Istio Security Assessment
[...] communication, manages TLS certificates, provides workload identity, and includes a built-in authorization system facilitated by its control plane. The goal of the assessment was to identify security issues related [...] Image Not Hardened (001, Low); The Sidecar Does Not Use AppArmor/Seccomp By Default (005, Low); Insecure File Permissions Set (007, Low); Istio Client-Side Bypasses (014, Low); Sidecar Envoy Administrative Interface Certificates (019, Low); Default Injected Init Container Requires Sensitive Capabilities (021, Low); Execution of System Commands without Validation (008, Informational); Weak Trust Boundary Between Workload Container and [...]
51 pages | 849.66 KB
Istio audit report - ADA Logics - 2023-01-30 - v1.0
[...] that affected Google's managed Istio offering. 11 issues found: ● 5 system resource exhaustion ● 1 arbitrary file write ● 1 missing file close ● 1 certificate skipping ● 1 case unhandled errors ● 1 case [...] including authentication bypass, reading sensitive information, writing files to the underlying file system, exploiting logical errors. The security components have limited functionality, and it should not [...] archive file | Medium | High | Yes; 2 Arbitrary file write during archive extraction | Medium | High | Yes; 3 File left open | Medium | High | Yes; 4 Length of new byte slice controlled by potentially untrusted file size [...]
55 pages | 703.94 KB
Istio-redirector: the way to go to manage thousands of HTTP redirections
Google Cloud Load Balancer, Gateways, Web App. How do we use Istio? [...] spec: gateways: - istio-system/istio-ingressgateway hosts: - www.blablacar.fr http: - match: - uri: [...] Istio VirtualService. By creating a tool to ease the transition from a .csv file to an Istio VirtualService file. ● Golang service ○ Convert .csv to VirtualService ○ Open Pull Request on GitHub [...] Specialist #IstioCon: Creating the .csv (1), Importing the file (2), Generating the Istio configuration (3), Deploy to production (4), ? SEO specialist creates the file manually. Matching old URLs with the new ones based [...]
13 pages | 1.07 MB
Secure your microservices with istio step by step
[...] ingress host and secure ingress port to send request. From curl command: need attaching certificate file. Access productpage: 1) Generate client and server certificates and keys 2) Create a secret for [...] istio.io/v1beta1 kind: "RequestAuthentication" metadata: name: "jwt-example" namespace: istio-system spec: selector: matchLabels: istio: ingressgateway jwtRules: - issuer: testing@secure [...] security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: require-jwt namespace: istio-system spec: action: ALLOW rules: - from: - source: requestPrincipals: ["testing@secure [...]
34 pages | 67.93 MB
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
Create the Secret for logging in to the private registry ● After obtaining the private registry login information, create the Secret with the following command ○ kubectl create secret generic asmwasm-cache -n istio-system --from-file=.dockerconfigjson=myconfig.json --type=kubernetes.io/dockerconfigjson
23 pages | 2.67 MB
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
Component testing: test a set of services as a single sub-system while isolating them from other services, for example payment processing system. | CONFIDENTIAL | Current approaches do not scale with [...] Capture traces for E2E test requests; Create tests & mocks for all services; Configure system under test; Forward egress requests to mock services. Capture API interactions is effort intensive [...] Solution • ML-driven identification of candidate relationships • Supervised system to accept true positives • No code! ML-assisted Assertion Rule Learning
21 pages | 1.09 MB
Istio is a long wild river: how to navigate it safely
[...] Injecting sidecars, HTTP/2 LoadBalancing ● Traffic shifting for canaries. Build confidence in the system and understanding of Istio. Then you can onboard some users, get feedback, improve, rinse and repeat [...] name: default namespace: mercari-echo-jp-dev spec: egress: - hosts: - ./* - istio-system/* [...] The Sidecar CRD to save the mesh. Stabilizing Istio: The Sidecar CRD (Custom Resource Definition) [...] Only Istio and the local namespace configuration is pushed to namespace-local proxies: ● Listeners [...]
69 pages | 1.58 MB
Set Sail for a Ship-Shape Istio Release
● Release Notes tooling ● Feature Maturity Process ● Release Maturity Process. #IstioCon Old System. Expectation: Maintainers would populate a Google Docs draft throughout a release which is finalized [...] note. ● If it doesn't, then the developer can check a box and the pull request will merge. New System: Release Notes. #IstioCon Release Notes: As a result... ● Release notes are thought of up-front [...]
18 pages | 199.43 KB
Istio Control Plane Components: How They Work (Istio控制平面组件原理解析)
[...] P//rBQDqg=="} req.DefaultWords: • "istio-pilot.istio-system.svc.cluster.local" • "kubernetes://istio-pilot-8696f764dd-fqxtg.istio-system" • "3a7a649f-4eeb-4d70-972c-ad2d43a680af" • "172.00.00.000" [...]
30 pages | 9.28 MB
Building resilient systems inside the mesh: abstraction and automation of Virtual Service generation
Abstracting to proto files; Annotations; API definition; Greeting service example. #IstioCon Please Build System ● https://github.com/thought-machine/please ● Uses BUILD and allows for creation of miscellaneous [...]
9 pages | 1.04 MB