Istio provides strong identities for workloads running in the mesh by default. 

Istio control plane (Istiod) and Istio agents (that run on each pod, within the Envoy proxy container) work together to sign, distribute, and rotate X.509 certificates to workloads (see Fig.A).

