Ok, I know this is a contentious topic, but: Could someone clearly articulate the threat model under which service-to-service TLS is the best solution? The scenarios I considered are:

1) Traffic integrity/confidentiality to protect against Mallory on the wire. Host-to-host affords this at much better cost, less duplication of code, and even less attack surface (unless the TLS is provided by a single sidecar).

Most importantly, given that container scheduling & microservices mean a lot of traffic between two IPs never leaves the host, host-to-host prevents us from repeatedly encrypting and decrypting our own RAM.

2) Service authentication. People seem to use it for this, paired with Client-Side certificates.

But with container scheduling, compromising one node means you can just wait for certificates to come to you, Pokemon-Style.

Assuming you can't get root, preventing you from talking to services you shouldn't can also be done better / cheaper on the network layer (Cilium etc?).

Summary: Perhaps there's nuance I don't get, but service-to-service TLS was a much more sensible security measure before jobs started migrating across different nodes, and before everything was microservices on relatively beefy machines.

I mean, if you argued that all Unix pipes and IPC should be TLSed, people would glance at you sideways. Isn't insisting on TLS for each service somewhat similar?