Preserve Original Source Address within Istio
#IstioCon. Zhonghu Xu (@hzxuzhonghu). About me: Zhonghu Xu, an open source engineer from Huawei Cloud.
- GitHub: https://github.com/hzxuzhonghu
- Istio steering committee member
- Istio core maintainer and contributor
- Open source enthusiast, previously an active Kubernetes contributor and Volcano maintainer
Agenda: 1. TCP original proxy protocol. Client and server: establish TCP connection, proxy protocol binary header, application data.
- The client and server side must support proxy protocol simultaneously
- The client here can be
(29 pages, 713.08 KB)

Istio Security Assessment
Synopsis: In the summer of 2020, Google enlisted NCC Group to perform an assessment on the open-source version of Istio and all of its components. Istio is a modern service mesh technology stack often … environment was deployed following the Istio documentation using istioctl. The assessment included many open source components that were actively being updated during testing, so testers used the latest release at … Google Istio Security Assessment, Google / NCC Group Confidential. Dashboard: Target Metadata, Engagement Data. Name: Istio. Type: Architecture Review and Code-Assisted Security Assessment. Type: Kubernetes Service
(51 pages, 849.66 KB)

Istio audit report - ADA Logics - 2023-01-30 - v1.0
PRESENTS: Istio Security Audit. In collaboration with the Istio project's maintainers and The Open Source Technology Improvement Fund, Inc (OSTIF), ostif.org. Authors: Adam Korczynski … Engineering Leader, ajayaram@google.com; Andrea Ma, Software Engineer, ayma@us.ibm.com; Craig Box, VP of Open Source and Community, craigb@armosec.io; Didier Grelin, Sr. Technical Program Manager, dgrelin@google.com … usage of the language. Istio consists of two components: the control plane and the data plane. The data plane handles the connection between services and forms a series of proxies deployed as sidecars.
(55 pages, 703.94 KB)

An Analysis of How Istio Control-Plane Components Work
Laying the foundation of the control plane: v2, HTTP/2, gRPC, Proto3, strongly typed, push, SDS/CDS/RDS/LDS/HDS/ADS/KDS; joining forces with Google; official blog: The universal data plane API. Caching Istio and k8s configuration:
- a small, non-persistent key/value database
- the cache is built with k8s.io/client-go
- caches Istio route-rule, virt
Kubernetes example:
- source.id (string): Platform-specific unique identifier for the source workload instance. Example: kubernetes://redis-master-2353460263-1ecey.my-namespace
- source.ip (ip_address): Source workload instance IP address. Example: 10.0.0.117
- source.labels (map[string, string]): A map of key-value pairs attached to the source instance. Example: version => v1
- destination.port (int64): The recipient port on the server
(30 pages, 9.28 MB)

IstioCon 2021 Partner Packages
… attendees links to the live stream, communicate important event details and collect aggregate attendance data.
- This PII will not be shared with any other third parties.
- This PII will be deleted right after … social media mentions, 1 slack mention during the event.
- The sponsor(s) are responsible for the data collection; production and distribution is a responsibility of the sponsoring vendor.
- The t-shirt … items.
Thank you! Aizhamal Nurmamat kyzy, Program manager, Google Open Source. María Cruz, Program manager, Google Open Source.
(23 pages, 3.18 MB)

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
… Cloud Foundry community, maintainer of a Knative benchmarking tool called kperf, speaker at Open Source Summit China 2019 about Istio integration with containerized Cloud Foundry. Yu Zhuang, yuzcdl@cn … Knative. It is leveraged for … Net-istio is a Knative ingress controller for Istio. Knative is an open source project which provides a set of components (Serving and Eventing) that introduce event-driven … Knative, which can generate a specific Knative Service provisioning workload and provides aggregated data on Knative Service ready duration. Knative Performance Testing Framework 2 Design.
(23 pages, 2.51 MB)

Full-Stack Service Mesh: Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
… IP header, IP data; TCP header, TCP data; layer-7 header, data. What do we get from Istio? Traffic management. Security:
- connection-level authentication: mTLS
- connection-level authorization: identity / source IP / destination port
- request-level auth is impossible
BookInfo Application - AwesomeRPC
(29 pages, 2.11 MB)

Service mesh security best practices: from implementation to verification
… collection of security controls and an attack target. Workload / Cluster / Edge / Operations. Workload: Data Exfiltration, Man-In-The-Middle, Denial of Service, Privilege Escalation, Application Compromise. Workload / Edge / Operations: Ingress Policies, Egress Policies, WAF / IDS, Firewall, User AuthN/Z, Data Loss Prevention, Certificate Authority, K8s Network Policy, K8s RBAC, Audit Logging, Image … execution attacks. Edge security: egress. 2. Define egress security policies to defend against data exfiltration and botnet attacks. 3. Define firewall and virtual private network to lock down external
(29 pages, 1.77 MB)

宋净超: From Open-Source Istio to Enterprise-Grade Services: How to Adopt a Service Mesh in the Enterprise
Application-Aware Networking Platform. Istio: control plane; Tetrate Service Bridge: management plane; Envoy: data plane. Workload (Service) POD, Workload (Service) VM, Workload … Central -> Edge; TSB CR -> Istio CR; TSB config data flow. Cluster onboarding flow: 1. Creating cluster object; 2. Deploy operators: control plane and data plane; 3. Configuring secrets; 4. Installing control … Use case: a financial company. Istio: control plane; Tetrate Service Bridge: management plane; Envoy: data plane. Workload (Service) POD, Workload (Service) VM, Workload
(30 pages, 4.79 MB)

Using Istio to Build the Next 5G Platform
David Lenrow, Open Source Service Mesh Evangelist; Neeraj Poddar, Co-founder & Chief Architect, Aspen Mesh. February 22, 2021. ©2021 Aspen Mesh. All rights reserved. … Is 5G and Why Does It Matter? 5G wireless technology is meant to deliver higher multi-Gbps peak data speeds, ultra low latency, more reliability, massive network capacity, increased availability, …
- 4G to 5G translation (protocols like Diameter, SCTP, GTP)
- High speed data path (SR-IOV/DPDK)
- Customizing workload certificate attributes
- Multi-cluster/site visibility
(18 pages, 3.79 MB)
31 results in total