Istio Security Assessment
Excerpt: … provides workload identity, and includes a built-in authorization system facilitated by its control plane. The goal of the assessment was to identify security issues related to the Istio code base, highlight … (NOTE: Envoy itself was not part of the assessment). • Istio Control Plane: Istio operator, sidecar injector, and other Istio control plane services • Istio Documentation: The documentation and … security could allow route hijacking • In testing, it did not appear to be possible to secure the control plane either by the controlPlaneSecurity configuration directive or other means. This left all default …
0 码力 | 51 pages | 849.66 KB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Excerpt: … from ○ API services, Search Engine, etc. ○ Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems & Pipelines - Hadoop, Apache Spark, Apache Flink, etc. ○ Machine Learning Platforms - Tensorflow GPUs #IstioCon Application Deployment: Cloud Layout ● Region: A metro region ● DC: One or more Data Centers in each Region ● AZ: One or more Availability Zones in each DC ○ Independent power, cooling … peering with the Internet closer to the customer ○ PoPs are mini AZs (Region R1: AZ 1, AZ 2 … AZ n; Data Center DC1; Region Rn) Application Deployment: Cloud Layout ● Multiple K8s Clusters …
0 码力 | 22 pages | 505.96 KB | 1 year ago
宋净超: From open-source Istio to enterprise-grade services: how to adopt a service mesh in the enterprise
Excerpt: … Istio? TSB: The Application-Aware Networking Platform. Istio: Control Plane; Tetrate Service Bridge: Management Plane; Envoy: Data Plane; Workload (Service) POD (×3). Components ○ Management plane ○ Global control plane ○ Local control plane. TSB Management Plane ● Front Envoy ● Multi Cluster support ● XCP Central -> XCP Edge. TSB Control Plane ● VM integration ● TSB Config Data Flow. Cluster Onboarding Flow 1. Creating cluster object 2. Deploy Operators: Control plane & data plane 3. Configuring Secrets 4. Installing control plane. TSB Control Plane Pods ● …
0 码力 | 30 pages | 4.79 MB | 6 months ago
Is Your Virtual Machine Really Ready-to-go with Istio?
Excerpt: … (Consul, Kuma…) #IstioCon Emerging Use Cases. Legacy Scenarios ● Stateful applications ○ Data store ● Legacy software ○ Financial services ○ Enterprise/Workshop applications ○ Hard to lift … Mesh Expansion ● Prerequisites ○ IP connectivity to the endpoints in the mesh ○ Istio control plane services (Pilot, Mixer, CA) accessible from the VMs ○ (optional) Kubernetes DNS server accessible … control plane through a Gateway ○ WorkloadEntry created ■ VM sidecar is made aware of all services in the cluster ○ DNS name resolved ■ gets routed through the gateway to the service ● The data plane …
0 码力 | 50 pages | 2.19 MB | 1 year ago
IstioMeetupChina: Service mesh hot-upgrade technology sharing
Excerpt: Service mesh data-plane hot-upgrade technology sharing (ServiceMesh Data-Plane Hot-Upgrade), Alibaba Cloud Service Mesh team – 史泽寰 • Why the service mesh data plane needs hot upgrade • Implementing hot upgrade • Hot upgrade in practice (Catalog). Why do we need Hot-Upgrade for ServiceMesh Data-Plane • Causes request failures and degrades business quality • … strikes a satisfactory balance in agility (drawbacks of the traditional sidecar upgrade method). Why do we need Hot-Upgrade for ServiceMesh Data-Plane • Only the sidecar is replaced/restarted • No inbound/outbound request or connection failures during the replacement/restart • Easy to operate, with a controllable upgrade strategy (the ideal sidecar upgrade) • Why the service mesh data plane needs hot upgrade …
0 码力 | 14 pages | 2.25 MB | 1 year ago
Developing & Debugging WebAssembly Filters
Excerpt: … Citadel, Pilot, Galley, User, Account, Istiod. Understanding Istio: Control and data planes (data plane, control plane) | Copyright © 2020. Extend Envoy Proxy with Filter. Develop: Envoy Filters are … User, AWS EKS, Istiod, Orders, User Account, Ingress (×3), Gloo Mesh Management Plane, SRE / Platform Team, Deploy Wasm, WasmDeployment, Wasm Registry, Istiod …
0 码力 | 22 pages | 2.22 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
Excerpt: … usage of the language. Istio consists of two components: the control plane and the data plane. The data plane handles the connection between services and forms a series of proxies deployed as sidecars. The … of Envoy proxies and an Istio-agent and manage network traffic between microservices. The control plane is responsible for applying user configuration to the proxies. The following diagram demonstrates … `err := url.Parse(srcURL) if err != nil { return "", fmt.Errorf("invalid chart URL: %s", srcURL) } data, err := httprequest.Get(u.String()) if err != nil { return "", err } name := filepath.Base(u.Path)` …
0 码力 | 55 pages | 703.94 KB | 1 year ago
Service mesh security best practices: from implementation to verification
Excerpt: … Workload, Cluster, Edge, Operations. Workload: Data Exfiltration, Man-In-The-Middle, Denial of Service, Privilege Escalation, Application Compromise, Control Plane. Service mesh security architecture: Cluster, Workload, Edge, Operations; Ingress Policies, Egress Policies, WAF / IDS, Firewall, User AuthN/Z, Data Loss Prevention, Certificate Authority, K8s Network Policy, K8s RBAC, Audit Logging, Image Control, Workload Identity, K8s RBAC, K8s CNI, AuthZ Policy, Peer AuthN Policy, KMS, Control Plane Hardening, Istio Security Releases. Complete Security Coverage: Consistency, Depth, Visibility …
0 码力 | 29 pages | 1.77 MB | 1 year ago
Full-stack service mesh: Aeraki helps you manage any layer-7 traffic in the Istio service mesh
Excerpt: … Memcached ... ● Database: mySQL, PostgreSQL, MongoDB ... ● Other Layer-7 Protocols: ... Control Plane (Traffic Management, Security, Observability) #IstioCon What Do We Expect From a Service Mesh ○ ... IP Header | IP Data; TCP Header | TCP Data; Layer-7 Header | Data. What Do We Get From Istio? IP Header | IP Data; TCP Header | TCP Data; Layer-7 Header | Data. Traffic Management … injection ● Stats ● ... Pros: ● It's relatively easy to add support for a new protocol to the control plane, given that the envoy filter is already there. Cons: ● You have to maintain a fork of Istio, which makes …
0 码力 | 29 pages | 2.11 MB | 1 year ago
Using Istio to Build the Next 5G Platform
Excerpt: … Is 5G and Why Does It Matter? 5G wireless technology is meant to deliver higher multi-Gbps peak data speeds, ultra-low latency, more reliability, massive network capacity, increased availability, … Architecture Options ©2021 Aspen Mesh. All rights reserved. Namespace Level Tenancy: Control Plane, AMF Frontend Namespace, AMF Namespace, SMF, SQL DB, AMF App B, AMF App A, SMF Frontend, UDM, Egress Gateway, Redis DB, SMF App X, Control Plane, UDM Identity … ● CNI to avoid escalated pod privileges …
0 码力 | 18 pages | 3.79 MB | 1 year ago
29 items in total