiod.istio-system"
91

92
  ttl: 3600

Step 4: Deploy Sample Application with Istio and SPIRE#

Let’s deploy a multi-tier application that uses both Istio service mesh and SPIFFE identities:

1
apiVersion: v1
2
kind: Namespace
3
metadata:
4
  name: bookinfo
5
  labels:
6
    istio-injection: enabled
7
    spire-managed: "true"
8
---
9
# Service accounts for each service
10
apiVersion: v1
11
kind: ServiceAccount
12
metadata:
13
  name: productpage
14
  namespace: bookinfo
15
---
16
apiVersion: v1
17
kind: ServiceAccount
18
metadata:
19
  name: details
20
  namespace: bookinfo
21
---
22
apiVersion: v1
23
kind: ServiceAccount
24
metadata:
25
  name: reviews
26
  namespace: bookinfo
27
---
28
apiVersion: v1
29
kind: ServiceAccount
30
metadata:
31
  name: ratings
32
  namespace: bookinfo
33
---
34
# ProductPage service and deployment
35
apiVersion: v1
36
kind: Service
37
metadata:
38
  name: productpage
39
  namespace: bookinfo
40
  labels:
41
    app: productpage
42
    service: productpage
43
spec:
44
  ports:
45
    - port: 9080
46
      name: http
47
  selector:
48
    app: productpage
49
---
50
apiVersion: apps/v1
51
kind: Deployment
52
metadata:
53
  name: productpage
54
  namespace: bookinfo
55
spec:
56
  replicas: 1
57
  selector:
58
    matchLabels:
59
      app: productpage
60
      version: v1
61
  template:
62
    metadata:
63
      labels:
64
        app: productpage
65
        version: v1
66
        security.istio.io/tlsMode: istio
67
      annotations:
68
        # Custom sidecar injection template for SPIRE
69
        sidecar.istio.io/inject: "true"
70
        inject.istio.io/templates: "sidecar,spire"
71
    spec:
72
      serviceAccountName: productpage
73
      containers:
74
        - name: productpage
75
          image: docker.io/istio/examples-bookinfo-productpage-v1:1.16.2
76
          imagePullPolicy: IfNotPresent
77
          ports:
78
            - containerPort: 9080
79
          env:
80
            # Enable SPIFFE identity for application
81
            - name: SPIFFE_ENDPOINT_SOCKET
82
              value: "unix:///run/spire/sockets/agent.sock"
83
            - name: TRUST_DOMAIN
84
              value: "cluster.local"
85
          volumeMounts:
86
            - name: spire-agent-socket
87
              mountPath: /run/spire/sockets
88
              readOnly: true
89
      volumes:
90
        - name: spire-agent-socket
91
          hostPath:
92
            path: /run/spire/sockets
93
            type: DirectoryOrCreate
94
---
95
# Details service and deployment
96
apiVersion: v1
97
kind: Service
98
metadata:
99
  name: details
100
  namespace: bookinfo
101
  labels:
102
    app: details
103
    service: details
104
spec:
105
  ports:
106
    - port: 9080
107
      name: http
108
  selector:
109
    app: details
110
---
111
apiVersion: apps/v1
112
kind: Deployment
113
metadata:
114
  name: details
115
  namespace: bookinfo
116
spec:
117
  replicas: 1
118
  selector:
119
    matchLabels:
120
      app: details
121
      version: v1
122
  template:
123
    metadata:
124
      labels:
125
        app: details
126
        version: v1
127
        security.istio.io/tlsMode: istio
128
      annotations:
129
        sidecar.istio.io/inject: "true"
130
        inject.istio.io/templates: "sidecar,spire"
131
    spec:
132
      serviceAccountName: details
133
      containers:
134
        - name: details
135
          image: docker.io/istio/examples-bookinfo-details-v1:1.16.2
136
          imagePullPolicy: IfNotPresent
137
          ports:
138
            - containerPort: 9080
139
          env:
140
            - name: SPIFFE_ENDPOINT_SOCKET
141
              value: "unix:///run/spire/sockets/agent.sock"
142
          volumeMounts:
143
            - name: spire-agent-socket
144
              mountPath: /run/spire/sockets
145
              readOnly: true
146
      volumes:
147
        - name: spire-agent-socket
148
          hostPath:
149
            path: /run/spire/sockets
150
            type: DirectoryOrCreate
151
---
152
# Reviews service and deployment (multiple versions)
153
apiVersion: v1
154
kind: Service
155
metadata:
156
  name: reviews
157
