Istio Security Assessment
…Networking controls allowing inbound and outbound access of Istio services. • Istio Envoy Usage: The configuration and implementation of Envoy within Istio (NOTE: Envoy itself was not part of the assessment) did not appear to be possible to secure the control plane either by the controlPlaneSecurity configuration directive or other means. This left all default services exposed within the cluster. • The default Istio sidecar … and would allow a malicious workload to override or compromise their own Istio configuration. Strategic Recommendations • Build opinionated profiles for security: Istio allows a variety…
51 pages | 849.66 KB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
…Scala, etc. ● Running on variety of hardware ○ General-purpose x86 servers ○ GPUs #IstioCon Application Deployment: Cloud Layout ● Region: A metro region ● DC: One or more Data Centers in each Region … customer ○ PoPs are mini AZs [diagram: Region R1 with AZ 1, AZ 2, AZ n; Data Center DC1; Region Rn] Application Deployment: Cloud Layout ● Multiple K8s Clusters in an AZ ○ Each K8s cluster ~200-5,000 nodes [diagram: Region Rn] Application Specs [diagram: Region R1] Application Deployment: Federation ● Hierarchy of control planes ● Global Control Plane ○ Users provide application specs to Global Control-Plane…
22 pages | 505.96 KB | 1 year ago
Istio is a long wild river: how to navigate it safely
…| grep -v envoy | wc -l | xargs) -ne 0 ]; do sleep 1; done"] This preStop hook will wait for application connections to be drained before stopping the container. Workaround: Use postStart and preStop … that Envoy is stopped after any other container in a pod ● Use a `preStop` lifecycle hook in the application container manifest: lifecycle: preStop: exec: … connection draining may not complete, leading to 5xx errors Example: for sleep 30 + sleep 45 in the application container, we set terminationGracePeriodSeconds to 90 seconds. Warning: These are workarounds…
Full-stack service mesh: Aeraki helps you manage any layer-7 traffic in the Istio service mesh
…Management ❏ MetaProtocol: a generic layer-7 protocol framework for service mesh #IstioCon Protocols in a Typical Microservice Application [diagram: services communicating over RPC and through a message broker] … with application layer error codes ○ HTTP status code ○ Redis Get error ○ ... ● Observability with application layer metrics ○ HTTP status code ○ Thrift request latency ○ ... ● Application layer authorization: Identity/Source IP/Dest Port ○ Request level auth is impossible BookInfo Application - AwesomeRPC [diagram: ProductPage to Reviews v1 over AwesomeRPC (header: user != Jason), AwesomeRPC (header:…]
29 pages | 2.11 MB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
…use Istio gateway service istio-ingressgateway as its underlying service. Knative Activator or Application Front door design #IstioCon - Traffic Splitting, blue/green deployment How Istio is leveraged Inspection - Security with Service Mesh enabled • mutual TLS is enabled to secure the user application traffic end to end in production • Allow platform to use Istio authorization policy to control … duration from Knative Ingress and Istio VirtualService are created to Knative probe thinks the configuration works. o [Istio 1.5.4] Istio is picking up new VirtualService slowly 30s … Istio…
23 pages | 2.51 MB | 1 year ago
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
…Ways to add a new filter ● Built-in filters & community provided: ○ https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/http_filters ○ …. ● Custom development: ○ Static precompilation: ■ Integrate other filters into Envoy's source code and compile a new Envoy version. … runtime ○ ~20MB for WAVM ○ ~10MB for V8 ● Event-driven model ● Compatible with the native filter invocation style Example Wasm filter configuration ● Configuration delivered to the Envoy proxy side OCI Registry As Storage ● Reference implementation of the OCI Artifacts project; greatly simplifies storing arbitrary content in an OCI registry; …com/asm/asm-test:v0.1 --manifest-config runtime-config.json:application/vnd.module.wasm.config.v1+json example-filter.wasm:application/vnd.module.wasm.content.layer.v1+wasm ○ Wasm artifact image specification reference…
23 pages | 2.67 MB | 1 year ago
宋净超 (Jimmy Song): From open-source Istio to enterprise-grade services: how to adopt a service mesh in the enterprise
…to Enterprise Service Mesh 宋净超 (Jimmy Song) September 24, 2022 Shanghai, China Cloud Native Application Networking Secure, Observe and manage microservices Outline ● Background ● Enterprise Service … complexity and lack of operational agility ● You can't be Cloud Native at scale without a modern application-aware network Cloud != Cloud Native Bare metal VMs Kubernetes VMs ● Monolith was decoupled to … different from the perspective of a developer building and operating an application Why is Istio? TSB: The Application-Aware Networking Platform Istio: Control Plane Tetrate Service Bridge: Management…
30 pages | 4.79 MB | 6 months ago
Moving large scale consumer e-commerce Infrastructure to Mesh
…in Go #IstioCon Architecture Overview - Discovery and Routing ● Service Discovery and Configuration using Consul ● HTTP/TCP traffic via HAProxy ● gRPC traffic via Envoy ● Internet egress proxy layer (HAProxy/Envoy) … ● More control over load balancing ● Offload application services from networking and configuration ● Avoid other sources of failures (Consul etc.) ● Possible benefits on Observability…
14 pages | 1.76 MB | 1 year ago
Apache Kafka with Istio on K8s
…certificates • On the fly certificate renewals with no service downtime • Unified simplified configuration to enable mTLS for all services • Kubernetes service account based authn/authz • Secure cross-cluster … certificates may take different formats (JKS, PEM, etc.) • Client certificate renewal may require client application restarts Challenges – Client certificates • mTLS provided by Istio • Server certificate provided … sidecar container • Client certificate includes the K8s service account of the Kafka client application • SPIFFE:///ns/ /sa/ • Configurable certificate…
14 pages | 875.99 KB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
…from the data – 10x speed in creating API tests • Can also be sped up by just navigating the application UI – Create E2E tests, component tests and service tests from the same data • Key product benefits … /reviews rewrite: uri: /api/ms/CubeCorp/MovieInfo/test/reviews/reviews On-demand configuration to test any component/service | CONFIDENTIAL [diagram: REQUEST, RESPONSE, API MOCKS, ASSERTION RULES; Local Service Testing by Devs; Component, E2E Tests; Service Tests; Learning from usage of application and services; Dev Usage; Staging/UAT Env; API catalog] #Rollbacks MTTR…
21 pages | 1.09 MB | 1 year ago
31 results in total