[Figure: ztunnel (L4 policy enforcement, L4 telemetry, xDS config, xDS client, CA client, App A cert, App X cert) communicating with Istiod (Control Plane / Certificate Authority / Registration Authority)]
1. Establish secure connection to istiod:15012 - can I get my xDS config?
2. Here are your workload xDS configs
3. Give me certs for App A
4. You're allowed to represent App A, here are the certs