A service mesh, such as Anthos Service Mesh (a managed Istio service), is the Google-recommended solution for implementing a zero-trust security model for microservices within a GKE cluster. It provides strong, identity-based authentication and encryption for all service-to-service communication using mutual TLS (mTLS). This is achieved by injecting a sidecar proxy alongside each microservice, which transparently intercepts, encrypts, and authenticates all traffic, fulfilling the requirement regardless of the underlying network topology. This approach ensures that only trusted services can communicate and that all data in transit is secure.

A. GKE Network Policies operate at OSI Layer 3/4. They control which pods can communicate but do not provide traffic encryption or cryptographic identity authentication for the services themselves.

C. Cloud Load Balancing with SSL Termination secures traffic from external clients to the cluster's edge (north-south traffic). It does not encrypt the internal traffic between microservices (east-west traffic).

D. VPC Firewall Rules, even with service accounts, operate at the VM/node level. They can control network connectivity between nodes but do not provide the granular, service-level encryption and authentication required for pod-to-pod communication.

1. Google Cloud Documentation - Anthos Service Mesh Security: "Anthos Service Mesh helps you to secure your services by providing a certificate authority (CA) for generating certificates to allow for mutual TLS (mTLS) authentication. With mTLS, service-to-service communication is encrypted and authenticated..." This directly supports using a service mesh for mTLS.

Source: Google Cloud, "Security benefits", Anthos Service Mesh documentation.

2. Google Cloud Whitepaper - BeyondProd: A new approach to cloud-native security: This paper outlines Google's internal zero-trust model, which heavily relies on service identity, mTLS, and a service mesh for securing microservices. "All RPCs are protected with mutual authentication and encryption... This protection is provided by our Application Layer Transport Security (ALTS)..." Anthos Service Mesh brings this capability to Google Cloud customers.

Source: Google Cloud, "BeyondProd: A new approach to cloud-native security", Section: "Mutual authentication and transport encryption".

3. Google Cloud Documentation - GKE Network Policy: "Network policies are the Kubernetes firewall for pods. Network policies control network traffic at level 3 or 4 of the OSI model..." This confirms that Network Policies do not operate at the application layer to provide encryption, which is a key requirement.

Source: Google Cloud, "About GKE network policy", GKE documentation.

4. Google Cloud Solutions - Zero trust security with Anthos: "Anthos Service Mesh helps you to control the traffic flowing in, out, and within your service mesh... By default, Anthos Service Mesh encrypts traffic between services by using mutual Transport Layer Security (mTLS)." This explicitly states that Anthos Service Mesh is the tool for achieving zero-trust via mTLS for inter-service traffic.

Source: Google Cloud, "Zero trust security with Anthos", Google Cloud Solutions.