Istio Security Assessment
    Description: A cryptographic hash is a function which takes a string of bytes and returns a small, fixed-size value. Hash functions guarantee that the same input always results in the same output. When used com/" 21 | Google Istio Security Assessment Google / NCC Group Confidential BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-
    51 pages | 849.66 KB | 1 year ago

Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
    tests and service tests from the same data • Key product benefits (#releases, #rollbacks, MTTR, #bugs-in-production, reduced eng effort for testing, velocity) – Early testing of services components auto-generated Develop • Wait for all API updates Test • Run E2E API tests to identify problems Iterate • Fix bugs • Repeat Testing starts late in the API development process. That's not good!! | CONFIDENTIAL and services Dev Usage Staging/UAT Env API catalog | CONFIDENTIAL #Rollbacks MTTR #Bugs Release Velocity Scale API Functional & Integration Testing Improve productivity of each of your
    21 pages | 1.09 MB | 1 year ago

IstioCon2023 Welcome Keynote
    particular Istio questions to the gamified wizards of Stack Overflow. Bugs And Security ● Read this quick explanation on how to report bugs, in code or in documentation. ● The Istio security team responds
    14 pages | 1.31 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
    an HTTP request smuggling attack vector. The issue was disclosed to the Golang security team who fixed the vulnerability and assigned it CVE-2022-41721. Istio Security Audit, 2023 Project summary 2022 Status meeting #3 October 17 2022 Status meeting #4 December 15 2022 All issues have been fixed Istio Security Audit, 2023 Audit scope The following assets were in scope of the audit. Istio Issues found In total, the audit found 11 security issues in Istio. # Name Severity Difficulty Fixed 1 Possible disk exhaustion when extracting archive file Medium High Yes 2 Arbitrary file write
    55 pages | 703.94 KB | 1 year ago

Your laptop as part of the service mesh
    Contract testing? At a scale of 800+ providers? Mocks are like any other software: ● Bugs ● Maintenance Why don't you? #IstioCon Can we do better? #IstioCon What if? #IstioCon
    30 pages | 555.24 KB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
    shows long latencies. • Detect and analyze Istio scalability issue #IstioCon o Random peaks are fixed in Istio 1.7.1 (istio #23029, envoyproxy #13037) o Envoy still suffers from overload of XDS pushes scalability optimization during Knative Service provisioning • Random missing endpoint issue is fixed #IstioCon • Tuning debounce time could mitigate the Envoy overload issue Istio scalability optimization
    23 pages | 2.51 MB | 1 year ago

Automate mTLS communication with GoPay partners with Istio
    Future Works Challenge ● Client egress communication sometimes got a 503 error (Istio #26990). This is fixed by adding a retry mechanism in the VirtualService object. Future Works ● Migrating Egress TLS origination
    16 pages | 1.45 MB | 1 year ago

Istio 2021 Roadmap: A heartwarming work of staggering predictability
    Desire tooling to ensure frictionless upgrade https://istio.io/latest/blog/2020/tradewinds-2020/ ● Fixed budget for infrastructure maintenance ● Desire predictability ● Longer support windows ● Skip
    17 pages | 633.89 KB | 1 year ago

Istio is a long wild river: how to navigate it safely
    Unfortunately, Kubernetes is (was) not very smart at scaling out pods with multiple containers with HPA. ● Fixed in Kubernetes 1.20 by specifying a container resource as an HPA target ● In the meantime, we need
    69 pages | 1.58 MB | 1 year ago
9 items in total