or other means. This left all default services exposed within the cluster. • The default istio profile that is labeled for produc- tion lacks many hardening controls and should be replaced with a more ronments, but it’s difficult to say which is a hardened, production-ready approach. Having a secured profile with an opinionated cluster configuration will help guide users towards building secured environments composite risk score that takes into account the severity of the risk, application’s exposure and user population, technical difficulty of exploitation, and other factors. For an explanation of NCC Group’s

Istio-agent and manage network traffic between microservices. The control plane is responsible for applying user configuration to the proxies. The following diagram demonstrates the Istio architecture: 11 Istio authentication to verify the client making the connection. 2. Request authentication: Used for end-user authentication to verify the credential attached to the request. Authorization Istio allows users trust boundaries. This could be a user that has been granted limited cluster privileges and seeks to perform harmful actions they should not have actions to perform. This user may have permission to perform

SPRING CLOUD GATEWAY www.my-application.com 75% or Header: X-User-Type: Non-Admin RIBBON (Client-Side Load Balancer) 25% or Header: X-User-Type: Admin Service Instance V1 Service Instance V1 Service SPRING CLOUD GATEWAY www.my-application.com 75% or Header: X-User-Type: Non-Admin RIBBON (Client-Side Load Balancer) 25% or Header: X-User-Type: Admin Service Instance V1 Service Instance V1 Service ISTIO VIRTUAL SERVICE + Destination Rules Header: X-User-Type: Non-Admin Header: X-User-Type: Admin Header: X-User-Type: Non-Admin Header: X-User-Type: Admin Destination Rule:

Cluster Global Service Failover Multi Mesh 4 | Copyright © 2020 Orders Citadel Pilot Galley User Account Istiod Understanding Istio: Control and data planes data plane control plane 5 | Copyright WebAssembly? 8 | Copyright © 2020 8 | Copyright © 2020 User Experience 9 | Copyright © 2020 10 | Copyright © 2020 SECURITY Technology User Experience 11 | Copyright © 2020 11 | Copyright © 2020 Store Deploy Debug Debug in Production Cluster 1 Acco unt User Cluster 2 Istiod Order s User AWS EKS Istiod Order s User Acco unt Ingre ss Ingre ss Ingre ss Gloo Mesh Management Plane

spec: hosts: - reviews.prod.svc.cluster.local awesomeRPC: - name: ”canary-route" match: - headers: user: exact: jason route: - destination: host: reviews.prod.svc.cluster.local subset: v2 - name: ”default" cluster.local", "reviews" ], "routes": [ { "name": ”canary-route" "match": { "headers": [ { "name": ":user", "exact_match": "jason" } ], }, "route": { "cluster": "outbound|9080||reviews.default.svc.cluster • Telemetry collecting Reviews v1 Reviews v2 AwesomRPC （header: user:jason) AwesomRPC （header: user:others) Envoy AwesomRPC （header: user: ***) Pilot 代码改动 • 解析 CRD • 生成 xDS 配置下发 优点： • 控制面改动小，可以快速实现对新协议的支持

TCP Protocol options • Proxy Protocol  L7 • HTTP header “x-forwarded-for” • User Protocol #IstioCon LVS ① user send traffic to LVS ② PREROUTING chain intercept packet and send it to INPUT ③ connection between user and real server #IstioCon HAPROXY- Transparent Transport ① user send traffic to haproxy ② HAPROXY works on userspace ③ Listen on vip + port and accept user connection ④ Loadbalancing: Loadbalancing: select a endpoint and init a connection to server with original user’s address (IP_TRANSPARENT) ⑤ Server’s response packet is flowing through the same path (TPROXY + Custom Route) #IstioCon

AwesomeRPC ProductPage Reviews v1 AwesomeRPC (header: user != Jason) AwesomeRPC (header: user = Jason) AwesomeRPC (header: user = XXX) Reviews v2 Let’s say that we’re running a bookinfo EnvoyFilter ProductPage Reviews v1 AwesomeRPC (header: user != Jason) AwesomeRPC (header: user = Jason) AwesomeRPC (header: user = XXX) Reviews v1 Pilot EnvoyFilter ● Match:

Inspection #IstioCon - Security with Service Mesh enabled • mutual TLS is enabled to secure the user application traffic end to end in production • Allow platform to use Istio authorization policy to #IstioCon o User cases: no service access cross user namespace. o The sidecar CR helps to limit the known egress hosts for sidecars, sidecar needs to knows mesh in his own user namespace only only. o We can limit the mesh size to namespace scope for all user namespaces easily. Unleash maximum scalability by fully leveraging Istio features in Knative with service mesh enabled • Enable Istio

on the VM ■ Dependency on K8s API server ■ Requires creating an RBAC impersonation rule for each user ■ Private key and CSR generation limited to Istio agent (no support of other provisioner tools dedicated gateway support (architectural changes) ○ No separating out the gateway used for untrusted user traffic from the internal mesh traffic ○ One of the viable solutions to communicate between Legacy by C/S #IstioCon (eBPF-based) TCP/IP Stack Bypass ● eBPF ○ In-kernel virtual machine ○ Running user code in kernel space safety ○ Tracing, security ○ Networking ● Hooks ○ sock_ops ■ Construct

use it in production? #IstioCon Feedback Across ● GitHub issues ● discuss.istio.io ● Twitter ● User discussions ● Upgrade survey #IstioCon Common Feedback ● Users found upgrades challenging ● Releases Generation ● Definition of Done #IstioCon Upgrade Working Group Mission: To improve the stability, user experience, and test infrastructure around Istio upgrades #IstioCon Upgrade Working Group - Stability supported methods ○ Test documentation using istio.io test framework #IstioCon Upgrade Working Group - User Experience ● Add pre-checks to identify and warn about known potential issues ○ Provide a clear