Enabling mTLS to secure service communication

To secure service-to-service communication, traffic is tunneled from the client side to the server side through a sidecar proxy, and the communication between the two proxies is then secured with mTLS. The benefit of mTLS is that the service identity is not expressed as a bearer token: it cannot be stolen, duplicated, or replayed from a source that has not been authenticated. Istio's Citadel uses the concept of secure naming to protect against such attacks. The client side verifies the authenticated service account and only allows the named service to handle its network requests.

Istio's authorization feature also provides a cluster-level certificate authority with automated certificate management. Some of its key capabilities are as follows:

  • For every service account, it generates a certificate and key pair.
  • Using Kubernetes secrets, it distributes certificates and keys to the appropriate service pods.
  • It rotates certificates and keys periodically.
  • It sets up certificates and keys, and revokes them if they are no longer in use or have expired, been stolen, and so on.

Whenever someone connects to a secure site, they are using TLS, because TLS validates the server's identity to the client and provides an encrypted channel between server and client. For service-to-service communication, the same concept is applied in the other direction, from the server to the client side. To validate the client-side identity, a webhook application should request confirmation of it.

To do this, the mTLS feature can be used to validate client-level authentication by sending a certificate request message. The exchange works as follows:

  • The certificate request includes a list of the distinguished names of the root certificates that the server trusts.
  • The client responds to the server with a certificate message presenting its own certificate and distinguished name.
  • The server verifies the client certificate.
  • If the verification succeeds, the server has successfully authenticated the client.

mTLS authentication is widely used for business applications that have a limited number of homogeneous clients connecting to different web services. Overall, security requirements are a higher priority when implementing mTLS than for any other consumer.

mTLS has two modes: permissive and strict. Permissive mode allows both HTTP and HTTPS traffic, whereas strict mode allows only HTTPS traffic.
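As an added example (not from the original text), the two modes expressed as Istio PeerAuthentication resources: a mesh-wide permissive default beside a strict policy for one namespace, plus the client-side DestinationRule that makes sidecars originate mTLS. It assumes Istio 1.5 or later (the security.istio.io/v1beta1 API); the namespace "payments" and the resource names are placeholders.

```yaml
# Added example, not the book's own configuration. Assumes Istio 1.5+;
# the "payments" namespace and resource names are placeholders.
---
# Weak setting: the mesh accepts both plaintext and mTLS connections.
# Acceptable only while sidecars are still being rolled out.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # "default" in the root namespace applies mesh-wide
spec:
  mtls:
    mode: PERMISSIVE
---
# Corrected setting for a sensitive namespace: only mTLS is accepted, so a
# caller without a sidecar-issued identity cannot reach these services.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# Client side: have sidecars originate mTLS with mesh-CA-issued certificates
# toward every host in the namespace, so the STRICT policy does not reject them.
# Optional when Istio's automatic mTLS is enabled, which is the default.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: payments-mtls
  namespace: payments
spec:
  host: "*.payments.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

After applying, `kubectl get peerauthentication -A` lists the effective mode per namespace, which is a quick way to confirm that the strict policy actually took effect where it was intended.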
