AS-301b · Module 1

Service Mesh Enforcement

4 min read

A whitelist on paper is a policy. A whitelist enforced by a service mesh is a control. Service meshes such as Istio, Linkerd and Cilium sit at the infrastructure layer and intercept every network request between agents and services: they establish mutual TLS between endpoints, verify the workload identity carried in the certificate on every connection, and evaluate authorization policy before any application traffic flows. The agent never talks to the destination directly. Its proxy (a sidecar, or a node-level data plane in the eBPF and ambient designs) mediates every conversation, so the agent's own code cannot opt out of the control, whether it is behaving or has been compromised.

  1. Mutual TLS Everywhere: Every connection between agents and services is encrypted with mutual TLS. Both sides present certificates issued by the mesh CA, and each side verifies the other's before any bytes are exchanged. No plaintext traffic between any components, even within the same physical network. An attacker who compromises the network layer sees only ciphertext they cannot read or tamper with. The caveat is that mTLS proves which workload is talking, not that the workload is trustworthy: an attacker who has compromised the agent itself holds its certificate and speaks with its identity. That is what the authorization policies and the logs below are for.
  2. Identity-Based Policies: Authorization policies reference agent identities, not IP addresses. The identity is bound to the workload (in Kubernetes meshes, typically a SPIFFE ID derived from the service account) and travels with it, so an agent that moves between hosts, scales horizontally, or restarts with a new IP retains its identity and its policy. Identity-based policies survive infrastructure changes that would break IP-based rules. The check to make is that the policy engine only sees that identity when mTLS is actually enforced: a mesh left in a permissive mode that still accepts plaintext gives identity-based rules nothing to match on for those plaintext connections.
  3. Traffic Observability: The service mesh logs every connection attempt, allowed and denied, provided access logging is turned on; on several meshes it is off by default, so verify that denied attempts actually reach your log pipeline. Denied connections are visibility into what a compromised agent is trying to reach. Allowed connections are the baseline for anomaly detection. The mesh is both a firewall and a sensor.
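The three controls above, expressed as Istio resources, as an added example that is not part of the original page and not configuration from any project it names. The namespaces (agents, tools), the workload label app: tools-api, the service account research-agent, and the path /v1/search are hypothetical placeholders; the resource kinds, fields and the principal format are Istio's own. The example goes slightly beyond the text by adding a default-deny policy, since an allow rule only works as a whitelist when everything else is denied.

```yaml
# 1. Mutual TLS everywhere: a mesh-wide PeerAuthentication in the root
#    namespace. PERMISSIVE (the installation default) accepts both mTLS and
#    plaintext; a plaintext client carries no principal, so the identity
#    rules below could never match it. STRICT rejects plaintext outright.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system        # root namespace: applies to the whole mesh
spec:
  mtls:
    mode: STRICT                 # the weak setting here would be PERMISSIVE
---
# 2a. Default deny in the namespace that hosts the tools (hypothetical
#     namespace "tools"). An AuthorizationPolicy with an empty spec matches
#     no request, so every request is rejected unless an ALLOW policy admits it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: tools
spec: {}
---
# 2b. The whitelist entry. The principal is the agent's SPIFFE ID without the
#     scheme, read from its client certificate, so the same string matches
#     whichever node or pod IP the agent happens to be running on.
#     Workload label, service account and path are hypothetical.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: tools-api-allow-research-agent
  namespace: tools
spec:
  selector:
    matchLabels:
      app: tools-api
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - "cluster.local/ns/agents/sa/research-agent"
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/search"]
---
# 3. Traffic observability: emit an Envoy access log line for every request,
#    allowed or denied, so a policy rejection is a logged event and not a
#    silent 403 seen only by the agent that triggered it.
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system
spec:
  accessLogging:
  - providers:
    - name: envoy
```

Applied together, a request from any identity other than the research-agent service account, or to any path other than /v1/search, is rejected by the tools-api sidecar before it reaches the application, and with Istio's default access log format the rejection appears as a 403 whose response_code_details field reads rbac_access_denied_matched_policy[none]. Those lines, filtered by source principal, are the "what is the compromised agent trying to reach" signal the text describes; the allowed lines for the same principal are its baseline.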