Istio audit report - ADA Logics - 2023-01-30 - v1.0
Results summarised 6 fuzzers written and added to Istio's OSS-Fuzz integration 1 CVE found in Golang 1 vulnerability found that affected Google's managed Istio offering 11 issues found ● 5 system Google's managed Istio offering, and it led to further investigation that revealed a vulnerability in Golang itself. The finding was reported by the auditing team to the Istio maintainers, because Istio does MaxBytesHandler introduces an http request smuggling attack vector. The issue was disclosed to the Golang security team who fixed the vulnerability and assigned it CVE-2022-41721. 3 Istio Security Audit
55 pages | 703.94 KB | 1 year ago

Istio Security Assessment
and Code-Assisted Security Assessment Type Kubernetes Service Mesh Method Code-assisted Platforms Golang, Kubernetes Dates 2020-07-06 to 2020-07-31 Environment Local Test Environment Consultants 4 Level be disabled in a production environment. See also finding NCC-GOIST2005-013 on page 18. 5 https://golang.org/pkg/net/http/pprof/ 13 | Google Istio Security Assessment Google / NCC Group Confidential Finding access to the control plane can obtain unauthenticated access to this information. Description The Golang trace profiling library used by Pilot provides administrators debug information about Pilot itself
51 pages | 849.66 KB | 1 year ago

Automate mTLS communication with GoPay partners with Istio
API calls ● 3000+ deployments every week ● REST as well as gRPC services ● Services written in Golang, Java, Clojure, Ruby gRPC, Envoy, and ● GoPay has been using gRPC since 2016 ● GoPay had services
16 pages | 1.45 MB | 1 year ago

Istio-redirector: the way to go to manage thousands of HTTP redirections
By creating a tool to ease the transition from a .csv file to an Istio VirtualService file. ● Golang service ○ Convert .csv to VirtualService ○ Open Pull Request on GitHub ○ Fetch info from Kubernetes
13 pages | 1.07 MB | 1 year ago

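Istio in Practice in Free Wheel Microservices
product needs to interface with customers and provides a video ad delivery optimization interface, similar to a Web ERP; it is a typical three-tier architecture. The pain of microservices • Over the past two years, we split several complex Rails monolithic applications and migrated them to a microservice architecture, rewrote the logic in Golang, and introduced Kubernetes. As the number of modules grew, the problems caused by complex communication became increasingly prominent: traffic management, monitoring… First attempt: Gateway • As shown in the figure on the right, we initially tried using a simple in-house Gateway to provide unified authentication,
31 pages | 4.21 MB | 1 year ago
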
Introduction to Envoy Internals and Pitfalls from Production Issues
• View listeners: istioctl pc listener backend-welink-649fdfd55d-2xhzw --port 8123 -o json • View endpoints: istioctl pc endpoint backend-welink-649fdfd55d-2xhzw • Runtime logs • Access log: format https://www.envoyproxy.
30 pages | 2.67 MB | 1 year ago

Istio is a long wild river: how to navigate it safely
at the TCP level. Build your Istiod image, push your tag and use it in the IstioOperator manifest. 55 Istio proxy performance and capacity Adopting Istio ● Putting sidecars everywhere has a cost ○
69 pages | 1.58 MB | 1 year ago