Khirawdhi Ray

Systems. Security. Thoughts.

Breaking Service-to-Service Trust in Microservices

by

khirawdhi
in , , , ,

Modern cloud-native architectures are built on an assumption that quietly becomes catastrophic at scale: “Internal traffic is trusted.”

Not explicitly. Not architecturally documented. But operationally everywhere.

A service authenticates once. Receives broad internal access. Starts talking to downstream systems. And suddenly the entire platform behaves like a flat internal network with prettier YAML.

This is how modern lateral movement works.

Not through SMB shares or through domain controllers but through APIs.

The New Attack Surface: East-West Traffic

In monoliths, compromise was vertical. In microservices, compromise becomes horizontal.

The moment an attacker gains execution inside a single workload, they inherit:

  • service account identity
  • mounted tokens
  • internal DNS visibility
  • service mesh trust
  • east-west network reachability
  • implicit authorization assumptions
  • downstream API access paths

The attack surface is no longer “the application.” The attack surface is the relationship graph between services.

The Core Security Failure

Most organizations successfully secure:

  • ingress
  • authentication
  • API gateways
  • WAFs
  • external APIs

Then completely collapse security internally.

Typical assumptions:

  • “It’s inside the cluster.”
  • “It already passed authentication.”
  • “Traffic is encrypted with mTLS.”
  • “Only internal services can call this.”
  • “NetworkPolicies protect us.”

These assumptions fail because:

  • identity is often shared
  • authorization is weak or absent
  • trust is transitive
  • workloads are overprivileged
  • internal APIs were never designed for hostile callers

The result: One compromised pod becomes a trusted internal actor.

Real-World Trust Collapse

Consider a typical Kubernetes environment:

Internet

API Gateway

Frontend Service

Order Service

Payment Service

Inventory Service

Kafka / Redis / Internal APIs

Externally:

  • OAuth enforced
  • WAF enabled
  • Rate limiting enabled
  • JWT validation present

Internally: 

"frontend.default.svc.cluster.local can call order-service"

That is the security model.

The Compromise Path

Attacker exploits:

  • SSRF
  • RCE
  • deserialization
  • command injection
  • dependency compromise
  • poisoned CI/CD artifact
  • vulnerable sidecar
  • container escape

Now they land inside a pod. What happens next is where architecture matters

Phase1: Identity Theft

The attacker immediately targets:

/var/run/secrets/kubernetes.io/serviceaccount/token

This becomes their workload identity.

Most clusters still expose:

  • overly permissive service accounts
  • namespace-wide read access
  • secret listing
  • configmap access
  • pod metadata access

Now the attacker is no longer “external.” They are an authenticated workload.

Phase2: Internal Reconnaissance

Internal DNS makes service discovery trivial:

nslookup *.svc.cluster.local

Or:

kubectl get svc

if RBAC is weak.

Attackers enumerate:

  • internal APIs
  • admin endpoints
  • Prometheus targets
  • Grafana dashboards
  • metrics exporters
  • internal gRPC services
  • Kafka brokers
  • Redis instances
  • service mesh control planes

Most organizations never threat model internal enumeration.

Phase3: Trust Pivoting

This is where service-to-service trust breaks.

Example:

POST /internal/payment/refund

The endpoint assumes:

  • request originated internally
  • caller is trusted
  • upstream auth already happened

No fine-grained authorization exists.

No workload attestation exists.

No SPIFFE identity validation exists.

No request-level policy exists.

Now any compromised service can invoke privileged operations.

The Dangerous Myth of mTLS

One of the most misunderstood concepts in cloud-native security: mTLS does not solve authorization.

mTLS answers: “Who are you?”

It does NOT answer: “Should you be allowed to do this?”

Most service meshes stop at authentication.

Example:

frontend → payment-service

mTLS validates identity.

But if authorization policy is absent: ANY authenticated workload can call payment-service

This becomes catastrophic during lateral movement. Encryption without authorization is still trust collapse.

gRPC Makes This Worse

gRPC amplifies internal trust issues because:

  • APIs are strongly connected
  • internal methods are rarely exposed externally
  • reflection often leaks service definitions
  • streaming channels remain long-lived
  • authorization is commonly delegated upstream

Attackers abuse: grpcurl

to enumerate internal methods: grpcurl payment-service:50051 list

Then invoke privileged RPCs directly. Most internal gRPC APIs were designed for performance, not hostile environments.

