usage of the language. Istio consists of two components: The controlplane and the dataplane. The data plane handles the connection between services and forms a series of proxies deployed as sidecars. err := url.Parse(srcURL) if err != nil { return "", fmt.Errorf("invalid chart URL: %s", srcURL) } data, err := httprequest.Get(u.String()) if err != nil { return "", err } name := filepath.Base(u.Path) err := os.Mkdir(dir, 0o755) if err != nil { return "", err } } if err := os.WriteFile(destFile, data, 0o644); err != nil { return destFile, err } return destFile, nil } Exploitation To exploit this

Cluster-IP services deployed across clusters #IstioCon Rollout - Istio setup and Microservices ● Export metrics to central prometheus ● Outlier detection for better reliability ● Enable Zonal routing

Google Istio Security Assessment Google / NCC Group Confidential Dashboard Target Metadata Engagement Data Name Istio Type Architecture Review and Code-Assisted Security Assessment Type Kubernetes Service Total issues 18 Category Breakdown Access Controls 7 Configuration 5 Cryptography 1 Data Exposure 3 Data Validation 2 Component Breakdown Istio 10 Istio Sidecar 3 Istioctl 2 Pilot 3 Key Critical Communications Risk High Impact: High, Exploitability: Medium Identifier NCC-GOIST2005-004 Category Data Exposure Component Istio Location Istio Control Plane: • controlPlaneSecurityEnabled istioctl configuration

tests • What is our solution? – Leverage Istio sidecar to listen to API traffic data and create tests from the data – 10x speed in creating API tests • Can also be sped up by just navigating the application application UI – Create E2E tests, component tests and service tests from the same data • Key product benefits (#releases, #rollbacks, MTTR, #bugs-in-production, Reduced eng effort for testing, velocity) A Proxy Proxy Service B Service C Proxy Mesh Dynamics Data Store Deploy: kubectl apply -f Capture using Lua filter All API data + TraceIDs | CONFIDENTIAL 11 Assemble API request traces

from ○ API services, Search Engine, etc. ○ Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems & Pipelines - Hadoop, Apache Spark, Apache Flink, etc. ○ Machine Learning Platforms - Tensorflow GPUs #IstioCon Application Deployment: Cloud Layout ● Region: A metro region ● DC: One or more Data Centers in each Region ● AZ: One or more Availability Zones in each DC ○ Independent power, cooling peering with the Internet closer to the customer ○ PoPs are mini AZs Region R1 AZ 1 AZ 2 AZ n Data Center DC1 Region Rn #IstioCon Application Deployment: Cloud Layout ● Multiple K8s Clusters

(Consul, Kuma…) #IstioCon Emerging Use Cases #IstioCon Legacy Scenarios ● Stateful applications ○ Data store ● Legacy software ○ Financial services ○ Enterprise/Workshop applications ○ Hard to lift services in the cluster ○ DNS name resolved ■ gets routed through the gateway to the service ● The data plane traffic ■ Single network ● direct communication w/o requiring intermediate Gateway ■ Multiple for sensitive data ○ Strong isolation for multi-vendor services ○ End-to-end security! (not just between middle boxes) ● High performance networking ○ Much higher multi-Gbps peak data speeds ○ Ultra

○ ... IP Data IP Header TCP Data TCP Header Layer-7 Header Data #IstioCon What Do We Get From Istio? IP Data IP Header TCP Data TCP Header Layer-7 Header Data Traffic Management

75% 25% POD POD POD POD S E R V I C E (ClusterIP) 75% 25% POD POD Cross-version Traffic My-data-service Service Demo-canary Service Canary Releases Using Spring Cloud Demo-canary Service Service Service Instance V1 Service Instance V1 My-data-service Service Service Instance V2 SPRING EUREKA Cross-version Traffic Load Balancer My-data-service Service Demo-canary Service Canary Releases V1 Service Instance V2 Service Instance V1 Service Instance V1 Service Instance V1 My-data-service Service Service Instance V2 SPRING EUREKA Same-version Traffic SPRING EUREKA Service

collection of security controls and an attack target. Workload Cluster Edge Operations Workload Data Exfiltration Man-In-The-Middle Denial of Service Privilege Escalation Application Compromise Workload Edge Operations Ingress Policies Egress Policies WAF / IDS Firewall User AuthN/Z Data Loss Prevention Certificate Authority K8s Network Policy K8s RBAC Audit Logging Image execution attacks. Edge security Egress 2. Define egress security policies to defend against data exfiltration, botnet attacks. 3. Define firewall and virtual private network to lock down external

Application-Aware Networking Platform Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload (Service) VM Workload Central -> Edge ● TSB CR -> Istio CR TSB Config Data Flow Cluster Onboarding Flow 1. Creating cluster object 2. Deploy Operators: Control plane & data plane 3. Configuring Secrets 4. Installing control Use Case: A Financial Company Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload (Service) VM Workload