  namespace: bookinfo
158
  labels:
159
    app: reviews
160
    service: reviews
161
spec:
162
  ports:
163
    - port: 9080
164
      name: http
165
  selector:
166
    app: reviews
167
---
168
apiVersion: apps/v1
169
kind: Deployment
170
metadata:
171
  name: reviews-v1
172
  namespace: bookinfo
173
spec:
174
  replicas: 1
175
  selector:
176
    matchLabels:
177
      app: reviews
178
      version: v1
179
  template:
180
    metadata:
181
      labels:
182
        app: reviews
183
        version: v1
184
        security.istio.io/tlsMode: istio
185
      annotations:
186
        sidecar.istio.io/inject: "true"
187
        inject.istio.io/templates: "sidecar,spire"
188
    spec:
189
      serviceAccountName: reviews
190
      containers:
191
        - name: reviews
192
          image: docker.io/istio/examples-bookinfo-reviews-v1:1.16.2
193
          imagePullPolicy: IfNotPresent
194
          ports:
195
            - containerPort: 9080
196
          env:
197
            - name: SPIFFE_ENDPOINT_SOCKET
198
              value: "unix:///run/spire/sockets/agent.sock"
199
          volumeMounts:
200
            - name: spire-agent-socket
201
              mountPath: /run/spire/sockets
202
              readOnly: true
203
      volumes:
204
        - name: spire-agent-socket
205
          hostPath:
206
            path: /run/spire/sockets
207
            type: DirectoryOrCreate
208
---
209
apiVersion: apps/v1
210
kind: Deployment
211
metadata:
212
  name: reviews-v2
213
  namespace: bookinfo
214
spec:
215
  replicas: 1
216
  selector:
217
    matchLabels:
218
      app: reviews
219
      version: v2
220
  template:
221
    metadata:
222
      labels:
223
        app: reviews
224
        version: v2
225
        security.istio.io/tlsMode: istio
226
      annotations:
227
        sidecar.istio.io/inject: "true"
228
        inject.istio.io/templates: "sidecar,spire"
229
    spec:
230
      serviceAccountName: reviews
231
      containers:
232
        - name: reviews
233
          image: docker.io/istio/examples-bookinfo-reviews-v2:1.16.2
234
          imagePullPolicy: IfNotPresent
235
          ports:
236
            - containerPort: 9080
237
          env:
238
            - name: SPIFFE_ENDPOINT_SOCKET
239
              value: "unix:///run/spire/sockets/agent.sock"
240
          volumeMounts:
241
            - name: spire-agent-socket
242
              mountPath: /run/spire/sockets
243
              readOnly: true
244
      volumes:
245
        - name: spire-agent-socket
246
          hostPath:
247
            path: /run/spire/sockets
248
            type: DirectoryOrCreate
249
---
250
# Ratings service and deployment
251
apiVersion: v1
252
kind: Service
253
metadata:
254
  name: ratings
255
  namespace: bookinfo
256
  labels:
257
    app: ratings
258
    service: ratings
259
spec:
260
  ports:
261
    - port: 9080
262
      name: http
263
  selector:
264
    app: ratings
265
---
266
apiVersion: apps/v1
267
kind: Deployment
268
metadata:
269
  name: ratings
270
  namespace: bookinfo
271
spec:
272
  replicas: 1
273
  selector:
274
    matchLabels:
275
      app: ratings
276
      version: v1
277
  template:
278
    metadata:
279
      labels:
280
        app: ratings
281
        version: v1
282
        security.istio.io/tlsMode: istio
283
      annotations:
284
        sidecar.istio.io/inject: "true"
285
        inject.istio.io/templates: "sidecar,spire"
286
    spec:
287
      serviceAccountName: ratings
288
      containers:
289
        - name: ratings
290
          image: docker.io/istio/examples-bookinfo-ratings-v1:1.16.2
291
          imagePullPolicy: IfNotPresent
292
          ports:
293
            - containerPort: 9080
294
          env:
295
            - name: SPIFFE_ENDPOINT_SOCKET
296
              value: "unix:///run/spire/sockets/agent.sock"
297
          volumeMounts:
298
            - name: spire-agent-socket
299
              mountPath: /run/spire/sockets
300
              readOnly: true
301
      volumes:
302
        - name: spire-agent-socket
303
          hostPath:
304
            path: /run/spire/sockets
305
            type: DirectoryOrCreate

