Istio audit report - ADA Logics - 2023-01-30 - v1.0
support A/B testing, canary deployments, rate limiting, access control, encryption and end-to-end authentication. Istio itself is implemented in Go which shields the project from memory-unsafe implementation is that it offers a series of security features related to identity, policies, TLS encryption, authentication, authorization and internal auditing to enhance the security in the mesh. Istio's security components There are a number of ways an attacker would seek to exceed their trust boundaries including authentication bypass, reading sensitive information, writing files to the underlying file system, exploiting
0 points | 55 pages | 703.94 KB | 1 year ago

Secure your microservices with istio step by step
configuration result ● Result: cert generated automatically with Istio identity 1) Apply peer-authentication to enable server side mTLS mTLS in Istio - PeerAuthentication Using ingress port and ingress reviews-v3 can reach v2 as peer-authentication only defines behavior of server side and auto-mTLS is on by default Access productpage 1) Apply peer-authentication to enable server side mTLS mTLS curl command : 1) Invalid token can not pass the gateway, only valid token does 2) Delete JWT authentication request, invalid token can pass the gateway Access productpage #IstioCon Authorize ingress
0 points | 34 pages | 67.93 MB | 1 year ago

Apache Kafka with Istio on K8s
certificate and passes it to Kafka Kafka client authentication with Istio 10 Kafka client authentication with Istio 11 Kafka client authentication with Istio 12 • Istio provides a security layer
0 points | 14 pages | 875.99 KB | 1 year ago

Istio Security Assessment
hosted on 15014/TCP by default. This service exposes a web interface that is accessible without authentication to anything that is able to access its network interface. This means that all workloads from "rules": [{ "apiGroups": [ "", "extensions", "apps", "networking.k8s.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "config.istio.io" ], "resources": [ "*" ], "verbs": ["*"] } ] } assessment of rights. Auditing and Logging Related to auditing of actions, or logging of problems. Authentication Related to the identification of users. Configuration Related to security configurations of
0 points | 51 pages | 849.66 KB | 1 year ago

Moving large scale consumer e-commerce Infrastructure to Mesh
balancing ● Improve performance and resilience ● Stricter zonal routing ● Capability for service authentication and authorisation ● Improved Observability ● Extendable to multi-region setup #IstioCon Approach gateway services via Istio Gateway ● Towards RESTRICTED network policy ● On-board services to Authentication and Authorization as applicable #IstioCon Thank you! Rajath Ramesh rajathramesh@carousell
0 points | 14 pages | 1.76 MB | 1 year ago

How HP set up secure and wise platform with Istio
JWT Verify Using request authentication policy to Verify end-user JWT easily #IstioCon Secure Platform – mutual TLS Using mutual TLS for service-to-service authentication. • When a service receives
0 points | 23 pages | 1.18 MB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
environments #IstioCon Step 4: Evolving Security ● Origin or Request Authentication ○ Internal OpenID implementation for origin authentication ○ Plan to integrate with Istio #IstioCon How does it all scale
0 points | 22 pages | 505.96 KB | 1 year ago

Istio as an API Gateway
Common Features Common Features ● Load Balancing ● Request Routing ● Service Discovery ● JWT Authentication ● Traffic Splitting ● Canary Deployment ● Traffic Mirroring ● Rate Limiting ● TLS Termination
0 points | 27 pages | 1.11 MB | 1 year ago

Istio Project Update
Sidecar Pilot Agent Ingress Egress Istio Single Cluster Simplified #IstioCon Service Proxy Authentication Authorization Telemetry Extensibility New Extension Model Mixer #IstioCon Istiod Cluster
0 points | 22 pages | 1.10 MB | 1 year ago

Service mesh security best practices: from implementation to verification
security Access control Service Proxy Ingress Token exchange 1. Istio authentication and authorization policies for every service: mTLS to defend against data exfiltration; deny
0 points | 29 pages | 1.77 MB | 1 year ago
11 results in total