Many organizations, surprisingly, still do things like using Kubernetes with TLS terminated at the ingress. In that case, you just need the splitter in the same network as the nodes hosting the ingress controller. Or inspect the unencrypted traffic within the cluster.
It takes a non-trivial amount of work to set up a service mesh (and mutual TLS between services), so many k8s clusters end up with unencrypted traffic inside the cluster network.
> It takes a non-trivial amount of work to set up a service mesh
I feel like configuring wireguard between a group of physical hosts is fairly trivial. After all I do it semi-manually in order to access my LAN when I'm elsewhere and I'm certainly no expert sysadmin.
In this case we're talking about P2P traffic, which is generally not HTTPS. The linked issue references WebRTC https://en.wikipedia.org/wiki/WebRTC
Encrypted by Cloudflare, so they just use the keys to decrypt it again.
Many organizations, surprisingly, still do things like using Kubernetes with TLS terminated at the ingress. In that case, you just need the splitter in the same network as the nodes hosting the ingress controller. Or inspect the unencrypted traffic within the cluster.
It takes a non-trivial amount of work to set up a service mesh (and mutual TLS between services), so many k8s clusters end up with unencrypted traffic inside the cluster network.
> It takes a non-trivial amount of work to set up a service mesh
I feel like configuring wireguard between a group of physical hosts is fairly trivial. After all I do it semi-manually in order to access my LAN when I'm elsewhere and I'm certainly no expert sysadmin.