holistic security audit that had several high-level goals: 1. Formalise a threat model of Istio to guide the security audit as well as future security audits. 2. Carry out a manual code audit for security Istio-agent and manage network traffic between microservices. The control plane is responsible for applying user configuration to the proxies. The following diagram demonstrates the Istio architecture: 11 Istio authentication to verify the client making the connection. 2. Request authentication: Used for end-user authentication to verify the credential attached to the request. Authorization Istio allows users

production-ready approach. Having a secured profile with an opinionated cluster configuration will help guide users towards building secured environments. • Expand hardening documentation: While there were a composite risk score that takes into account the severity of the risk, application’s exposure and user population, technical difficulty of exploitation, and other factors. For an explanation of NCC Group’s Configure a cluster per Appendix E on page 49, with a restricted user confined to a "rest rict-test" namespace per the Istio cluster setup guide2 2. Obtain the output of the following command (run with administrative

anything larger or bug fixes, create an issue and ask around for opinions ● General Contributing Guide ● Contributing Documentation: https://istio.io/latest/about/contribute/ #IstioCon Design Docs Istio.io page content is automatically verified through tests, and you can help by creating one! ● Guide for creating tests ● Sample page with a test ● make test_status ● make snips #IstioCon The Pull

SPRING CLOUD GATEWAY www.my-application.com 75% or Header: X-User-Type: Non-Admin RIBBON (Client-Side Load Balancer) 25% or Header: X-User-Type: Admin Service Instance V1 Service Instance V1 Service SPRING CLOUD GATEWAY www.my-application.com 75% or Header: X-User-Type: Non-Admin RIBBON (Client-Side Load Balancer) 25% or Header: X-User-Type: Admin Service Instance V1 Service Instance V1 Service ISTIO VIRTUAL SERVICE + Destination Rules Header: X-User-Type: Non-Admin Header: X-User-Type: Admin Header: X-User-Type: Non-Admin Header: X-User-Type: Admin Destination Rule:

Cluster Global Service Failover Multi Mesh 4 | Copyright © 2020 Orders Citadel Pilot Galley User Account Istiod Understanding Istio: Control and data planes data plane control plane 5 | Copyright WebAssembly? 8 | Copyright © 2020 8 | Copyright © 2020 User Experience 9 | Copyright © 2020 10 | Copyright © 2020 SECURITY Technology User Experience 11 | Copyright © 2020 11 | Copyright © 2020 Store Deploy Debug Debug in Production Cluster 1 Acco unt User Cluster 2 Istiod Order s User AWS EKS Istiod Order s User Acco unt Ingre ss Ingre ss Ingre ss Gloo Mesh Management Plane

spec: hosts: - reviews.prod.svc.cluster.local awesomeRPC: - name: ”canary-route" match: - headers: user: exact: jason route: - destination: host: reviews.prod.svc.cluster.local subset: v2 - name: ”default" cluster.local", "reviews" ], "routes": [ { "name": ”canary-route" "match": { "headers": [ { "name": ":user", "exact_match": "jason" } ], }, "route": { "cluster": "outbound|9080||reviews.default.svc.cluster • Telemetry collecting Reviews v1 Reviews v2 AwesomRPC （header: user:jason) AwesomRPC （header: user:others) Envoy AwesomRPC （header: user: ***) Pilot 代码改动 • 解析 CRD • 生成 xDS 配置下发 优点： • 控制面改动小，可以快速实现对新协议的支持

TCP Protocol options • Proxy Protocol  L7 • HTTP header “x-forwarded-for” • User Protocol #IstioCon LVS ① user send traffic to LVS ② PREROUTING chain intercept packet and send it to INPUT ③ connection between user and real server #IstioCon HAPROXY- Transparent Transport ① user send traffic to haproxy ② HAPROXY works on userspace ③ Listen on vip + port and accept user connection ④ Loadbalancing: Loadbalancing: select a endpoint and init a connection to server with original user’s address (IP_TRANSPARENT) ⑤ Server’s response packet is flowing through the same path (TPROXY + Custom Route) #IstioCon

AwesomeRPC ProductPage Reviews v1 AwesomeRPC (header: user != Jason) AwesomeRPC (header: user = Jason) AwesomeRPC (header: user = XXX) Reviews v2 Let’s say that we’re running a bookinfo EnvoyFilter ProductPage Reviews v1 AwesomeRPC (header: user != Jason) AwesomeRPC (header: user = Jason) AwesomeRPC (header: user = XXX) Reviews v1 Pilot EnvoyFilter ● Match:

Inspection #IstioCon - Security with Service Mesh enabled • mutual TLS is enabled to secure the user application traffic end to end in production • Allow platform to use Istio authorization policy to #IstioCon o User cases: no service access cross user namespace. o The sidecar CR helps to limit the known egress hosts for sidecars, sidecar needs to knows mesh in his own user namespace only only. o We can limit the mesh size to namespace scope for all user namespaces easily. Unleash maximum scalability by fully leveraging Istio features in Knative with service mesh enabled • Enable Istio

on the VM ■ Dependency on K8s API server ■ Requires creating an RBAC impersonation rule for each user ■ Private key and CSR generation limited to Istio agent (no support of other provisioner tools dedicated gateway support (architectural changes) ○ No separating out the gateway used for untrusted user traffic from the internal mesh traffic ○ One of the viable solutions to communicate between Legacy by C/S #IstioCon (eBPF-based) TCP/IP Stack Bypass ● eBPF ○ In-kernel virtual machine ○ Running user code in kernel space safety ○ Tracing, security ○ Networking ● Hooks ○ sock_ops ■ Construct