Istio audit report - ADA Logics - 2023-01-30 - v1.0
Creative Commons Attribution 4.0 International (CC BY 4.0) Istio Security Audit, 2023 Table of contents 1 Executive summary 2 Notable findings 3 Project summary 4 Audit scope 6 authentication to verify the credential attached to the request. Authorization Istio allows users to create authorization policies to specify mesh-, namespace-, and workload-wide access control for workloads error { uncompressedStream, err := gzip.NewReader(gzipStream) if err != nil { return fmt.Errorf("create gzip reader: %v", err) } tarReader := tar.NewReader(uncompressedStream) for { header, err :=
0 credits | 55 pages | 703.94 KB | 1 year ago

Istio Security Assessment
High Medium Low Informational 3 | Google Istio Security Assessment Google / NCC Group Confidential Table of Findings For each finding, NCC Group uses a composite risk score that takes into account the severity Reproduction Steps • Modify the default policy mesh config map for “controlPlaneAuthPolicy: MUTUAL_TLS” • Create an Istio setup with control plane security enabled: istioctl install --set values.global.control function defined in istio/pkg/config/validation/validation.go Impact An attacker that is able to create an Istio VirtualService within a Kubernetes cluster can hijack the requests of any other namespace’s
0 credits | 51 pages | 849.66 KB | 1 year ago

IstioCon 2021 Partner Packages
China TZ 1. Getting involved - Content 2. Getting involved - Financial support The following table describes the event bundles that allow IstioCon to showcase a multi-vendor ecosystem of partners can listen to music. Social event live music Available sponsorship: 2 ● We hire an artist to create a large scale unique piece that combines all the themes that are addressed during the conference
0 credits | 23 pages | 3.18 MB | 1 year ago

Preserve Original Source Address within Istio
marked 1337 ip -f inet rule add fwmark 1337 lookup 133 ip -f inet route add local default dev lo table 133 ③ echo 1 > /proc/sys/net/ipv4/conf/eth0/route_localnet #IstioCon Preserve TCP Original Src
0 credits | 29 pages | 713.08 KB | 1 year ago

Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
of time and effort – Realistic outcome: Just create E2E tests • What is our solution? – Leverage Istio sidecar to listen to API traffic data and create tests from the data – 10x speed in creating API API tests • Can also be sped up by just navigating the application UI – Create E2E tests, component tests and service tests from the same data • Key product benefits (#releases, #rollbacks, MTTR, #bugs-in-production development process. That’s not good!! | CONFIDENTIAL Start testing earlier Create and maintain a balanced test pyramid Create different types of tests with low effort 7 What we need… End-to-end Component
0 credits | 21 pages | 1.09 MB | 1 year ago

5 tips for your first Istio.io Contribution
Commits - Documentation fixes, UI adjustments #IstioCon Commits ● For anything larger or bug fixes, create an issue and ask around for opinions ● General Contributing Guide ● Contributing Documentation: Process ● Viewing changes as if they were live ● Linter is pretty specific ● Don't forget to update/create a test if the page changed is tested! #IstioCon Run make lint locally to verify changes and check Netlify preview to view updates as if they were live #IstioCon Summary ● Don't be afraid to create issues, ask around, and share your ideas ● Join the Working Group ● Contributing ○ Check out
0 credits | 14 pages | 717.74 KB | 1 year ago

Exploring and Practicing Istio-Based Microservice Governance Event Monitoring
Transactionid(CA SDK support) TOM (who) Create a checklist(action) At 2018-0930(time) Log output (Transaction ID) C(application) Transactionid(CA SDK support) TOM (who) Create a checklist(action) At 2018-0930(time) 2018-0930(time) Log output B(application) Transactionid(CA SDK support) TOM (who) Create a checklist(action) At 2018-0930(time) Log output Get the corresponding logs for one time request by transaction ID Request(Transaction
0 credits | 29 pages | 8.37 MB | 5 months ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Service spec: ... #IstioCon AccessPoint Spec Step 1: Access Point Spec ● Create the Specs on our Global Control Plane ● Realized on hardware LBs ● Internal orchestration & UI cluster ■ Each Istio deployment manages subset of namespaces using DiscoverySelectors ○ Overall, create macro-segments for different environments #IstioCon Step 4: Evolving Security ● Origin or Request debounce interval, push concurrency, etc. #IstioCon Control-plane Scale Testing: Setup ● Setup ○ Create Gateway Pods & thousands of Pods with sidecar Envoys ○ Measure Config convergence time ■ Time taken
0 credits | 22 pages | 505.96 KB | 1 year ago

Secure your microservices with istio step by step
trafficPolicy: tls: mode: ISTIO_MUTUAL 1) Generate client and server certificates and keys 2) Create a secret for the ingress gateway: productpage-credential 3) Define a gateway which specifying above attaching certificate file Access productpage 1) Generate client and server certificates and keys 2) Create a secret for the ingress gateway: productpage-credential 3) Define a gateway which specifying above
0 credits | 34 pages | 67.93 MB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
identity token ● All we have to do is ○ specify a new WorkloadGroup with a template (to create WorkloadEntry) ○ create a ServiceEntry (to select specific workloads) #IstioCon What Else Did Not Solve?
0 credits | 50 pages | 2.19 MB | 1 year ago