Istio Security Assessment
Findings (excerpt): RBAC within a Namespace (015, Medium); Default Sidecar Image Not Hardened (001, Low); The Sidecar Does Not Use AppArmor/Seccomp By Default (005, Low); Insecure File Permissions Set (007, Low); Istio Client-Side Bypasses [...]

[...] any plaintext endpoints exposed via its control plane, and should enforce that all network communications use mTLS (or at minimum TLS) for communications within the istio-system namespace / control plane.

[...] include: /docs/ops/best-practices/security/: this section only provides two general recommendations: use namespaces for isolation (a contentious perspective) and configure third-party service account tokens.

51 pages | 849.66 KB

Istio is a long wild river: how to navigate it safely
[...] achieve our goal.

Workaround: use postStart and preStop lifecycle hooks (Stabilizing Istio)

1. Ensure that Envoy is started before any other container in a pod: use a `postStart` lifecycle hook in [...]yStarts: true
2. Ensure that Envoy is stopped after any other container in a pod: use a `preStop` lifecycle hook in the container.

69 pages | 1.58 MB

Using ECC Workload Certificates (pilot-agent environmental variables)
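The two-hook workaround listed under "Istio is a long wild river" above, as an added example that is not code from the talk or from Istio's own injection template. It assumes Istio's injector merges fields declared on a user-supplied container named istio-proxy (with the `image: auto` placeholder) into the injected sidecar, that the proxy container is listed first so the kubelet starts it first and waits for its postStart hook before starting the app container, and that `netstat` exists in the proxy image (it does not in distroless images). The pod name and app image are placeholders.

```yaml
# Added example: a Pod applying the postStart/preStop ordering workaround.
apiVersion: v1
kind: Pod
metadata:
  name: web            # placeholder
  labels:
    app: web
spec:
  # Give the preStop loop below room to finish before the kubelet kills the pod.
  terminationGracePeriodSeconds: 60
  containers:
  # Assumption: the injector merges this into the injected istio-proxy container.
  - name: istio-proxy
    image: auto        # placeholder the injector replaces with the real proxy image
    lifecycle:
      # Step 1 (startup): the kubelet starts containers in manifest order and
      # waits for a container's postStart hook to return before starting the
      # next one. Blocking here until Envoy reports ready therefore holds back
      # the app container. `pilot-agent wait` polls the proxy readiness endpoint.
      postStart:
        exec:
          command: ["pilot-agent", "wait"]
      # Step 2 (shutdown): preStop runs before SIGTERM reaches this container.
      # The sidecar shares the pod network namespace, so it can watch the app's
      # listening TCP sockets and keep Envoy alive until they are gone.
      # Assumption: netstat is available in the proxy image.
      preStop:
        exec:
          command:
          - /bin/sh
          - -c
          - |
            while [ "$(netstat -plnt 2>/dev/null | grep tcp | grep -v envoy | wc -l | xargs)" -ne 0 ]; do
              sleep 1
            done
  # The application container starts only after the postStart hook above returns.
  - name: web
    image: nginx:1.25  # placeholder application image
    ports:
    - containerPort: 80
```

Step 1 is what the injector's own holdApplicationUntilProxyStarts option does (it moves istio-proxy to the front of the container list and adds the same `pilot-agent wait` postStart hook); step 2 has no built-in equivalent in that option, which is why the preStop loop is needed. Check the result with `kubectl get pod web -o jsonpath='{.spec.containers[*].name}'` (istio-proxy must be listed first) and by deleting the pod while the app has an open listener: the istio-proxy container should terminate after the app container, not before.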
[...] environments, the need for x509 certificates that use Elliptic Curve Cryptography (ECC) is a requirement. In Istio 1.6, support for workloads to use ECC certificates for mTLS in sidecar-to-sidecar [...] must use ECC cryptography (using ECDSA P-256) to use this feature. Only ECDSA P-256 is supported.

pilot-agent environmental variables. Disclaimer: environmental variables and their use will be deprecated in a future release; use at your own discretion. To enable this, users must set the ECC_SIGNATURE_ALGORITHM environmental variable on sidecar injection to ECDSA for use by pilot-agent. For gateways [...]

9 pages | 376.10 KB

Is Your Virtual Machine Really Ready-to-go with Istio?
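The ECC_SIGNATURE_ALGORITHM setting described under "Using ECC Workload Certificates" above, as an added example that is not taken from the talk. It uses Istio's proxyMetadata mechanism, which passes key/value pairs to pilot-agent as environment variables, mesh-wide through the IstioOperator resource and per-workload through the `proxy.istio.io/config` annotation; the deployment name and namespace are placeholders.

```yaml
# Added example: mesh-wide default. Every injected pilot-agent receives
# ECC_SIGNATURE_ALGORITHM=ECDSA and requests an ECDSA P-256 workload key/CSR.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      proxyMetadata:
        ECC_SIGNATURE_ALGORITHM: "ECDSA"
---
# Added example: per-workload opt-in instead of a mesh-wide default.
# The annotation body is a ProxyConfig fragment merged over the mesh default.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin          # placeholder
  namespace: default     # placeholder
spec:
  selector:
    matchLabels:
      app: httpbin
  template:
    metadata:
      labels:
        app: httpbin
      annotations:
        proxy.istio.io/config: |
          proxyMetadata:
            ECC_SIGNATURE_ALGORITHM: "ECDSA"
    spec:
      containers:
      - name: httpbin
        image: docker.io/kennethreitz/httpbin   # placeholder application image
```

As the talk notes, the CA must itself be ECC (ECDSA P-256) for this to work, so check both ends: the issuing CA key and the leaf certificate. Dump the workload certificate with `istioctl proxy-config secret <pod> -o json`, base64-decode the default certificate chain, and run `openssl x509 -noout -text` on it; a successful switch shows `Public Key Algorithm: id-ecPublicKey` with `ASN1 OID: prime256v1` and an `ecdsa-with-SHA256` signature. An RSA `Public Key Algorithm: rsaEncryption` means the variable did not reach pilot-agent for that pod.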
What is Istio? A service mesh. But more: an open service platform! More use cases! (Consul, Kuma…)

Emerging Use Cases. Legacy Scenarios: stateful applications, data store [...]

[Sequence diagram: cached DNS response 10.4.4.4; DNS queries go to the system-configured name servers; Envoy does not use the agent's DNS cache; HTTP request to 10.4.4.4, GET /status/200, httpbin.ns1.svc.cluster.local, SVC IP: [...]]

Expect more? And what else do we need? Why we expect more: a closer look… Example use case: telco and edge computing, where VMs play a crucial role now and later, and where service mesh is [...]

50 pages | 2.19 MB

Istio audit report - ADA Logics - 2023-01-30 - v1.0
[...] Go, which shields the project from memory-unsafe implementation issues such as buffer overflow and use-after-free issues. Envoy, which plays a core role in the Istio service mesh, is implemented in C++ [...]

Findings (excerpt; columns: ID, title, severity, difficulty, fixed): 6 Istio skips certificate verification (Low, High, Yes); 7 Unhandled errors (Informational, n/a, Yes); 8 Use of deprecated 3rd party library (Low, High, Yes); 9 TOCTOU race conditions in file utils (Medium, High, Yes) [...]

Istio Security Audit, 2023. 8: Use of deprecated 3rd party library. Severity: Low. Difficulty: High. Fixed: Yes. Affected components: pkg/model. Vectors: CWE-1104: Use of Unmaintained Third Party Components

55 pages | 703.94 KB

Istio-redirector: the way to go to manage thousands of HTTP redirections
[...] GKE, with GCLB and Istio IngressGateway. Request path: User, Google Cloud Load Balancer, Gateways, Web App.

How do we use Istio?

    [...]
    spec:
      gateways:
      - istio-system/istio-ingressgateway
      hosts:
      - www.blablacar [...]

[...] cluster. Expose an API to be used with REST or a CLI. React.js SPA: allow non-developers to use the API and analyze existing redirections without technical skills. Ease the work of our SEO specialist [...]

[...]com/blablacar/istio-redirector. And leave a star!

How can we use istio-redirector? The GitHub repository also hosts a Helm chart that you can use to deploy istio-redirector on your own cluster. Feel free [...]

13 pages | 1.07 MB

宋净超: From Open-Source Istio to Enterprise-Grade Services: How to Adopt a Service Mesh in the Enterprise
Outline: Background; Enterprise Service Mesh: Tetrate Service Bridge; Tetrate OSS Projects; Use Case; Resources. Tetrate, the Service Mesh Creators. Zack Butcher, Istio Steering Committee. Jeyappragash [...]

[...] added to the group will use macro APIs that automatically generate Istio APIs under the hood. Direct: indicates that the configurations to be added to the group will directly use Istio APIs. Tetrate Config [...]

[...] scanning. GitHub Envoy Gateway. API standardization. Support for the Kubernetes Gateway API. Use Case: a financial company. Istio: control plane. Tetrate Service Bridge: management plane. Envoy: data [...]

30 pages | 4.79 MB

Preserve Original Source Address within Istio
Original Address Preserve: Background; Demo. 1. HTTP Original Address Preserve.

What is the use case of the original address? 1. Sticky session: based on IP hash, traffic from the same client is forwarded [...]

[...] configuration. use_remote_address: Envoy will only append to XFF if the use_remote_address HTTP connection manager option is set to true and skip_xff_append is set to false. xff_num_trusted_hops: if use_remote_address [...]

29 pages | 713.08 KB

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
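The use_remote_address and xff_num_trusted_hops options described under "Preserve Original Source Address within Istio" above, as an added example that is not code from the talk. It patches the HTTP connection manager of the Istio ingress gateway with an EnvoyFilter; it assumes exactly one trusted L7 proxy (for example a cloud load balancer that appends the client address to X-Forwarded-For) sits in front of the gateway, and that the gateway pods carry the default `istio: ingressgateway` label.

```yaml
# Added example: trust exactly one hop of X-Forwarded-For on the ingress gateway.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ingressgateway-xff
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway      # assumption: default gateway label
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          # Treat the TCP peer as the starting point and append it to XFF
          # (append happens only when use_remote_address is true and
          # skip_xff_append is false, as the talk states).
          use_remote_address: true
          skip_xff_append: false
          # Number of proxies between the client and this gateway whose XFF
          # entries are trusted. With 1, Envoy takes the last XFF entry (the
          # address the load balancer saw) as the client address. Set this to
          # the real hop count: a larger value lets a client choose its own
          # "original" address by pre-seeding X-Forwarded-For, which defeats
          # IP-hash stickiness and any IP-based authorization downstream.
          xff_num_trusted_hops: 1
```

Verify with a request carrying a forged header, e.g. `curl -H 'X-Forwarded-For: 1.2.3.4' https://<gateway>/` against a backend that echoes headers: with the patch applied, the upstream's X-Envoy-External-Address reflects the address the load balancer appended, not 1.2.3.4. Istio 1.8 and later expose the same knob without an EnvoyFilter as `meshConfig.defaultConfig.gatewayTopology.numTrustedProxies`, which is the safer choice when you do not need other HCM fields.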
[...] knative-ingress-gateway for external access and knative-local-gateway for cluster-local access. They use the Istio gateway service istio-ingressgateway as their underlying service. Knative Activator or Application [...]

[...] TLS is enabled to secure the user application traffic end to end in production. Allow the platform to use Istio authorization policy to control access to each Knative service based on Istio service roles [...]

[...] enabled, all traffic goes through Kube services managed by the Istio mesh. The Knative community is working to use DestinationRules so that Pod IPs are addressable directly. Knative issue: https://github.com/istio/istio/issues/23494 [...]

23 pages | 2.51 MB

Accelerate Istio-CNI with ebpf
[...] In the inbound case, the 4-tuple key may conflict because the src/dst IP addresses are the same. Use the pod IP as the hash key: generating a unique key from pod_ip is a way to distinguish sockets from different network [...]

15 pages | 658.90 KB