Secure internal calls with short-lived service JWTs or mTLS (via service mesh) and K8s NetworkPolicies.
Service-to-Service Authentication
# Short-lived internal JWT tokens
import jwt, time
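def get_service_token(caller: str, ttl_seconds: int = 300) -> str:
    """Mint a short-lived HS256 JWT that identifies *caller* to internal services.

    Args:
        caller: Service identity placed in the ``sub`` claim.
        ttl_seconds: Token lifetime in seconds; defaults to the original
            5 minutes. Keep it short -- a leaked token is only usable
            until ``exp``.

    Returns:
        The encoded JWT string, audience-restricted to ``"internal"``.

    Raises:
        ValueError: if ``ttl_seconds`` is not positive.
    """
    if ttl_seconds <= 0:
        raise ValueError("ttl_seconds must be positive")
    # Integer NumericDate for iat/exp; a float exp is accepted by PyJWT but
    # an int is what RFC 7519 verifiers expect.
    now = int(time.time())
    claims = {
        "sub": caller,
        "aud": "internal",
        "iat": now,
        "exp": now + ttl_seconds,
    }
    # INTERNAL_SECRET is a symmetric HS256 key: every service that can verify
    # these tokens can also mint them, so it must stay server-side only.
    return jwt.encode(claims, INTERNAL_SECRET, algorithm="HS256")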
# Call another service
# Call another service, presenting this service's own short-lived token.
token = get_service_token("order-service")
headers = {"Authorization": f"Bearer {token}"}
# Plain http here relies on the mesh sidecar supplying mTLS (see the page
# intro); without a mesh, use https so the bearer token is not sent in clear.
resp = httpx.post(
    "http://payment-svc/charge",
    headers=headers,
    json=data,
)
# K8s NetworkPolicy -- whitelist pod-to-pod traffic
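apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  # Constructed name -- the original snippet omits metadata, without which
  # the object cannot be applied; adjust to your naming scheme.
  name: payment-service-allow-order-service
spec:
  # Pods this policy isolates: only the ingress sources listed below may reach them.
  podSelector:
    matchLabels: {app: payment-service}
  # Explicit policyTypes: the policy is ingress-only; egress is left unrestricted.
  policyTypes: [Ingress]
  ingress:
    - from:
        # A bare podSelector matches only pods in this policy's own namespace;
        # add a namespaceSelector if order-service runs in another namespace.
        - podSelector:
            matchLabels: {app: order-service}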