Advanced Authorization Policies with SPIFFE Identities#

Now let’s create sophisticated authorization policies using SPIFFE identities:

1
apiVersion: security.istio.io/v1beta1
2
kind: AuthorizationPolicy
3
metadata:
4
  name: productpage-policy
5
  namespace: bookinfo
6
spec:
7
  # Apply to productpage service
8
  selector:
9
    matchLabels:
10
      app: productpage
11
  rules:
12
    # Allow access from ingress gateway
13
    - from:
14
        - source:
15
            principals: ["cluster.local/ns/istio-system/gateway/istio-proxy"]
16
      to:
17
        - operation:
18
            methods: ["GET", "POST"]
19
            paths: ["/productpage*", "/static/*"]
20

21
    # Allow health checks from Kubernetes
22
    - from:
23
        - source:
24
            principals: ["cluster.local/ns/kube-system/sa/system"]
25
      to:
26
        - operation:
27
            methods: ["GET"]
28
            paths: ["/health", "/ready"]
29
---
30
# Reviews service authorization
31
apiVersion: security.istio.io/v1beta1
32
kind: AuthorizationPolicy
33
metadata:
34
  name: reviews-policy
35
  namespace: bookinfo
36
spec:
37
  selector:
38
    matchLabels:
39
      app: reviews
40
  rules:
41
    # Only allow access from productpage
42
    - from:
43
        - source:
44
            principals: ["cluster.local/ns/bookinfo/sa/productpage"]
45
      to:
46
        - operation:
47
            methods: ["GET"]
48
            paths: ["/reviews*"]
49

50
    # Allow internal health checks
51
    - from:
52
        - source:
53
            principals: ["cluster.local/ns/bookinfo/sa/reviews"]
54
      to:
55
        - operation:
56
            methods: ["GET"]
57
            paths: ["/health"]
58
---
59
# Details service authorization
60
apiVersion: security.istio.io/v1beta1
61
kind: AuthorizationPolicy
62
metadata:
63
  name: details-policy
64
  namespace: bookinfo
65
spec:
66
  selector:
67
    matchLabels:
68
      app: details
69
  rules:
70
    # Only allow access from productpage
71
    - from:
72
        - source:
73
            principals: ["cluster.local/ns/bookinfo/sa/productpage"]
74
      to:
75
        - operation:
76
            methods: ["GET"]
77
            paths: ["/details*"]
78
---
79
# Ratings service authorization
80
apiVersion: security.istio.io/v1beta1
81
kind: AuthorizationPolicy
82
metadata:
83
  name: ratings-policy
84
  namespace: bookinfo
85
spec:
86
  selector:
87
    matchLabels:
88
      app: ratings
89
  rules:
90
    # Only allow access from reviews service
91
    - from:
92
        - source:
93
            principals: ["cluster.local/ns/bookinfo/sa/reviews"]
94
      to:
95
        - operation:
96
            methods: ["GET"]
97
            paths: ["/ratings*"]
98

99
    # Allow specific reviews versions with different access patterns
100
    - from:
101
        - source:
102
            principals: ["cluster.local/ns/bookinfo/sa/reviews"]
103
      when:
104
        - key: source.labels[version]
105
          values: ["v2", "v3"]
106
      to:
107
        - operation:
108
            methods: ["GET", "POST"]
109
            paths: ["/ratings*"]
110
---
111
# Cross-namespace communication policy
112
apiVersion: security.istio.io/v1beta1
113
kind: AuthorizationPolicy
114
metadata:
115
  name: cross-namespace-policy
116
  namespace: bookinfo
117
spec:
118
  # Apply to all services in bookinfo namespace
119
  rules:
120
    # Allow monitoring from observability namespace
121
    - from:
122
        - source:
123
            principals: ["cluster.local/ns/monitoring/sa/prometheus"]
124
      to:
125
        - operation:
126
            methods: ["GET"]
127
            paths: ["/metrics", "/stats/prometheus"]
128

