Istio enforces workload identity for service access using SPIFFE/SPIRE-issued SVIDs
Istio, leveraging SPIFFE/SPIRE as its certificate authority, enforces granular workload identity for mutual TLS (mTLS) and authorization policies within the service mesh. SPIRE issues cryptographically verifiable identities (SVIDs) to workloads, which Istio's Envoy proxies consume via the Envoy SDS API to authenticate services and control access for various operations, including AI retrieval and general service access. This integration provides enhanced attestation capabilities and supports trus
Linked Evidence
SPIRE can be configured as the certificate authority for Istio workloads via Envoy's SDS API, so that every Envoy proxy in the mesh fetches its SVID directly from SPIRE rather than from istiod, enabling hardware-attested workload identities and cross-cluster trust federation.
Source: SPIRE — Istio
SPIRE delivers cryptographic identities (X.509-SVIDs) to Envoy proxy instances through the SDS API, allowing the proxy to present SPIFFE-compliant identities for mTLS and to validate peer identities — the same mechanism Istio uses when configured with SPIRE as its identity provider.
Source: Envoy — SPIFFE
SPIRE issues X.509-SVIDs to Envoy via the SDS API and configures TLS certificate and validation-context listeners on the proxy, providing the cryptographic identity substrate that Istio leverages for mTLS enforcement when SPIRE replaces istiod as the certificate authority.
Source: X.509 SVID authentication with Envoy — SPIFFE
Support for SPIRE was introduced to Istio in 1.14, allowing SPIRE to be configured as a source for issuing Istio workload identities through Envoy's SDS API, offering diverse workload and node attestation options.
Source: SPIRE: A case for attestable workload identity - Solo.io
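As an added illustration, not taken from any of the linked sources or from Istio's own injection templates, this is the shape of the Envoy configuration the evidence above describes: a downstream TLS context whose certificate and validation context both come from the SPIRE agent over SDS, plus the cluster that reaches the agent. The trust domain, SPIFFE IDs, port and socket path are placeholders chosen for this example.

```yaml
# Fragment of an Envoy bootstrap (assumed layout; drop into a listener's
# filter chain and the static clusters list). Placeholders: example.org,
# the frontend SPIFFE ID, and the agent socket path.
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
    # mTLS: a peer that cannot present an SVID fails the handshake.
    require_client_certificate: true
    common_tls_context:
      # Certificate to present. Naming it by this workload's SPIFFE ID means
      # the SPIRE agent only serves it if the calling process passed workload
      # attestation for that ID; the private key never leaves the agent's
      # issuance path as a file on disk.
      tls_certificate_sds_secret_configs:
      - name: "spiffe://example.org/ns/default/sa/frontend"
        sds_config:
          resource_api_version: V3
          api_config_source:
            api_type: GRPC
            transport_api_version: V3
            grpc_services:
            - envoy_grpc:
                cluster_name: spire_agent
      # Trust bundle for validating peers, named by the trust domain. Peer
      # certificates that do not chain to the SPIRE CA are rejected; SPIRE
      # rotates the bundle over the same SDS stream.
      validation_context_sds_secret_config:
        name: "spiffe://example.org"
        sds_config:
          resource_api_version: V3
          api_config_source:
            api_type: GRPC
            transport_api_version: V3
            grpc_services:
            - envoy_grpc:
                cluster_name: spire_agent

clusters:
- name: spire_agent
  connect_timeout: 1s
  http2_protocol_options: {}   # SDS is a gRPC stream
  load_assignment:
    cluster_name: spire_agent
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            pipe:
              path: /run/spire/sockets/agent.sock
```

A quick check that the policy is actually enforced: a client that has no SVID, or one issued from a different trust domain, should fail the TLS handshake against this listener, and the Envoy stats for the listener should show the rejected handshake rather than a successful connection.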