
mTLS Certificate Authentication for Microservices in Kubernetes
Microservices communicate over the network dozens or hundreds of times per second. Without mutual authentication, any compromised pod inside your cluster can impersonate a legitimate service, intercept traffic, or make unauthorized calls. mTLS (mutual TLS) closes this gap by requiring both ends of every connection to present a valid X.509 certificate — no certificate, no connection. This guide covers mTLS from first principles through production deployment: how the handshake works, enabling it in Istio, automating certificate lifecycle with cert-manager, implementing SPIFFE/SPIRE workload identity, and debugging the errors you’ll inevitably encounter. ...
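The "no certificate, no connection" rule above is easy to see in a few dozen lines before any mesh is involved. The following Go program is an added example, not code from the guide or from Istio/cert-manager: it stands up an in-memory cluster CA (a stand-in for the mesh or cert-manager issuer), issues workload certificates to two constructed services named "orders" and "payments", and runs an HTTPS server with ClientAuth set to RequireAndVerifyClientCert. Three callers then connect: a trusted workload, a caller with no certificate, and a caller whose certificate chains to a CA the cluster does not trust. Only the first is served; the service name, CA name and loopback address are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue signs tmpl with parent/parentKey, or self-signs it when parent is nil.
// Keys live only in memory; a cluster would get them from its issuer instead.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl.SerialNumber = serial.Add(serial, big.NewInt(1)) // keep it strictly positive
	tmpl.NotBefore = time.Now().Add(-time.Minute)
	tmpl.NotAfter = time.Now().Add(time.Hour)
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA returns a self-signed CA certificate (the example's stand-in for the mesh CA).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// newLeaf issues a workload certificate valid for both server and client authentication.
func newLeaf(service string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) tls.Certificate {
	cert, key := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: service},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on loopback
	}, ca, caKey)
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}
}

// mtlsServer serves HTTPS and refuses any peer whose certificate does not chain to ca.
func mtlsServer(ca *x509.Certificate, serverCert tls.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// With RequireAndVerifyClientCert the handler only runs for a verified peer,
		// so PeerCertificates[0] is the caller's authenticated identity.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	return srv
}

// call connects as a workload; clientCert == nil models a caller with no identity at all.
func call(url string, ca *x509.Certificate, clientCert *tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo runs the three callers and reports the outcome of each.
func Demo() (accepted string, noCertErr, untrustedErr error) {
	ca, caKey := newCA("cluster-ca")
	srv := mtlsServer(ca, newLeaf("orders", ca, caKey))
	defer srv.Close()

	var err error
	accepted, err = call(srv.URL, ca, ptr(newLeaf("payments", ca, caKey)))
	if err != nil {
		panic(err)
	}
	_, noCertErr = call(srv.URL, ca, nil) // no certificate: handshake is refused
	otherCA, otherKey := newCA("untrusted-ca")
	_, untrustedErr = call(srv.URL, ca, ptr(newLeaf("payments", otherCA, otherKey))) // wrong CA: refused
	return accepted, noCertErr, untrustedErr
}

func ptr(c tls.Certificate) *tls.Certificate { return &c }

func main() {
	accepted, noCertErr, untrustedErr := Demo()
	fmt.Println("trusted workload:", accepted)
	fmt.Println("no client certificate:", noCertErr)
	fmt.Println("certificate from untrusted CA:", untrustedErr)
}
```

Two details matter for the failure cases. A caller with no certificate at all is rejected outright, and a caller that does present a certificate is rejected unless the chain terminates in a CA listed in ClientCAs, which is why the trust bundle distributed to workloads is as much a part of the security boundary as the private keys. The same two checks are what a mesh sidecar performs on every hop.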