129
    # Allow tracing from jaeger
130
    - from:
131
        - source:
132
            principals: ["cluster.local/ns/istio-system/sa/jaeger"]
133
      to:
134
        - operation:
135
            methods: ["POST"]
136
            paths: ["/api/traces"]
137
---
138
# Time-based access policy (business hours only)
139
apiVersion: security.istio.io/v1beta1
140
kind: AuthorizationPolicy
141
metadata:
142
  name: business-hours-policy
143
  namespace: bookinfo
144
spec:
145
  selector:
146
    matchLabels:
147
      app: ratings
148
  rules:
149
    - from:
150
        - source:
151
            principals: ["cluster.local/ns/bookinfo/sa/reviews"]
152
      when:
153
        # Only allow access during business hours (simplified example)
154
        - key: request.time | date('%H')
155
          values: ["09", "10", "11", "12", "13", "14", "15", "16", "17"]
156
      to:
157
        - operation:
158
            methods: ["GET", "POST"]
159
---
160
# Environment-based access control
161
apiVersion: security.istio.io/v1beta1
162
kind: AuthorizationPolicy
163
metadata:
164
  name: environment-policy
165
  namespace: bookinfo
166
spec:
167
  rules:
168
    # Production environment - strict controls
169
    - from:
170
        - source:
171
            principals: ["cluster.local/ns/bookinfo/sa/*"]
172
      when:
173
        - key: destination.labels[environment]
174
          values: ["production"]
175
        - key: source.labels[environment]
176
          values: ["production"]
177
      to:
178
        - operation:
179
            methods: ["GET", "POST"]
180

181
    # Staging environment - more permissive
182
    - from:
183
        - source:
184
            principals: ["cluster.local/ns/bookinfo/sa/*"]
185
      when:
186
        - key: destination.labels[environment]
187
          values: ["staging"]
188
      to:
189
        - operation:
190
            methods: ["GET", "POST", "PUT", "DELETE"]

Traffic Management with SPIFFE Identity Context#

Enhance Istio traffic management with SPIFFE identity information:

1
apiVersion: networking.istio.io/v1beta1
2
kind: VirtualService
3
metadata:
4
  name: reviews-routing
5
  namespace: bookinfo
6
spec:
7
  hosts:
8
    - reviews
9
  http:
10
    # Route based on source identity
11
    - match:
12
        - headers:
13
            # Custom header with SPIFFE ID
14
            spiffe-id:
15
              exact: "spiffe://cluster.local/ns/bookinfo/sa/productpage"
16
      route:
17
        - destination:
18
            host: reviews
19
            subset: v2
20
          weight: 50
21
        - destination:
22
            host: reviews
23
            subset: v1
24
          weight: 50
25

26
    # Route based on source service account
27
    - match:
28
        - sourceLabels:
29
            app: productpage
30
      route:
31
        - destination:
32
            host: reviews
33
            subset: v3
34
          weight: 100
35

36
    # Default routing for other identities
37
    - route:
38
        - destination:
39
            host: reviews
40
            subset: v1
41
---
42
# Destination rules with SPIFFE-aware load balancing
43
apiVersion: networking.istio.io/v1beta1
44
kind: DestinationRule
45
metadata:
46
  name: reviews-destination
47
  namespace: bookinfo
48
spec:
49
  host: reviews
50
  trafficPolicy:
51
    # Load balancing based on consistent hash of SPIFFE ID
52
    loadBalancer:
53
      consistentHash:
54
        httpHeaderName: "spiffe-id"
55

56
    # Connection pool settings for SPIFFE-enabled services
57
    connectionPool:
58
      tcp:
59
        maxConnections: 100
60
        connectTimeout: 30s
61
        tcpKeepalive:
62
          time: 7200s
63
          interval: 75s
64
      http:
65
        http1MaxPendingRequests: 50
66
        http2MaxRequests: 100
67
        maxRequestsPerConnection: 10
68
        maxRetries: 3
69
        idleTimeout: 60s
70

71
    # Circuit breaker with SPIFFE identity consideration
72
    outlierDetection:
73
      consecutive5xxErrors: 5
74
      consecutiveGatewayErrors: 5
75
      interval: 30s
76
      baseEjectionTime: 30s
77
      maxEjectionPercent: 50
78
      minHealthPercent: 30
79

