Skip to content

Kaustav-Sarkar/Istio-Defense-In-Depth

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
apps
apps
 
 
cerbos
cerbos
 
 
db
db
 
 
deployment
deployment
 
 
docs
docs
 
 
kind
kind
 
 
scripts
scripts
 
 
security-tests
security-tests
 
 
.gitignore
.gitignore
 
 
.python-version
.python-version
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Istio Security POC: Zero-Trust Architecture

This project is a Proof of Concept (POC) demonstrating how an Istio service mesh can provide zero-trust security and decoupled identity passing.

Demo

Walkthrough of the Istio security POC (login, persona-based access, Cerbos + RLS).

Istio security POC demo

Architecture

The architecture enforces strict service-to-service authentication (mTLS & AuthZ) and utilizes a sidecar EnvoyFilter to securely translate a platform-standard identity header (x-mesh-identity) into custom application-specific headers.

For an in-depth explanation of the design, see the Architecture Document.

Quickstart (Local Testing)

To run the tests for the currently implemented services:

  1. Run Python Tests
    This script runs the pytest suites for all existing Python applications.

    ./scripts/test-python.sh

  2. Run Cerbos Policy Tests
    This script runs the Cerbos policy tests.

    ./scripts/test-cerbos.sh

  3. Run the UI (after cluster is up)
    The Streamlit UI runs locally on the host (outside the cluster). Requires mkcert (brew install mkcert nss).

    ./scripts/create-local-certs.sh   # one-time: generates trusted certs
./scripts/run-ui.sh               # starts UI at https://app.localtest.me:8501

  4. Run the security attack suite (after cluster is up)
    Manual negative-path tests across 12 attack categories. See security-tests/ATTACKS.md.

    pip install -r security-tests/requirements.txt
./security-tests/run-attacks.sh

For full local cluster setup and end-to-end validation, see the Setup and Run Guide.

Demo users (login & verify)

After the cluster and UI are running (setup guide), open https://app.localtest.me:8501, click Login, and use these Keycloak accounts:

Persona Username Password What to check
Employee alice.employee alice-password Own profile shows full PII/salary; other employees are limited
Manager mary.manager mary-password Direct report (Alice) shows salary band, not exact salary
HR Admin henry.hradmin henry-password HR fields on employees; no IT asset serials
IT Admin ivan.itadmin ivan-password Minimal employee fields; full IT asset access

Repository Structure

  • apps/ - FastAPI microservices, Streamlit UI, auth-service, and database seeder
  • cerbos/ - Cerbos policies and tests
  • db/ - PostgreSQL initialization scripts and migrations
  • deployment/ - Kubernetes manifests (base, apps, data, identity, networking, security)
  • docs/ - Architecture and setup documentation
  • kind/ - Kind cluster configuration
  • scripts/ - Automation scripts for cluster management and testing
  • security-tests/ - Security attack suite (12 categories; see ATTACKS.md)

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

Demo video Latest
Jun 9, 2026

Packages

 
 
 

Contributors

Languages