Istio Security Assessment
By Default 013 Medium Permissive Kubernetes RBAC within a Namespace 015 Medium Default Sidecar Image Not Hardened 001 Low The Sidecar Does Not Use Apparmor/Seccomp By Default 005 Low Insecure File canonicalization and prioritization between Hostnames should apply both to ensure a well-documented consistency and to prevent abuse by surreptitious updates of earlier-created hostnames. 12 | Google Istio exposed via sidecar (see finding NCC-GOIST2005-002 on the previous page) • Sidecar image using outdated, unhardened base image (see finding NCC-GOIST2005-005 on page 23) • Debug interface enabled for istiod
51 pages | 849.66 KB | 1 year ago

Service mesh security best practices: from implementation to verification
Data Loss Prevention Certificate Authority K8s Network Policy K8s RBAC Audit Logging Image Verification Admission Control Workload Identity K8s RBAC K8s CNI AuthZ Policy Peer AuthN Policy KMS Control Plane Hardening Istio Security Releases Complete Security Coverage Consistency Depth Visibility Completeness Service mesh security best practices 2 Cluster security Edge
29 pages | 1.77 MB | 1 year ago

Istio in production
"nais.io/v1alpha1" kind: "Application" metadata: name: app labels: team: pension spec: image: navikt/app:1 port: 8080 replicas: { min: 2, max: 4 } probes: { liveness: … } ingresses:
42 pages | 3.45 MB | 1 year ago

Developing & Debugging WebAssembly Filters
webassemblyhub.io/yuval/addheader-rust:v1 Build Store 14 | Copyright © 2020 Build Store WASM Artifact Image Specification 15 | Build Store Deploy > meshctl wasm deploy istio --mgmt-kubecontext kind-mgmt-cluster --deployment-name ratings-add-header --namespace bookinfo --image webassemblyhub.io/yuval/addheader-rust:v1 --cluster mgmt-cluster --labels app=ratings Extension Config
22 pages | 2.22 MB | 1 year ago

Canary release practice for Kubernetes container applications based on Istio
containers: - image: rating-v1 ... --- kind: Deployment metadata: name: rating-v2 spec: replicas: 3 template: metadata: labels: app: rating version: v2 spec: containers: - image: rating-v2
38 pages | 14.93 MB | 1 year ago

Canary release practice for Kubernetes container applications based on Istio
spec: containers: - image: rating-v1 kind: Deployment metadata: name: rating-v2 spec: replicas: 3 template: metadata: labels: app: rating version: v2 spec: containers: - image: rating-v2 Kubernet
34 pages | 2.64 MB | 5 months ago

Local Istio Development
Cluster + Registry docker push kubectl apply docker pull Local Kubernetes Local Registry + Fast! Image transfers are over localhost + Reproducible configuration with other developers and Istio tests
16 pages | 424.31 KB | 1 year ago

Istio is a long wild river: how to navigate it safely
non-idempotent methods as it triggers when a server is unavailable at the TCP level. Build your Istiod image, push your tag and use it in the IstioOperator manifest. 55 Istio proxy performance and capacity
69 pages | 1.58 MB | 1 year ago

Introduction to Envoy internals and pitfalls of production issues
flamegraph.pl out.folded > cpu.svg • Image modification • After compiling the pilot-agent and envoy binaries, replace them in the existing envoy image and configure that image in a custom deployment • Dockerfile: • FROM istio/proxyv2:1.9.0 COPY envoy /usr/local/bin/envoy COPY pilot-agent /u
30 pages | 2.67 MB | 1 year ago
9 results in total
Page 1