Talk
Virtual
Zero trust for APIs: From edge to mesh with Istio
Edge security isn't enough. Internal traffic is often blindly trusted, making services vulnerable. This session shows how to build a Zero Trust API network with Istio, using JWTs and layered mesh controls to secure the entire request journey.
Kubernetes security is often built on the "castle-and-moat" fallacy. Teams harden the edge but leave internal east-west traffic implicitly trusted. In a world of Log4Shell-style zero-days, the perimeter is a myth. It is not a question of if a pod is breached, but when.
This talk examines zero trust using Istio ambient mode. It moves past the sidecar tax and explores a sidecar-less mesh that makes security more attainable. It deconstructs a real-world breach, showing how attackers steal pod identities and move laterally, then implements the three pillars of mesh security: identity via ztunnel, authentication via JWT, and authorization via waypoint proxies.
