by InTheArena 2486 days ago
This looks interesting, but it's not clear to me if this supports TLS traffic to the daemon-set nodes running on each individual node. A key thing that I am looking at meshes for is last-mile TLS encryption, with an appropriate sidecar.
2 comments

We think that it is interesting to have an alternative with a simpler design bringing almost all features. So yes, mTLS between pods is not supported. But it's a decent tradeoff for many users. Finally, mTLS could be supported in the future between nodes :)
This is one of the several reasons Linkerd moved from per-host to sidecars.

For mTLS, the moment you want to have identity per service (as opposed to one cert across everything in the mesh), you need the security boundary to be at the pod level.
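The point made in the reply above, that per-service identity needs a per-pod boundary, can be seen in what a policy keyed on that identity looks like. The following is an added example and not code from the thread, the project being discussed, or Linkerd's own docs; it assumes Linkerd's policy CRDs (policy.linkerd.io, Linkerd 2.11 or later), and the namespace `shop`, the `orders` and `checkout` workloads, their ServiceAccounts and port 8080 are hypothetical.

```yaml
# Linkerd policy resources (policy.linkerd.io CRDs, Linkerd 2.11+).
# Namespace, workload, ServiceAccount and port names are hypothetical.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  namespace: shop
  name: orders-http
spec:
  podSelector:
    matchLabels:
      app: orders
  port: 8080
  proxyProtocol: HTTP/1
---
# The mesh identity is derived from the client pod's ServiceAccount, so the
# allow list names a service, not a node. A single per-node proxy would
# present one certificate on behalf of every pod on that host, and a rule at
# this granularity could not be expressed or enforced.
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
  namespace: shop
  name: checkout-only
spec:
  identities:
    - "checkout.shop.serviceaccount.identity.linkerd.cluster.local"
---
# Only clients that completed mTLS with the checkout identity may reach the
# orders Server; plaintext or other identities are denied.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: shop
  name: orders-from-checkout
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: orders-http
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: MeshTLSAuthentication
      name: checkout-only
```

The identity string follows Linkerd's default `<serviceaccount>.<namespace>.serviceaccount.identity.linkerd.<trust-domain>` form; with a different trust domain the suffix changes. After applying the resources, `linkerd viz authz -n shop deploy/orders` (viz extension) lists which policies are authorizing or denying traffic to the workload, which is the practical check that the per-service boundary is actually in effect.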