Istio Security Assessment
… For each finding, NCC Group uses a composite risk score that takes into account the severity of the risk, application's exposure and user population, technical difficulty of exploitation … enabled, there does not appear to be a way to restrict a Pod's access to them. Attempts to modify the settings to "controlPlaneAuthPolicy: MUTUAL_TLS" did not appear to have any effect on preventing a Pod … not recommendations. Use namespaces for isolation (a contentious perspective) and configured third-party service account tokens instead of using Kubernetes built-in tokens. This section should clearly outline what the …

Apache Kafka with Istio on K8s
… downtime • Unified, simplified configuration to enable mTLS for all services • Kubernetes service account based authn/authz • Secure cross-cluster interaction between client apps and Kafka … Security goals … container • Client certificate includes the K8s service account of the Kafka client application • SPIFFE://<trust domain>/ns/<namespace>/sa/<service account name> • Configurable certificate expiration • On …

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
… root CA ■ Each workload gets a unique identity based on its K8s Service account: spiffe://<trust domain>/ns/<namespace>/sa/<service account> ■ The following assertions are enforced through admission checks: ● Each namespace is globally unique across all clusters ● Each deployment is associated with a unique service account ○ Trust Domain mapped to workload environments ■ Prod, Pre-prod, PCI, Staging, etc. ○ To support …

Is Your Virtual Machine Really Ready-to-go with Istio?
Workload Abstraction ● Workload Entry ○ single non-Kubernetes workload ○ mTLS using service account ○ works with an Istio ServiceEntry ● Workload Group ○ a collection of non-K8s workloads ○ metadata … platform-specific identity ■ w/o a platform-specific identity ● using a short-lived K8s service account token ● Automatic certificate rotation ● Validation of the proxy's status for VM-based workloads …

Developing & Debugging WebAssembly Filters
… Global Service Failover, Multi Mesh … Copyright © 2020 … Orders, Citadel, Pilot, Galley, User Account, Istiod … Understanding Istio: Control and data planes … data plane, control plane …

Istio is a long wild river: how to navigate it safely
… vCPU (1 worker/vCPU) ● Load test your workloads at different levels of concurrency and resources ● Account for RPS/pod when calculating the capacity and beware of HPA ● Capacity differs greatly depending …

Istio audit report - ADA Logics - 2023-01-30 - v1.0
… circumvent the configured policies. It is Istio's assumption that default settings are secure, and insecure default settings would be considered a security issue. Policy enforcement points must securely …

Moving large scale consumer e-commerce Infrastructure to Mesh
… etc. ● Passthrough mode downgrades the gRPC/HTTP2 protocol to HTTP/1.1 ● Tune connection and TCP settings ● Handle signals gracefully (SIGINT, SIGTERM) ● Automate for easy management of setup across environments …

Observability and Istio Telemetry
Vocabulary: https://istio.io/docs/reference/config/policy-and-telemetry/attribute-vocabulary/ … Metric settings in Istio … bypass adapter … • Service. Represents a set/group of workloads that provide the same behaviors …

Using Istio to Build the Next 5G Platform
… reserved. ● Augment tracing to surface 5G-specific tags ● Optimize HTTP/2 stream and connection settings ● Configure sidecar proxy concurrency … Tuning Istio to Meet 5G Requirements … ©2021 Aspen Mesh
10 results in total