80
  subsets:
81
    - name: v1
82
      labels:
83
        version: v1
84
      trafficPolicy:
85
        # Stricter settings for v1 (older version)
86
        connectionPool:
87
          tcp:
88
            maxConnections: 50
89
    - name: v2
90
      labels:
91
        version: v2
92
      trafficPolicy:
93
        # More permissive for v2
94
        connectionPool:
95
          tcp:
96
            maxConnections: 100
97
    - name: v3
98
      labels:
99
        version: v3
100
      trafficPolicy:
101
        # Latest version gets most resources
102
        connectionPool:
103
          tcp:
104
            maxConnections: 200
105
---
106
# Service entry for external services with SPIFFE identity
107
apiVersion: networking.istio.io/v1beta1
108
kind: ServiceEntry
109
metadata:
110
  name: external-ratings-service
111
  namespace: bookinfo
112
spec:
113
  hosts:
114
    - external-ratings.example.com
115
  ports:
116
    - number: 443
117
      name: https
118
      protocol: HTTPS
119
  location: MESH_EXTERNAL
120
  resolution: DNS
121
---
122
# Virtual service for external service with identity-based routing
123
apiVersion: networking.istio.io/v1beta1
124
kind: VirtualService
125
metadata:
126
  name: external-ratings
127
  namespace: bookinfo
128
spec:
129
  hosts:
130
    - external-ratings.example.com
131
  tls:
132
    - match:
133
        - port: 443
134
          sniHosts:
135
            - external-ratings.example.com
136
      route:
137
        - destination:
138
            host: external-ratings.example.com
139
            port:
140
              number: 443
141
---
142
# Gateway configuration with SPIFFE identity validation
143
apiVersion: networking.istio.io/v1beta1
144
kind: Gateway
145
metadata:
146
  name: bookinfo-gateway
147
  namespace: bookinfo
148
spec:
149
  selector:
150
    istio: ingressgateway
151
  servers:
152
    - port:
153
        number: 80
154
        name: http
155
        protocol: HTTP
156
      hosts:
157
        - bookinfo.example.com
158
      # Redirect HTTP to HTTPS
159
      tls:
160
        httpsRedirect: true
161
    - port:
162
        number: 443
163
        name: https
164
        protocol: HTTPS
165
      hosts:
166
        - bookinfo.example.com
167
      tls:
168
        mode: SIMPLE
169
        credentialName: bookinfo-tls-secret
170
---
171
# Virtual service for gateway with identity-aware routing
172
apiVersion: networking.istio.io/v1beta1
173
kind: VirtualService
174
metadata:
175
  name: bookinfo-gateway-vs
176
  namespace: bookinfo
177
spec:
178
  hosts:
179
    - bookinfo.example.com
180
  gateways:
181
    - bookinfo-gateway
182
  http:
183
    # Route based on client certificate SPIFFE ID (if mutual TLS)
184
    - match:
185
        - uri:
186
            exact: /productpage
187
      route:
188
        - destination:
189
            host: productpage
190
            port:
191
              number: 9080
192
    - match:
193
        - uri:
194
            prefix: /static
195
      route:
196
        - destination:
197
            host: productpage
198
            port:
199
              number: 9080
200
    # API endpoints with stronger authentication
201
    - match:
202
        - uri:
203
            prefix: /api/
204
      route:
205
        - destination:
206
            host: productpage
207
            port:
208
              number: 9080
209
      headers:
210
        request:
211
          add:
212
            # Add SPIFFE ID header for backend processing
213
            x-spiffe-id: "spiffe://cluster.local/ns/istio-system/gateway/istio-proxy"

Observability and Monitoring Integration#

Enhance observability with SPIFFE identity context:

