by tayo42 838 days ago
I haven't worked with a service mesh, I worked at a company that did everything you are describing.

I don't get how you don't still need to do all that? Is the local server proxy to the service in plaintext then? Encryption is just between proxies?


Yes, traffic between generic service and the mesh entrypoint is clear text BUT since the proxy is in a sidecar of the generic service pod, it shares the same "localhost" by means of Linux network namespaces, so it's virtually isolated (if there isn't a bug) from other code running on the same node. When it exits the pod localhost, traffic is already encrypted.
Oh I see, that makes sense I think. Thanks!
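
The isolation described in the reply above holds only while the plaintext hop stays on the pod's loopback interface. As an added example (not part of the thread), this sketch parses the `/proc/net/tcp` socket table, which is per network namespace, and flags listeners bound to a non-loopback address; the sample table, the ports and the sidecar port 15006 are constructed assumptions.

```python
import ipaddress
import struct

TCP_LISTEN = 0x0A  # value of the "st" column for a listening socket

# Constructed sample in /proc/net/tcp layout (little-endian host assumed).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 30001
   1: 00000000:3A9E 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1337        0 30002
   2: 00000000:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 30003
   3: 0100007F:1F90 0100007F:D2F4 01 00000000:00000000 00:00000000 00000000  1000        0 30004
"""


def parse_listeners(table):
    """Return [(IPv4Address, port)] for every IPv4 socket in LISTEN state."""
    listeners = []
    for line in table.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue  # malformed row, or an established/closing connection
        hex_ip, hex_port = fields[1].split(":")
        # The kernel prints the address as a native-endian 32-bit word,
        # so 0100007F on a little-endian host is 127.0.0.1.
        ip = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
        listeners.append((ip, int(hex_port, 16)))
    return listeners


def exposed_plaintext(table, proxy_ports):
    """Listeners reachable from outside the pod that are not the sidecar.

    proxy_ports: ports owned by the sidecar proxy (an assumption supplied by
    the caller). Anything else bound to a non-loopback address can be reached
    on the pod IP without passing through the loopback-only hop.
    """
    return [
        (str(ip), port)
        for ip, port in parse_listeners(table)
        if not ip.is_loopback and port not in proxy_ports
    ]


if __name__ == "__main__":
    for ip, port in exposed_plaintext(SAMPLE_PROC_NET_TCP, {15006}):
        print(f"listener outside loopback: {ip}:{port}")
```

Because every container in a pod shares one network namespace, reading `/proc/net/tcp` from any of them shows the same table; IPv6 listeners live in `/proc/net/tcp6` and are not covered here.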