Set Sail for a Ship-Shape Istio Release
#IstioCon Set Sail for a Ship-Shape Istio Release. Brian Avery / twitter: @briansvgs / Red Hat Senior Software Engineer. Eric Van Norman / twitter: @kf0s / IBM Senior Software Engineer. #IstioCon First
18 pages | 199.43 KB | 1 year ago

How HP set up secure and wise platform with Istio
#IstioCon How HP set up secure and wise platform with Istio. John Zheng / john.zheng@hp.com. #IstioCon Agenda ➢ HP Horizon platform design with Istio ➢ Secure Platform ➢ Wise Platform ➢ Excellent Observability ... Excellent Observability: Istio (Envoy) can generate access logs for service traffic in a configurable set of formats. #IstioCon Excellent Observability - Access logs: Log Files, Parse istio-proxy Log
23 pages | 1.18 MB | 1 year ago

Istio Security Assessment
Hardened. 001 Low: The Sidecar Does Not Use AppArmor/Seccomp By Default. 005 Low: Insecure File Permissions Set. 007 Low: Istio Client-Side Bypasses. 014 Low: Sidecar Envoy Administrative Interface Exposed To Workload ... d is set to false, communication between the control plane will be secure by default.”1 In the “Default” profile used to represent a production environment, the “controlPlaneAuthPolicy” is set to “NONE” ... “controlPlaneAuthPolicy: MUTUAL_TLS” • Create an Istio setup with control plane security enabled: istioctl install --set values.global.controlPlaneSecurityEnabled=true • Deploy the customized default policy • Start a Pod
51 pages | 849.66 KB | 1 year ago

Preserve Original Source Address within Istio
based on IP hash, traffic from the same client is forwarded to the same backend. 2. Security Policy: set white/black list. 3. Access log & Stats. 4. Specific scenarios like SIP Trunking. #IstioCon Common HTTP connection manager option is set to true and skip_xff_append is set to false. xff_num_trusted_hops: if use_remote_address is true and xff_num_trusted_hops is set to a value N that is greater than ... 244.0.20 ① Setting the annotation sidecar.istio.io/interceptionMode: TPROXY, Istio will automatically set the original src filter and iptables rules. #IstioCon Preserve TCP Original Src Addr - inner ① Config
29 pages | 713.08 KB | 1 year ago

Using ECC Workload Certificates (pilot-agent environmental variables)
this, users must set the ECC_SIGNATURE_ALGORITHM environmental variable on sidecar injection to ECDSA for use by pilot-agent ○ For gateways this environmental variable also must be set on installation/upgrade. #IstioCon Other environmental variables: There are many other environmental variables that can be set. For more information see https://istio.io/latest/docs/reference/commands/pilot-agent/#envvars Remember:
9 pages | 376.10 KB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
of Istio. During the initial assessment, the Ada Logics auditing team reviewed the existing fuzzing setup. At the start of the audit, we made the following observations: ● Istio is integrated into OSS-Fuzz ... Certificate management ● Authentication ● Authorization ● Policy Enforcement Points (PEPs) ● A set of Envoy proxy extensions to manage telemetry and auditing. Certificate management: Alongside each Envoy ... configured Istio. If a threat actor is to exceed the trust boundaries they have been granted by way of the set of configurations, there is reason to believe this happens through a security vulnerability in the
55 pages | 703.94 KB | 1 year ago

IstioCon 2021 Partner Packages
and will be connected with a provider that can produce those items. ● Sponsoring vendors will set up a separate registration form on their own platform, directed from the event site. The participants ... away cloud credits, e-books, subscriptions to their services, discount codes, etc. ● Sponsors will set up a separate registration form on their own platform, directed from the event site. The participants
23 pages | 3.18 MB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
Net-istio is a Knative ingress controller for Istio. Knative is an open source project which provides a set of components (Serving and Eventing) that introduce event-driven and serverless capabilities for ... PILOT_DEBOUNCE_AFTER=100ms and PILOT_DEBOUNCE_MAX=10s are the env vars on pilot that can be tuned. o Setting PILOT_DEBOUNCE_AFTER=1s helps under our workload (we tested with 100ms, 1s, 2s, 5s, 10s). o With 800
23 pages | 2.51 MB | 1 year ago

Istio is a long wild river: how to navigate it safely
complete, leading to 5xx errors. Example: for sleep 30 + sleep 45 in the application container, we set terminationGracePeriodSeconds to 90 seconds. 20 Warning: These are workarounds, not solutions! Stabilizing ... pods, there are n sidecars ● Case 1: One size fits all (need to fit the biggest workload) + Easy to set, one default value for sidecar resources - Bigger default size = bigger cost ● Case 2: Adjust based
69 pages | 1.58 MB | 1 year ago

Accelerate Istio with ebpf
SOCKHASH: Hold socket as value. Istio Meetup China ebpf Background Knowledge. Prog type ● SOCK_OPS ➢ Set callbacks for TCP state changing ➢ Helper functions: BPF_MAP_UPDATE_ELEM, BPF_SOCK_HASH_UPDATE ● SK_MSG
15 pages | 591.60 KB | 1 year ago