1
apiVersion: telemetry.istio.io/v1alpha1
2
kind: Telemetry
3
metadata:
4
  name: spiffe-metrics
5
  namespace: bookinfo
6
spec:
7
  # Apply to all workloads in namespace
8
  metrics:
9
    - providers:
10
        - name: prometheus
11
    - overrides:
12
        - match:
13
            metric: ALL_METRICS
14
          tagOverrides:
15
            # Add SPIFFE ID tags to all metrics
16
            source_spiffe_id:
17
              value: "%{SOURCE_PRINCIPAL}"
18
            destination_spiffe_id:
19
              value: "%{DESTINATION_PRINCIPAL}"
20
            source_trust_domain:
21
              value: "%{SOURCE_PRINCIPAL | split('/')[0]}"
22
            destination_trust_domain:
23
              value: "%{DESTINATION_PRINCIPAL | split('/')[0]}"
24
---
25
# Enhanced access logging with SPIFFE context
26
apiVersion: telemetry.istio.io/v1alpha1
27
kind: Telemetry
28
metadata:
29
  name: spiffe-access-logs
30
  namespace: bookinfo
31
spec:
32
  accessLogging:
33
    - providers:
34
        - name: otel
35
    - format:
36
        # Custom log format with SPIFFE identity
37
        text: |
38
          [%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%"
39
          %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT%
40
          %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%
41
          "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%"
42
          "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"
43
          source_spiffe_id="%SOURCE_PRINCIPAL%"
44
          destination_spiffe_id="%DESTINATION_PRINCIPAL%"
45
          source_app="%SOURCE_APP%" destination_service="%DESTINATION_SERVICE_NAME%"
46
          source_version="%SOURCE_VERSION%" destination_version="%DESTINATION_VERSION%"
47
          mutual_tls="%CONNECTION_MTLS%"
48
          spiffe_verification="%DOWNSTREAM_TLS_SUBJECT%"
49
---
50
# Distributed tracing with SPIFFE context
51
apiVersion: telemetry.istio.io/v1alpha1
52
kind: Telemetry
53
metadata:
54
  name: spiffe-tracing
55
  namespace: bookinfo
56
spec:
57
  tracing:
58
    - providers:
59
        - name: jaeger
60
    # Custom tracing tags
61
    - customTags:
62
        source_spiffe_id:
63
          header:
64
            name: "x-spiffe-source-id"
65
            defaultValue: "%{SOURCE_PRINCIPAL}"
66
        destination_spiffe_id:
67
          header:
68
            name: "x-spiffe-dest-id"
69
            defaultValue: "%{DESTINATION_PRINCIPAL}"
70
        trust_domain:
71
          header:
72
            name: "x-spiffe-trust-domain"
73
            defaultValue: "cluster.local"
74
        mtls_enabled:
75
          environment:
76
            name: "CONNECTION_MTLS"
77
            defaultValue: "unknown"
78
---
79
# Prometheus configuration for SPIFFE metrics
80
apiVersion: v1
81
kind: ConfigMap
82
metadata:
83
  name: prometheus-spiffe-config
84
  namespace: monitoring
85
data:
86
  spiffe-recording-rules.yml: |
87
    groups:
88
    - name: spiffe.rules
89
      rules:
90
      # Request rate by SPIFFE identity
91
      - record: spiffe:request_rate_5m
92
        expr: |
93
          sum(rate(istio_requests_total[5m])) by (
94
            source_spiffe_id,
95
            destination_spiffe_id,
96
            source_app,
97
            destination_service_name
98
          )
99

100
      # Error rate by SPIFFE identity
101
      - record: spiffe:error_rate_5m
102
        expr: |
103
          sum(rate(istio_requests_total{response_code!~"2.."}[5m])) by (
104
            source_spiffe_id,
105
            destination_spiffe_id,
106
            source_app,
107
            destination_service_name
108
          )
109
          /
110
          sum(rate(istio_requests_total[5m])) by (
111
            source_spiffe_id,
112
            destination_spiffe_id,
113
            source_app,
114
            destination_service_name
115
          )
116

117
      # P99 latency by SPIFFE identity
118
      - record: spiffe:request_duration_p99_5m
119
        expr: |
120
          histogram_quantile(0.99,
121
            sum(rate(istio_request_duration_milliseconds_bucket[5m])) by (
122
              source_spiffe_id,
123
              destination_spiffe_id,
124
              le
125
            )
126
          )
127

128
      # mTLS usage by service
129
      - record: spiffe:mtls_usage
130
        expr: |
131
          sum(istio_requests_total{connection_security_policy="mutual_tls"}) by (
132
            source_spiffe_id,
133
            destination_spiffe_id
134
          )
135
          /
136
          sum(istio_requests_total) by (
137
            source_spiffe_id,
138
            destination_spiffe_id
139
          )
140
---
141
# Alert rules for SPIFFE/Istio integration
142
apiVersion: monitoring.coreos.com/v1
143
kind: PrometheusRule
144
metadata:
145
  name: spiffe-istio-alerts
146
  namespace: monitoring
147
spec:
148
  groups:
149
    - name: spiffe.istio
150
      rules:
151
        - alert: SPIFFEIdentityMTLSFailure
152
          expr: |
153
            sum(rate(istio_requests_total{connection_security_policy!="mutual_tls"}[5m])) by (
154
              source_spiffe_id, destination_spiffe_id
155
            ) > 0
156
          for: 2m
157
          labels:
158
            severity: warning
159
          annotations:
160
            summary: "Non-mTLS traffic detected between SPIFFE identities"
161
            description: "Traffic from {{ $labels.source_spiffe_id }} to {{ $labels.destination_spiffe_id }} is not using mutual TLS"
162

