Application Layer Policy
Istio mints and distributes cryptographic identities and uses them to establish mutually authenticated TLS connections between pods. Calico enforces authorization policy on this communication, integrating cryptographic identities and network layer attributes.
The envoy.ext_authz filter is inserted into the proxy and calls out to Dikastes when service requests are processed. We compute policy based on a global store, which is distributed to Dikastes by its local Felix.
Application Layer Policy is described in the Project Calico docs.
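As an added illustration (not taken from this project's files), a Calico policy that combines an identity attribute with network layer and HTTP attributes could look like the following. The namespace, labels, service account name, port and path are constructed for the example.

```yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: summary-allow-customer     # constructed name
  namespace: bank                  # constructed namespace
spec:
  # Applies to the pods backing the hypothetical "summary" service.
  selector: app == 'summary'
  types:
  - Ingress
  ingress:
  - action: Allow
    # Network layer attributes: transport protocol and destination port.
    protocol: TCP
    destination:
      ports: [8080]
    # Identity attribute: the caller must be running as this service
    # account, as established by its mutually authenticated connection.
    source:
      serviceAccounts:
        names: ["customer"]
    # Application layer attributes, evaluated per request.
    http:
      methods: ["GET"]
      paths:
      - prefix: /summary
  # No further rules: once this policy selects the workload, ingress
  # that matches no Allow rule is denied.
```

With this policy, a request to the selected pods is allowed only when all three kinds of attribute match: the port and protocol, the caller's service account, and the HTTP method and path.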