Istio Security Assessment Google August 6, 2020 – Version 1.1 Prepared for Arun Kumar R Prepared by Mark Manning Jeff Dileo Divya Natesan Andy Olsen Feedback on this project? https://my.nccgroup assessment was to identify security issues related to the Istio code base, highlight high risk configurations commonly used by administrators, and provide perspective on whether security features sufficiently subsequent phases of the assessment. A test plan was created which matched areas of code with specific security controls (e.g. service discovery, certificate lifecycle, side car injection) to focus testing efforts

Anthony Roman, Lei Tang Google April 26, 2022 Service mesh security best practices: from implementation to verification Who are we? Anthony Roman Istio Github: anthony-roman Lei Tang Istio agenda 1. Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture ● Attack Attack vectors. ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster Edge Operations

PRESENTS Istio Security Audit In collaboration with the Istio projects maintainers and The Open Source Technology Improvement Fund, Inc (OSTIF). ostif.org Authors Adam Korczynski This report is licensed under Creative Commons Attribution 4.0 International (CC BY 4.0) Istio Security Audit, 2023 Table of contents Table of contents 1 Executive summary 2 Notable findings 3 Project previous audit 50 Istio SLSA compliance 52 1 Istio Security Audit, 2023 Executive summary In September and October 2022 Ada Logics carried out a security audit of the Istio project. The audit was sponsored

management ○ Load balancing for VMs, failover, A/B testing, modern rollouts for VM services ● Security ○ Enforce the same policies in the same way, across compute environments ● Observability ○ See Extensibility #IstioCon Why Should Istio Support VMs ● ≈ Why VMs? ○ Technical reasons ■ Better known security controls ■ Better isolation (of resources, fault domains etc.) ■ Compatibility (non-Linux, unikernels) injection ○ automate VM registration ○ health/readiness check #IstioCon V1.7 VM Support with Added Security ● Secure bootstrapping process ○ Automate provisioning a VM's mesh identity (certificate) ■ based

#IstioCon Istio Architecture Connect, secure, control, and observe services. #IstioCon Security Architecture #IstioCon Bookinfo architecture without service mesh ● Reviews-v1 ○ doesn’t call accept only plain text ● UNSET: inherit from parent, default to PERMISSIVE if no set apiVersion: "security.istio.io/v1beta1“ kind: "PeerAuthentication“ metadata: name: "demo-peer-policy“ namespace: "default“ gateway Access productpage #IstioCon Authorize ingress traffic with JWT token apiVersion: "security.istio.io/v1beta1“ kind: "RequestAuthentication“ metadata: name: "jwt-example“ namespace: istio-system

Load-Balancer Web-Tier Load-Balancer Pods Pods Pods AZ 1 AZ 2 AZ n Client #IstioCon What about Security? ● L4 Micro-segmentation Solution ○ Central Policy store capturing Application-to-Application Layer Security (TLS) ● Custom OpenID implementation for L7 AuthN #IstioCon Why Service Mesh? ● Current challenges include - ○ Manageability of Hardware Devices ■ Traffic Management & Security Enforcement applications in a consistent way ● Service Mesh ○ An architectural pattern to implement common Security, Observability, Service Routing & Discovery functions as features of the infrastructure - ○ Functions:

Co-founder Chair CNCF SIG Security Varun Talwar Co-founder Co-creator gRPC, Istio Lizan Zhou Senior Maintainer, Envoy Community & Industry Leaders ● Founded CNCF SIG Security ● Secure and Hardened Istio ● Training and Certification Collaboration with NIST ● Author SP 800-204 series on microservice security ● R&D on Next Generation Access Control (NGAC) ● Exclusively co-host annual zero trust multi-cloud across clusters ● High availability & resiliency enabling active-active deployments ● Cross cluster security policies & access control ● Unified telemetry and availability reporting ● Service discovery

Toader & Zsolt Varga 2021-Feb-26 Apache Kafka with Istio on K8s 2 • Scalability • Resiliency • Security • Observability • Disaster recovery Production grade Apache Kafka on Kubernetes 3 • Secure service account based authn/authz • Secure cross-cluster interaction between client apps and Kafka Security goals 4 • Kafka brokers require private-key and certificate pairs • Private keys and certificates the fly certificate renewal • Kafka listeners configured in PLAINTEXT mode Security layer provided by Istio 8 Security layer provided by Istio 9 • Kafka does not process client certificate in PLAINTEXT

mySQL, PostgreSQL, MongoDB ... ● Other Layer-7 Protocols: ... Control Plane (Traffic Management, Security, Observability) #IstioCon What Do We Expect From a Service Mesh? 为了将基础设施的运维管理从应用代码中剥离，我们需要七层的流量管 application layer metrics ○ HTTP status code ○ Thrift request latency ○ ... ● Application layer security ○ HTTP JWT Auth ○ Redis Auth ○ ... IP Data IP Header TCP Data TCP Header Layer-7 Observability - only TCP metrics ○ TCP sent/received bytes ○ TCP opened/closed connections ● Security ○ Connection level authentication: mTLS ○ Connection level authorization: Identity/Source IP/

varies with autoscaling Hub and Spoke API Gateway Book Info Payments Product Info ✓ Security ✓ Visibility ✓ Traffic Shaping ✘ Latency ✘ Single Point of Failure Service Mesh API Gateway Product Info Proxy Proxy Proxy Proxy + k8s Istio mTLS mTLS mTLS ✓ Security ✓ Visibility ✓ Traffic Shaping ✓ Latency ✓ Single Point of Failure Adoption Challenges