Security Considerations on Istio's CRDs with Namespace-Based Multi-Tenancy

Istio’s traffic‑management layer relies on custom resource definitions such as VirtualService to program Envoy sidecars across the mesh. In clusters that host multiple tenants, administrators often grant each team permission to create these CRDs within their own namespace, assuming that namespace boundaries provide sufficient isolation. The introduction of the mesh‑gateway option in VirtualService, however, expands the scope of routing rules from a single namespace to the entire mesh. As a result, a tenant that can edit a VirtualService can inadvertently—or maliciously—affect traffic originating from any other tenant, a scenario that was not part of Istio’s original threat model.

The attack vector hinges on the fact that Istio’s control plane aggregates all VirtualService definitions and pushes a unified configuration to every Envoy proxy. When a VirtualService specifies the mesh gateway, its routing rules are evaluated by all sidecars, regardless of namespace. An adversary with write access can therefore craft a rule that matches a target hostname and forwards the request to a malicious service under their control. Although Istio enforces mutual TLS between services, the proxy treats the attacker‑controlled endpoint as the legitimate destination, breaking end‑to‑end encryption and allowing data exfiltration or denial‑of‑service.

To protect multi‑tenant environments, operators should restrict creation of mesh‑gateway VirtualServices to a trusted admin group and move tenant‑exposed routing to the Kubernetes Gateway API, which natively supports cross‑namespace scoping. Additional safeguards include enabling configuration scoping, limiting egress listeners to approved namespaces, and deploying admission controllers that validate host fields against a whitelist. Organizations that cannot overhaul their architecture can still reduce risk by revoking unnecessary RBAC permissions on Istio CRDs and enforcing strict policy‑as‑code pipelines. These steps restore the intended isolation guarantees and keep the service mesh from becoming an attack surface.