Secure your microservices with istio step by step
JianFeng Ding, LuYao Zhong #IstioCon Agenda ● Istio identity ● mTLS in Istio ● Secure ingress traffic ● Authorize ingress traffic ● Authorize in mesh traffic ● Summary Istio Architecture Connect Envoy 2. Request Cert (SDS) 3. CSR Auth: JWT 4. Cert signed with SPIFFE format Istio-proxy CA server Istio identity – how to get configuration ● Format: "spiffe:///ns peer-authentication to enable server side mTLS mTLS in Istio - PeerAuthentication Using ingress port and ingress host to send request: can access reviews-v1, reviews-v2 and reviews-v3 can reach v2 as
0 码力 | 34 pages | 67.93 MB | 1 year ago | 3
Bypassing conntrack: using eBPF to enhance IPVS and optimize K8s network performance
tc hooks • Triggered by ingress/egress packets IPVS bypass conntrack • Why IPVS depends on conntrack? • Iptables/conntrack SNAT • How IPVS bypasses conntrack? • Ingress • Move IPVS Netfilter hook program is easy to deploy • How to do SNAT in eBPF • Do SNAT in TC egress • Do reverse SNAT in TC ingress Tc egress Hit eBPF map? Does SNAT nic nic Y N • How IPVS talks with eBPF program? • eBPF
0 码力 | 24 pages | 1.90 MB | 1 year ago | 3
whats new in visual studio
https://aka.ms/cpp/linter • Clang-tidy https://aka.ms/cpp/clangtidy • MSVC Code Analysis https://aka.ms/cpp/ca/bg ⚡ Dynamic Analysis • Address Sanitizer https://aka.ms/asan • Fuzzing with libFuzzer https://aka
0 码力 | 42 pages | 19.02 MB | 5 months ago | 3
3 results in total