well-maintained and secure project with a sound code base, well-established security practices and a responsive product security team. 8 Istio Security Audit, 2023 Fuzzing The second goal of the audit was Istio-agent and manage network traffic between microservices. The control plane is responsible for applying user configuration to the proxies. The following diagram demonstrates the Istio architecture: 11 Istio authentication to verify the client making the connection. 2. Request authentication: Used for end-user authentication to verify the credential attached to the request. Authorization Istio allows users

composite risk score that takes into account the severity of the risk, application’s exposure and user population, technical difficulty of exploitation, and other factors. For an explanation of NCC Group’s namespace / control plane. As mentioned in finding NCC- GOIST2005-002 on page 13, there are debug interfaces exposed that cannot be disabled by Istio, so that even when all the security features are enabled access to. Reproduction Steps 1. Configure a cluster per Appendix E on page 49, with a restricted user confined to a "rest rict-test" namespace per the Istio cluster setup guide2 2. Obtain the output

not decreasing it. 66 Abstracting Istio Adopting Istio The same way as we build libraries and interfaces to improve productivity, we need to build proper abstractions to maximize the added value of Istio Automating the onboarding ● Making a feature fully automated and managed It improves by a lot: ● The user experience for developing services ● The maintainability of Istio for operators 67 How we abstract

SPRING CLOUD GATEWAY www.my-application.com 75% or Header: X-User-Type: Non-Admin RIBBON (Client-Side Load Balancer) 25% or Header: X-User-Type: Admin Service Instance V1 Service Instance V1 Service SPRING CLOUD GATEWAY www.my-application.com 75% or Header: X-User-Type: Non-Admin RIBBON (Client-Side Load Balancer) 25% or Header: X-User-Type: Admin Service Instance V1 Service Instance V1 Service ISTIO VIRTUAL SERVICE + Destination Rules Header: X-User-Type: Non-Admin Header: X-User-Type: Admin Header: X-User-Type: Non-Admin Header: X-User-Type: Admin Destination Rule:

Cluster Global Service Failover Multi Mesh 4 | Copyright © 2020 Orders Citadel Pilot Galley User Account Istiod Understanding Istio: Control and data planes data plane control plane 5 | Copyright WebAssembly? 8 | Copyright © 2020 8 | Copyright © 2020 User Experience 9 | Copyright © 2020 10 | Copyright © 2020 SECURITY Technology User Experience 11 | Copyright © 2020 11 | Copyright © 2020 Store Deploy Debug Debug in Production Cluster 1 Acco unt User Cluster 2 Istiod Order s User AWS EKS Istiod Order s User Acco unt Ingre ss Ingre ss Ingre ss Gloo Mesh Management Plane

spec: hosts: - reviews.prod.svc.cluster.local awesomeRPC: - name: ”canary-route" match: - headers: user: exact: jason route: - destination: host: reviews.prod.svc.cluster.local subset: v2 - name: ”default" cluster.local", "reviews" ], "routes": [ { "name": ”canary-route" "match": { "headers": [ { "name": ":user", "exact_match": "jason" } ], }, "route": { "cluster": "outbound|9080||reviews.default.svc.cluster • Telemetry collecting Reviews v1 Reviews v2 AwesomRPC （header: user:jason) AwesomRPC （header: user:others) Envoy AwesomRPC （header: user: ***) Pilot 代码改动 • 解析 CRD • 生成 xDS 配置下发 优点： • 控制面改动小，可以快速实现对新协议的支持

TCP Protocol options • Proxy Protocol  L7 • HTTP header “x-forwarded-for” • User Protocol #IstioCon LVS ① user send traffic to LVS ② PREROUTING chain intercept packet and send it to INPUT ③ connection between user and real server #IstioCon HAPROXY- Transparent Transport ① user send traffic to haproxy ② HAPROXY works on userspace ③ Listen on vip + port and accept user connection ④ Loadbalancing: Loadbalancing: select a endpoint and init a connection to server with original user’s address (IP_TRANSPARENT) ⑤ Server’s response packet is flowing through the same path (TPROXY + Custom Route) #IstioCon

AwesomeRPC ProductPage Reviews v1 AwesomeRPC (header: user != Jason) AwesomeRPC (header: user = Jason) AwesomeRPC (header: user = XXX) Reviews v2 Let’s say that we’re running a bookinfo EnvoyFilter ProductPage Reviews v1 AwesomeRPC (header: user != Jason) AwesomeRPC (header: user = Jason) AwesomeRPC (header: user = XXX) Reviews v1 Pilot EnvoyFilter ● Match:

Inspection #IstioCon - Security with Service Mesh enabled • mutual TLS is enabled to secure the user application traffic end to end in production • Allow platform to use Istio authorization policy to #IstioCon o User cases: no service access cross user namespace. o The sidecar CR helps to limit the known egress hosts for sidecars, sidecar needs to knows mesh in his own user namespace only only. o We can limit the mesh size to namespace scope for all user namespaces easily. Unleash maximum scalability by fully leveraging Istio features in Knative with service mesh enabled • Enable Istio

on the VM ■ Dependency on K8s API server ■ Requires creating an RBAC impersonation rule for each user ■ Private key and CSR generation limited to Istio agent (no support of other provisioner tools dedicated gateway support (architectural changes) ○ No separating out the gateway used for untrusted user traffic from the internal mesh traffic ○ One of the viable solutions to communicate between Legacy by C/S #IstioCon (eBPF-based) TCP/IP Stack Bypass ● eBPF ○ In-kernel virtual machine ○ Running user code in kernel space safety ○ Tracing, security ○ Networking ● Hooks ○ sock_ops ■ Construct