In this session we’ll look at how to easily apply zero-trust-compatible network policy with Linkerd, the CNCF’s only graduated service mesh. The Network Policies built into Kubernetes rely on IP addresses, implicitly “trust the network”, and cannot authorize L7 features such as paths. Linkerd’s granular authorization policies, in contrast, build on the cryptographic workload identity provided by mutual TLS. We’ll cover Linkerd’s ability to authorize requests based on HTTP path, verb, and workload identity, and demonstrate how to build a “deny by default” / “principle of least privilege” authorization policy for your Kubernetes cluster.