Istio Security Assessment
Networking controls allowing inbound and outbound access of Istio services. • Istio Envoy Usage: The configuration and implementation of Envoy within Istio (NOTE: Envoy itself was not part of the assessment) did not appear to be possible to secure the control plane either by the controlPlaneSecurity configuration directive or other means. This left all default services exposed within the cluster. • The default Istio sidecar and would allow a malicious workload to override or compromise their own Istio configuration. Strategic Recommendations • Build opinionated profiles for security: Istio allows a variety
51 pages | 849.66 KB | 1 year ago

Istio-redirector: the way to go to manage thousands of HTTP redirections
Istio VirtualService. By creating a tool to ease the transition from a .csv file to an Istio VirtualService file. ● Golang service ○ Convert .csv to VirtualService ○ Open Pull Request on GitHub. #IstioCon How does it work? 1) Creating the .csv: SEO specialist creates the file manually, matching old URLs with the new ones based 2) Importing the file 3) Generating the Istio configuration 4) Deploy to production
13 pages | 1.07 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
managed Istio offering. 11 issues found ● 5 system resource exhaustion ● 1 arbitrary file write ● 1 missing file close ● 1 certificate skipping ● 1 case of unhandled errors ● 1 case of using a deprecated ... manage network traffic between microservices. The control plane is responsible for applying user configuration to the proxies. The following diagram demonstrates the Istio architecture. Istio Security boundaries: including authentication bypass, reading sensitive information, writing files to the underlying file system, exploiting logical errors. The security components have limited functionality, and it should
55 pages | 703.94 KB | 1 year ago

Extending service mesh capabilities using a streamlined way based on WASM and ORAS
Ways to add a new Filter ● Built-in Filter & Community Provided: ○ https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/http_filters ○ …. ● Custom development: ○ Static pre-compilation: ■ Integrate other filters into Envoy's source code and build a new Envoy version. ... runtime ○ ~20MB for WAVM ○ ~10MB for V8 ● Event-driven model ● Compatible with the native filter invocation style. Example Wasm filter configuration ● Configuration pushed down to the Envoy Proxy side. OCI Registry As Storage ● Reference implementation of the OCI Artifacts project, which greatly simplifies storing arbitrary content in an OCI registry; after obtaining the private registry login credentials, create the Secret with the following command ○ kubectl create secret generic asmwasm-cache -n istio-system --from-file=.dockerconfigjson=myconfig.json --type=kubernetes.io/dockerconfigjson
23 pages | 2.67 MB | 1 year ago

Secure your microservices with istio step by step
signed with SPIFFE format. Istio-proxy, CA server. #IstioCon Istio identity – how to get configuration ● Format: "spiffe:///ns/ /sa/ " ● istioctl proxy-config exec -c istio-proxy curl localhost:15000/config_dump. Istio identity – check configuration result ● Result: cert generated automatically with Istio identity. 1) Apply peer-authentication ... ingress host and secure ingress port to send request: From curl command: need attaching certificate file. Access productpage: 1) Generate client and server certificates and keys 2) Create a secret for
34 pages | 67.93 MB | 1 year ago

Istio is a long wild river: how to navigate it safely
multi-container pods. Stabilizing Istio: CPU: 1 Pod, App container, Sidecar container CPU: 100m, Container resources, HPA configuration (70% CPU):
metrics:
- type: Resource
  resource:
    name: cpu
    target:
      type:
69 pages | 1.58 MB | 1 year ago

Full-stack service mesh - Aeraki helps you manage any layer-7 traffic in an Istio service mesh
filter. LDS with AwesomeRPC filter. EnvoyFilter is an Istio configuration CRD, by which we can apply a "patch" to the Envoy configuration generated by Pilot. #IstioCon EnvoyFilter Example - Dubbo Traffic ... HTTP and gRPC. You can think of Aeraki as the "Controller" to automate the creation of envoy configuration for layer-7 protocols. Aeraki: Manage any layer-7 traffic in an Istio service mesh. Provides an abstract layer with Aeraki CRDs, hiding the trivial details of the low-level envoy configuration from operation ● Protocol-related envoy configurations are now generated by Aeraki, significantly
29 pages | 2.11 MB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
[Diagram labels: Request Traffic, Response Traffic, Specs synced from Federated Access Point, L4 Configuration, L7 Route Configuration, watch, Client Traffic tunneled to Ingress Gateways.] One Istio Deployment per service mesh spans all clusters in an AZ ○ Re-deployed Istio to AZ cluster ○ In Primary-Remote configuration within an AZ. [Diagram labels: AZ, AZ Cluster, Ingress Gateways, API Server, Istiod, East-West Gateway, watch.] ... EDS, LDS, RDS push times) ■ Resource usage (CPU, memory, etc.) ○ Secondary Goal ■ Fine-tune configuration params - debounce interval, push concurrency, etc. #IstioCon Control-plane Scale Testing:
22 pages | 505.96 KB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
duration from Knative Ingress and istio VirtualService are created to Knative probe thinks the configuration works. o [Istio 1.5.4] Istio is picking up new VirtualService slowly. #IstioCon [Istio x] Support for backpressure on XDS pushes to avoid overloading Envoy during periods of high configuration churn. This is disabled by default and can be enabled by setting the PILOT_ENABLE_FLOW_CONTROL ... • support for backpressure on XDS pushes to avoid overloading Envoy during periods of high configuration churn. Unleash maximum scalability by fully leveraging Istio features in Knative
23 pages | 2.51 MB | 1 year ago

Istio Service Mesh at Enterprise Scale
Failure. Adoption Challenges ● Multi-region deployments ● Non-flat networks ● Multi-tenant configuration ● Management of Istio installation ● Self-service mesh enablement for service owners. Demo: k8s, Istio. Istio Validation Webhooks ● Allow configuration only related to owned namespace ○ Only allow configuration for a "service's" hostname ● Validated ○ Deployments ○ Virtual
12 pages | 1.23 MB | 1 year ago