Istio manages its own identity model, which can represent human users, services, or groups of services. In Kubernetes, Istio uses Kubernetes' service account to represent identity. Istio uses its PKI (through Citadel) to create a strong cryptographic identity for each pod that it manages. It creates a x.509 certificate (in SPIFEE format) and a key pair for each service account and injects them as secrets to the pod. Pilot manages a map between the DNS service names and the identities that are allowed to run them. When clients call into services, they can verify that the services are indeed run by allowed identities and can detect rogue services. With a strong identity in place, let's take a look at how authentication ...