Existing microservice deployment tools support only single-hop communication policies, failing to model the hierarchical tree structure of service call chains—resulting in overly permissive security controls. To address this, we propose a fine-grained security policy language grounded in the service invocation tree, the first to fully support expressive modeling of tree-structured call dependencies. We design a Visibly Pushdown Automaton (VPA) for dynamic policy enforcement and implement a non-intrusive runtime monitor atop the Istio service mesh, requiring no application code modification. Experimental evaluation demonstrates that our approach efficiently enforces complex security properties—including path-sensitive, context-aware, and hierarchical constraints—while introducing only millisecond-scale latency overhead even in large-scale microservice deployments. The solution thus achieves a principled balance among security expressiveness, enforcement fidelity, and runtime performance.

A microservice-based application is composed of multiple self-contained components called microservices, and controlling inter-service communication is important for enforcing safety properties. Presently, inter-service communication is configured using microservice deployment tools. However, such tools only support a limited class of single-hop policies, which can be overly permissive because they ignore the rich service tree structure of microservice calls. Policies that can express the service tree structure can offer development and security teams more fine-grained control over communication patterns. To this end, we design an expressive policy language to specify service tree structures, and we develop a visibly pushdown automata-based dynamic enforcement mechanism to enforce service tree policies. Our technique is non-invasive: it does not require any changes to service implementations, and does not require access to microservice code. To realize our method, we build a runtime monitor on top of a service mesh, an emerging network infrastructure layer that can control inter-service communication during deployment. In particular, we employ the programmable network traffic filtering capabilities of Istio, a popular service mesh implementation, to implement an online and distributed monitor. Our experiments show that our monitor can enforce rich safety properties while adding minimal latency overhead on the order of milliseconds.