I try to understand why Istio have the mTLS feature? It enables mutual TLS authentication between all the services in a cluster via automatically issued certificates.
Mandatory TLS authentication is a benefit only as long as they are services outside Istio, but when Istio is enabled globally in Kubernetes, this is not the case - then every service gets certificate automatically, so can connect to any other.
Maybe TLS is used as identity provider, required by Istio authorization rules, like asked in yet unanswered Does istio authorization have effect if mtls is not used for istio authentication?? But why Istio does not just use Kubernetes service accounts as identity provider. This is even mentioned in documentation.
Also, even with TLS for identity, why encrypting traffic (TLS can be used without encryption)? I am assuming here that the container is not able to spoof IP address.