Service mesh security best practices: from implementation to verification
Anthony Roman, Lei Tang, Google, April 26, 2022. Who are we? Anthony Roman (Istio; GitHub: anthony-roman). Lei Tang (Istio; lei-tang). Session agenda: 1. Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture: ● Attack vectors. ● Service mesh security architecture and implementation. Attack Vectors and Surfaces: Istio is both a collection of security controls and an attack target. Workload Cluster
29 pages | 1.77 MB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Sudheendra Murthy, #IstioCon. Agenda: ● Introduction ● Applications Deployment ● Service Mesh Journey ● Scale Testing ● Future Direction ... catering to the AZ, e.g., AZ IPAM, Network Load-balancers, etc. ■ Full isolation by confining service failures to AZ boundary (diagram: AZ 1, AZ 2, AZ n; Data Center DC1; K8s clusters) ... Load balancing & Traffic Flow: ● Two tiers of hardware Load-Balancers (LB) ● Application-Tier LB ○ K8s service realized on Application-Tier LBs ● Web-Tier LB to control ○ Percentage of traffic sent to an
22 pages | 505.96 KB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
Istio scalability optimization during Knative Service provisioning ○ Unleash maximum scalability by fully leveraging Istio features in Knative with service mesh enabled ● Reference. Agenda, #IstioCon ... an Ingress Gateway • By default, Knative does not enable service mesh; it uses Istio as an Ingress Gateway. • Enable Secret Discovery Service (SDS) to monitor and mount secrets under istio-system to ingress ... and knative-local-gateway for cluster local access. They use Istio gateway service istio-ingressgateway as its underlying service. Knative Activator or Application Front door design, #IstioCon - Traffic
23 pages | 2.51 MB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
[1]) VM works on Istio! [1] Istio Service Mesh for VM Native, Chris Crall, Jianfei Hu, Google Cloud Next '19. #IstioCon Why Add VMs to the Mesh? ● = Why Service Mesh? ○ More services = more complexity ... Deterministic workloads with strong requirements ● For Istio ○ What is Istio? A service mesh. But more: an open service platform! ○ More use cases! ○ (Consul, Kuma…) #IstioCon Emerging Use Cases ... V1.1 Introducing Service Entry. Service Entry v.s. Service v.s. Endpoints ● Service Entry ○ An entry that Istio maintains internally ○ Describing the properties of a service, internal/external to
50 pages | 2.19 MB | 1 year ago

DBeaver Ultimate User Guide v24.2.ea
... using only one login and password. This is possible if you use SSO - Single Sign-On authentication service. You do not need to manage, store, and transfer user credentials. When a user connects to the database ... default simple mode for all connections (to show only schemas and tables and hide all system and service objects). How to manage preferences: The best way to manage user access, restrictions, and permissions ... The configuration here is similar to the standard SSH setup, but it's integrated within your cloud service provider's ... Configuring Cloud SSH Tunnels. DBeaver Ultimate User Guide 24.2.ea. Page 95 of 1171
1171 pages | 94.65 MB | 1 year ago

DBeaver User Guide v24.2.ea
... using only one login and password. This is possible if you use SSO - Single Sign-On authentication service. You do not need to manage, store, and transfer user credentials. When a user connects to the database ... default simple mode for all connections (to show only schemas and tables and hide all system and service objects). How to manage preferences: The best way to manage user access, restrictions, and permissions ... The configuration here is similar to the standard SSH setup, but it's integrated within your cloud service provider's ... Configuring Cloud SSH Tunnels. DBeaver User Guide 24.2.ea. Page 95 of 1171. 1.
1171 pages | 94.79 MB | 1 year ago

DBeaver Lite User Guide v24.2.ea
... using only one login and password. This is possible if you use SSO - Single Sign-On authentication service. You do not need to manage, store, and transfer user credentials. When a user connects to the database ... default simple mode for all connections (to show only schemas and tables and hide all system and service objects). How to manage preferences: The best way to manage user access, restrictions, and permissions ... (SERVER = DEDICATED) (SERVICE_NAME = XE) ) ) XE= (DESCRIPTION= (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = XE) ) ) Replace
1010 pages | 79.48 MB | 1 year ago

Apache Cassandra™ 10 Documentation February 16, 2012
Node 42. Starting/Stopping Cassandra as a Stand-Alone Process 42. Starting/Stopping Cassandra as a Service 42. Upgrading Cassandra 43. Best Practices for Upgrading Cassandra 43. Upgrading Cassandra: 0.8.x ... INSERT_HISTORICAL_PRICES -n 100. Running the Portfolio Demo Sample Application 6. 4. Start the web service (must be in the $DSCDEMO_HOME/website directory to start). $ cd $DSCDEMO_HOME/website $ java -jar ... Debian packages start the Cassandra service automatically. To stop the service and clear the initial gossip history that gets populated by this initial start: $ sudo service cassandra stop $ sudo bash -c 'rm
141 pages | 2.52 MB | 1 year ago

Project Harbor Introduction - Open source trusted cloud native registry
Harbor: API Routing, Core Service (API/Auth/GUI), Image Registry, Trusted Content, Vulnerability Scanning, Job Service, Admin Service. Harbor components; 3rd party components; SQL ... Tracker § Red Hat Security Data § Oracle Linux Security Data § Alpine SecDB. API Registry V2, Job Service, Console, DB, Harbor: Save Data, Pull Layers, Scan, Get Info, Dispatch Jobs, Rest API, CVE Repos ... HA via Harbor Helm chart: API Routing, Core Service (API/Auth/GUI), Image Registry, Trusted Content, Vulnerability Scanning, Job Service, Admin Service, SQL Database, Key/Value Storage, Chart.yml
36 pages | 12.65 MB | 1 year ago