163
        - alert: SPIFFEUnauthorizedAccess
164
          expr: |
165
            sum(rate(istio_requests_total{response_code="403"}[5m])) by (
166
              source_spiffe_id, destination_spiffe_id
167
            ) > 0.1
168
          for: 1m
169
          labels:
170
            severity: critical
171
          annotations:
172
            summary: "Unauthorized access attempts detected"
173
            description: "{{ $labels.source_spiffe_id }} is being denied access to {{ $labels.destination_spiffe_id }}"
174

175
        - alert: SPIFFEIdentityHighErrorRate
176
          expr: spiffe:error_rate_5m > 0.05
177
          for: 3m
178
          labels:
179
            severity: warning
180
          annotations:
181
            summary: "High error rate for SPIFFE identity communication"
182
            description: "Error rate between {{ $labels.source_spiffe_id }} and {{ $labels.destination_spiffe_id }} is {{ $value | humanizePercentage }}"
183

184
        - alert: SPIFFEIdentityHighLatency
185
          expr: spiffe:request_duration_p99_5m > 5000
186
          for: 5m
187
          labels:
188
            severity: warning
189
          annotations:
190
            summary: "High latency for SPIFFE identity communication"
191
            description: "P99 latency between {{ $labels.source_spiffe_id }} and {{ $labels.destination_spiffe_id }} is {{ $value }}ms"

Multi-Cluster Federation with Istio and SPIRE#

Configure cross-cluster communication with federated trust:

1
apiVersion: spire.spiffe.io/v1alpha1
2
kind: ClusterFederatedTrustDomain
3
metadata:
4
  name: remote-cluster-federation
5
spec:
6
  # Remote cluster trust domain
7
  trustDomain: "remote.cluster.local"
8

9
  # Bundle endpoint of remote cluster
10
  bundleEndpointURL: "https://spire-bundle.remote.cluster.local:8443"
11

12
  # Authentication method
13
  bundleEndpointProfile:
14
    type: "https_spiffe"
15
    endpointSPIFFEID: "spiffe://remote.cluster.local/spire/server"
16
---
17
# Istio multi-cluster configuration
18
apiVersion: networking.istio.io/v1beta1
19
kind: ServiceEntry
20
metadata:
21
  name: remote-productpage
22
  namespace: bookinfo
23
spec:
24
  hosts:
25
    - productpage.bookinfo.remote
26
  location: MESH_EXTERNAL
27
  ports:
28
    - number: 9080
29
      name: http
30
      protocol: HTTP
31
  resolution: DNS
32
  addresses:
33
    - 240.0.0.1 # Virtual IP for remote service
34
  endpoints:
35
    - address: productpage.bookinfo.svc.cluster.local
36
      network: remote-network
37
      ports:
38
        http: 9080
39
---
40
# Cross-cluster authorization policy
41
apiVersion: security.istio.io/v1beta1
42
kind: AuthorizationPolicy
43
metadata:
44
  name: cross-cluster-policy
45
  namespace: bookinfo
46
spec:
47
  selector:
48
    matchLabels:
49
      app: reviews
50
  rules:
51
    # Allow access from remote cluster productpage
52
    - from:
53
        - source:
54
            principals: ["remote.cluster.local/ns/bookinfo/sa/productpage"]
55
      to:
56
        - operation:
57
            methods: ["GET"]
58
            paths: ["/reviews*"]
59
    # Allow access from local cluster
60
    - from:
61
        - source:
62
            principals: ["cluster.local/ns/bookinfo/sa/productpage"]
63
      to:
64
        - operation:
65
            methods: ["GET"]
66
            paths: ["/reviews*"]
67
---
68
# Virtual service for cross-cluster routing
69
apiVersion: networking.istio.io/v1beta1
70
kind: VirtualService
71
metadata:
72
  name: cross-cluster-reviews
73
  namespace: bookinfo
74
spec:
75
  hosts:
76
    - reviews
77
  http:
78
    # Route based on source cluster
79
    - match:
80
        - headers:
81
            cluster-id:
82
              exact: "remote-cluster"
83
      route:
84
        - destination:
85
            host: reviews.bookinfo.remote
86
            port:
87
              number: 9080
88
          weight: 100
89
    # Local cluster traffic
90
    - route:
91
        - destination:
92
            host: reviews
93
            subset: v1
94
          weight: 100

