The Negatives of a Per-Host Service Mesh: The Sidecar Model as a Better Solution for a More Robust Security Boundary

May 22, 2023

In our quest to improve the security of our service mesh, eBPF seems like a logical solution, in particular a per-host proxy, which would eliminate the need for a sidecar as part of our service mesh implementation. But there are security implications that we need to consider, and they would leave us more vulnerable if this decision were made carelessly. The sidecar proxy is actually an integral part of providing a reliable and scalable service, whilst providing the necessary security constraints.