🚀 Implementation

We start by deploying a simple Flask application into a Kubernetes cluster without Zero Trust controls enabled. This allows us to establish a security baseline, observe open service-to-service communication, and then incrementally enforce Zero Trust Architecture (ZTA) for comparison.


🔧 Step-by-Step Breakdown

🟢 1. Initial Deployment (ZTA Disabled)

  • Run the following to provision the environment:

task dev

This command automates:

  • Kind cluster creation

  • Namespace and image setup

  • Helm-based app deployment (zta-demo-app)

  • Istio installation (without ZTA policies activated)

  • The following values in values-local.yaml are disabled by default:

authn:
  enabled: false
authz:
  enabled: false
gateway:
  enabled: false
virtualsvc:
  enabled: false
svcentry:
  enabled: false

✅ This results in unrestricted cross-service communication inside the mesh.

  • Inside a pod:

curl zta-demo-app-service:8080/hello

Returns:

Hello I am reachable! from zta-demo-app-<pod-name>

This is expected because there is no authentication or authorization in place. This insecure state means any compromised pod can access internal services freely.


Before Zero Trust Architecture [screenshot]


🔒 2. Enabling Zero Trust

To activate Zero Trust components, run:

task activate-zta

This uses yq to toggle the following values in values-local.yaml:

authn:
  enabled: true
authz:
  enabled: true
gateway:
  enabled: true
virtualsvc:
  enabled: true
svcentry:
  enabled: true

Then it triggers a Helm upgrade and waits for the pods to be ready.

  • Now, try the same curl command again from another pod:

curl zta-demo-app-service:8080/hello

Returns:

RBAC: access denied

Istio now enforces the Zero Trust policies and blocks every request that is not explicitly allowed.


After Zero Trust Architecture [screenshot]


๐Ÿ” 3. Access with Token

To access the service securely:

  • Run:
task get-token

This retrieves a JWT access token using the configured Auth0 credentials and writes it to token.txt.

  • Then, with the token from token.txt held in the $token variable, use it inside the pod:

curl zta-demo-app-service:8080/hello -H "Authorization: Bearer $token"

This returns:

Hello I am reachable! from zta-demo-app-<pod-name>

The request is now authenticated (a valid JWT), authorized (a matching policy rule), and carried over mTLS inside the mesh.
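As an added illustration (not the zta-demo-app chart's own templates, which this page does not show), these are the Istio resources that the authn/authz toggles plausibly render to. Namespace, pod label, issuer, JWKS URI and audience are placeholders you would replace with your Auth0 tenant's values.

```yaml
# Added example, not the zta-demo-app chart's own templates.
# Namespace, selector label, issuer, jwksUri and audiences are
# assumed placeholders; replace them with your own values.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: zta-demo             # assumed namespace
spec:
  mtls:
    mode: STRICT                  # sidecar-to-sidecar traffic must be mTLS
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: zta-demo-app-jwt
  namespace: zta-demo
spec:
  selector:
    matchLabels:
      app: zta-demo-app           # assumed pod label
  jwtRules:
    - issuer: "https://YOUR_AUTH0_DOMAIN/"                        # placeholder
      jwksUri: "https://YOUR_AUTH0_DOMAIN/.well-known/jwks.json"  # placeholder
      audiences:
        - "YOUR_API_AUDIENCE"                                     # placeholder
# Caveat: RequestAuthentication alone only rejects requests that carry
# an INVALID token (401). A request with NO token passes through with an
# empty principal; the AuthorizationPolicy below is what turns that
# into the "RBAC: access denied" (403) seen in step 2.
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: zta-demo-app-require-jwt
  namespace: zta-demo
spec:
  selector:
    matchLabels:
      app: zta-demo-app
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals: ["*"]   # any validated <issuer>/<subject>
      to:
        - operation:
            methods: ["GET"]
            paths: ["/hello"]
```

With an ALLOW policy selected on the workload, any request that matches no rule is denied, so unauthenticated pods get 403 while a pod presenting a valid Auth0 JWT reaches /hello.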


โš–๏ธ Performance Comparison

We use curl with the -w flag to compare the latency introduced by ZTA.

โฑ Before ZTA

curl -o /dev/null -s -w "Total: %{time_total}s\n" zta-demo-app-service:8080/hello

Output:

Total: 0.005481s

โฑ After ZTA (Token Authenticated)

curl -o /dev/null -s -w "Total: %{time_total}s\n" zta-demo-app-service:8080/hello -H "Authorization: Bearer $token"

Output:

Total: 0.005916s

Before Zero Trust Architecture [screenshot]

After Zero Trust Architecture [screenshot]


🧠 Performance Perspective

The added latency of ~435 microseconds (µs) is negligible:

Comparison               Value
Human reaction time      ~0.2–0.3 seconds
One frame at 60 FPS      ~0.0167 seconds
Latency added by ZTA     ~0.0004 seconds

🔐 In return for this near-zero impact, we gain end-to-end service authentication, traffic encryption, and granular access control.