Kafka and Redis Become Lateral Movement Infrastructure

Once inside the cluster:

Kafka

Attackers abuse:

  • unrestricted topic subscriptions
  • weak ACLs
  • event poisoning
  • replay attacks
  • trust in asynchronous consumers

Example:

{
  "event": "user.role.updated",
  "role": "admin"
}

If downstream consumers trust producer identity weakly, privilege escalation becomes event-driven.

Redis

Redis becomes dangerous when used for:

  • session storage
  • distributed locks
  • feature flags
  • token caches
  • authorization state

Common failures:

  • no AUTH
  • shared credentials
  • flat network trust
  • unrestricted access from workloads

Compromised services can:

  • steal sessions
  • poison caches
  • manipulate feature toggles
  • inject authorization bypass states

Service Meshes Can Increase Blast Radius

Ironically, service meshes often expand trust domains.

Organizations deploy:

  • Istio
  • Linkerd
  • Consul

Then assume the problem is solved.

But many meshes create:

  • universal workload connectivity
  • shared trust roots
  • broad certificate trust
  • permissive authorization defaults

Without strict policy segmentation:

Compromised workload

Valid mesh identity

Full east-west reachability

The attacker now moves through the mesh exactly as intended traffic would.

The Real Problem: Identity Without Boundaries

Microservices introduced distributed trust. But most organizations never redesigned authorization models for distributed systems.

Traditional perimeter logic still exists mentally:

outside = hostile
inside = trusted

Cloud-native environments destroy this assumption.

In Kubernetes:

  • every workload is a potential attacker
  • every service is internet-exposed internally
  • every token is an identity primitive
  • every API is a lateral movement opportunity

What Secure Architectures Actually Do

Secure-by-design microservices treat internal traffic as hostile by default. That changes everything.

1. Workload Identity Must Be Strong

Avoid:

  • shared service accounts
  • namespace-wide identities
  • static credentials
  • long-lived secrets

Prefer:

  • SPIFFE/SPIRE
  • workload-bound identity
  • short-lived credentials
  • attested workload identity

Identity should represent:

WHO
WHAT
WHERE

not merely:

"something inside the cluster"

2. Authorization Must Exist Between Services

Every internal API should enforce:

  • caller identity validation
  • least privilege authorization
  • action-level policy
  • workload-level RBAC

Example:

frontend-service:
  can:
    - create_order

cannot:
    - refund_payment
    - access_admin_api

Internal APIs require authorization exactly like external APIs.

3. East-West Segmentation Must Exist

Flat clusters are catastrophic.

Use:

  • Kubernetes NetworkPolicies
  • namespace isolation
  • egress restrictions
  • service-level allowlists
  • mesh authorization policies

A compromised pod should NOT gain universal reachability.

4. Internal APIs Must Be Threat Modeled

Most internal APIs were never designed assuming malicious callers.

Threat model:

  • replay attacks
  • confused deputy problems
  • forged internal requests
  • event poisoning
  • trust chaining
  • identity spoofing
  • metadata abuse

Internal APIs are production attack surfaces. Treat them accordingly.

5. Observability Must Become Security Telemetry

Traditional logs are insufficient.

You need visibility into:

  • workload identity changes
  • abnormal service call graphs
  • unexpected east-west traffic
  • new RPC invocation paths
  • unusual Kafka consumers
  • Redis access anomalies
  • service mesh policy violations

Modern detection becomes graph-based. Not perimeter-based.

Final Thought

Microservices did not eliminate monolithic trust. They distributed it. And in many environments, that made compromise worse.

The future of cloud-native security is not:

  • more encryption
  • more sidecars
  • more gateways

It is:

  • identity-aware authorization
  • workload attestation
  • trust minimization
  • graph-aware threat modeling
  • hostile-by-default internal design

Because attackers no longer break in and stop. They become services.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *