You are responsible for a distributed web application where internal services call each other over the network to process customer requests and access sensitive metadata. The current setup uses shared credentials and broad network access, and a recent incident showed one compromised workload could reach services it should never have touched. You need to redesign the trust model so service identity, transport security, and authorization are enforced consistently.
How would you design the infrastructure so only the right workloads can authenticate and communicate with each other, even if one node or pod is compromised? Be explicit about the trust boundaries, the controls you would put at each boundary, and how you would detect and respond when those controls fail.
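As an added illustration of the enforcement point this question asks for (example code added here, not part of the original prompt), the following Go check derives a workload's identity solely from the SPIFFE-style URI SAN in its verified client certificate, applies a default-deny per-service policy, and emits an audit event on every deny so the failure of a control is visible to detection. The trust domain, service names and policy are assumed sample values.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net/url"
)

// Hypothetical trust domain: every workload cert must carry exactly one spiffe://<domain>/... URI SAN.
const trustDomain = "example.internal"
// Policy is callee service -> operation -> allowed caller SPIFFE IDs; anything unlisted is denied.
type Policy map[string]map[string][]string
// AuditEvent is emitted on every deny so detection can alert on call paths that should never occur.
type AuditEvent struct{ Caller, Callee, Operation, Reason string }

// WorkloadID returns the single in-domain SPIFFE ID from a verified peer cert; 0 or >1 SANs yield no identity.
func WorkloadID(cert *x509.Certificate) (string, error) {
	if cert == nil { // peer presented no client certificate at all
		return "", fmt.Errorf("no peer certificate")
	}
	var ids []string
	for _, u := range cert.URIs {
		if u.Scheme == "spiffe" && u.Host == trustDomain {
			ids = append(ids, u.String())
		}
	}
	if len(ids) != 1 {
		return "", fmt.Errorf("want one spiffe://%s SAN, got %d", trustDomain, len(ids))
	}
	return ids[0], nil
}

// Authorize decides whether caller may perform op on callee; identity comes only from the cert, never headers.
func Authorize(p Policy, cert *x509.Certificate, callee, op string) (bool, *AuditEvent) {
	caller, err := WorkloadID(cert)
	if err != nil {
		return false, &AuditEvent{"unknown", callee, op, err.Error()}
	}
	for _, allowed := range p[callee][op] {
		if allowed == caller {
			return true, nil
		}
	}
	return false, &AuditEvent{caller, callee, op, "caller not in policy"}
}

// certWithID builds a constructed, unsigned cert standing in for one the TLS layer already chain-verified.
func certWithID(id string) *x509.Certificate {
	u, _ := url.Parse(id)
	return &x509.Certificate{URIs: []*url.URL{u}}
}
```

Wire `Authorize` into the server's `VerifyPeerCertificate`/request handler after chain verification against the workload CA; forwarding every `AuditEvent` to the SIEM turns a probing compromised pod into an alertable signal.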