Performance Optimization and Troubleshooting#

Performance Tuning#

1
apiVersion: v1
2
kind: ConfigMap
3
metadata:
4
  name: istio-spire-performance
5
  namespace: istio-system
6
data:
7
  # Pilot performance tuning
8
  pilot-config.yaml: |
9
    env:
10
      # Increase pilot resources for SPIFFE processing
11
      PILOT_MAX_WORKLOAD_ENTRIES: "10000"
12
      PILOT_DEBOUNCE_AFTER: "100ms"
13
      PILOT_DEBOUNCE_MAX: "10s"
14

15
      # SPIFFE-specific optimizations
16
      SPIFFE_BUNDLE_REFRESH_INTERVAL: "300s"
17
      SPIFFE_CACHE_SIZE: "10000"
18
      SPIFFE_VALIDATION_TIMEOUT: "30s"
19

20
      # Memory optimization
21
      GODEBUG: "gctrace=1"
22
      GOMAXPROCS: "4"
23

24
  # Envoy performance tuning for SPIFFE
25
  envoy-config.yaml: |
26
    admin:
27
      address:
28
        socket_address:
29
          address: 127.0.0.1
30
          port_value: 15000
31

32
    # Enhanced cluster configuration for SPIFFE
33
    cluster_manager:
34
      outlier_detection:
35
        split_external_local_origin_errors: true
36
      upstream_bind_config:
37
        source_address:
38
          address: 0.0.0.0
39
          port_value: 0
40

41
    # SDS configuration for SPIFFE
42
    node:
43
      metadata:
44
        SPIFFE_BUNDLE_REFRESH_DELAY: "30s"
45
        SPIFFE_CERT_REFRESH_DELAY: "300s"
46
        WORKLOAD_API_TIMEOUT: "30s"

Troubleshooting Commands#

1
# Check SPIFFE identity integration
2
kubectl exec -n bookinfo $(kubectl get pod -l app=productpage -o jsonpath='{.items[0].metadata.name}') -c istio-proxy -- \
3
  openssl s_client -connect details:9080 -servername details -showcerts
4

5
# Verify SPIRE registration entries
6
kubectl exec -n spire-system spire-server-0 -c spire-server -- \
7
  /opt/spire/bin/spire-server entry list -spiffeID spiffe://cluster.local/ns/bookinfo/sa/productpage
8

9
# Check Istio proxy configuration
10
istioctl proxy-config cluster productpage-xxx.bookinfo --fqdn details.bookinfo.svc.cluster.local
11

12
# Verify mTLS configuration
13
istioctl authn tls-check productpage-xxx.bookinfo details.bookinfo.svc.cluster.local
14

15
# Debug authorization policies
16
istioctl analyze -n bookinfo
17

18
# Check SPIFFE bundle propagation
19
kubectl get configmap spire-bundle -n istio-system -o yaml
20

21
# Verify Envoy SPIFFE integration
22
kubectl exec -n bookinfo productpage-xxx -c istio-proxy -- \
23
  curl -s localhost:15000/certs | jq '.certificates[].cert_chain[].subject_alt_names'

Conclusion#

The integration of SPIFFE/SPIRE with Istio service mesh creates a powerful zero-trust networking platform that provides:

✅ Cryptographic Workload Identity: Every service has a verifiable SPIFFE ID
✅ Automatic mTLS: No manual certificate management required
✅ Fine-Grained Authorization: Policies based on identity, not network location
✅ Rich Observability: Telemetry enhanced with identity context
✅ Multi-Cluster Support: Federated trust across environments
✅ Defense in Depth: Multiple layers of security validation

This foundation enables true zero-trust architecture where trust is established through cryptographic proof rather than network perimeters. The combination of SPIRE’s robust identity platform with Istio’s sophisticated traffic management creates an enterprise-grade security solution suitable for the most demanding environments.

In our next post, we’ll explore multi-cluster SPIFFE federation patterns, showing how to extend this zero-trust architecture across multiple Kubernetes clusters and cloud providers.

Additional Resources#

Need help implementing SPIFFE/SPIRE with Istio in your environment? The communities actively support production deployments and complex integration scenarios.