Building resilient systems inside the mesh: abstraction and automation of Virtual Service generation
Vladimir Georgiev, Thought Machine #IstioCon Sync calls failures inside the mesh ● Everyone
0 credits | 9 pages | 1.04 MB | 1 year ago
Istio Security Assessment
its control plane. The goal of the assessment was to identify security issues related to the Istio code base, highlight high risk configurations commonly used by administrators, and provide perspective areas of focus for subsequent phases of the assessment. A test plan was created which matched areas of code with specific security controls (e.g. service discovery, certificate lifecycle, side car injection) architectures were used to provide testers with a way of validating that security expectations in the code were implemented when deployed. Each environment was deployed following Istio Documentation using
0 credits | 51 pages | 849.66 KB | 1 year ago
IstioCon2023 Welcome Keynote
wizards of Stack Overflow. Bugs And Security ● Read this quick explanation on how to report bugs, in code or in documentation. ● The Istio security team responds rapidly to vulnerability reports. Read how Contributor ● The Istio Community README is the starting point for contributors who want to work on code, docs or other parts of Istio. ● You can access our trove of technical content and working documents Multi-cluster orchestration JP Morgan SLO Generation Reflecting on the Value of Community Housekeeping • View the full IstioCon-VIRTUAL schedule • Abide by CNCF Code of Conduct • Use the official #IstioCon
0 credits | 14 pages | 1.31 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
model of Istio to guide the security audit as well as future security audits. 2. Carry out a manual code audit for security issues. 3. Review the fixes for the issues found in an audit from 2020. 4. Review obtained in parts of code bases that receive less attention. Our assessment is that, not counting the Operator, Istio is a very well-maintained and secure project with a sound code base, well-established test coverage with little to no room for improvement. We identified a few APIs in security-critical code parts that would benefit from fuzzing and wrote fuzzers for these. In total, 6 fuzzers were written
0 credits | 55 pages | 703.94 KB | 1 year ago
Set Sail for a Ship-Shape Istio Release
Istio community didn’t have a process #IstioCon Led To ● Upgrade Working Group ● Release Note Generation ● Definition of Done #IstioCon Upgrade Working Group Mission: To improve the stability, user level: experimental, alpha, beta, and stable ● Ensuring appropriate documentation, testing, and code completion is done for each level ● Making sure that features continue to mature #IstioCon Release
0 credits | 18 pages | 199.43 KB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
API server ■ Requires creating an RBAC impersonation rule for each user ■ Private key and CSR generation limited to Istio agent (no support of other provisioner tools and HSM incompatible) ■ Limitations #IstioCon (eBPF-based) TCP/IP Stack Bypass ● eBPF ○ In-kernel virtual machine ○ Running user code in kernel space safety ○ Tracing, security ○ Networking ● Hooks ○ sock_ops ■ Construct map
0 credits | 50 pages | 2.19 MB | 1 year ago
IstioCon 2021 Report
#IstioCon Most popular sessions in English Session Welcome Keynote Using Istio to build the next generation 5G platform I want to sketch a mesh for you Istio service mesh at enterprise scale Improving
0 credits | 18 pages | 912.89 KB | 1 year ago
宋净超: From Open-Source Istio to Enterprise-Grade Service: How to Adopt Service Mesh in the Enterprise
Certification Collaboration with NIST ● Author SP 800-204 series on microservice security ● R&D on Next Generation Access Control (NGAC) ● Exclusively co-host annual zero trust multi-cloud conference Best in
0 credits | 30 pages | 4.79 MB | 6 months ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
com/gracezhang1110, www.linkedin.com/in/gong-zhang-75560670/ Advisory Software Engineer of IBM Cloud Code Engine team focusing on Knative Serving and Istio, contributor of the Knative and Cloud Foundry com/in/yu-zhuang- 51915287/ Architect and Senior Software Engineer in IBM Cloud. Working on IBM Cloud Code Engine (Serverless platform), focusing on Knative, Istio, and Tekton, community, leading team to running, and managing serverless, cloud- native applications. It provides benefits: Focus on code Scale to zero Quick entry to serverless computing … … traffic management observability security
0 credits | 23 pages | 2.51 MB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
API request • Context propagation rarely obvious Challenge • Dependencies require lot of time to code • Many dependencies in a test suite • Dependency maintenance is effort intensive Solution • ML-driven ML-driven identification of candidate relationships • Supervised system to accept true positives • No code! | CONFIDENTIAL 17 ML-assisted Assertion Rule Learning createOrder Response: Recording { results • ML-driven identification of decision rules • Human review to accept the learned rules • No code! Test data | CONFIDENTIAL 18 Summary: create different types of tests efficiently by learning
0 credits | 21 pages | 1.09 MB | 1 year ago
19 results in total