findings Issue 10 - “H2c handlers are uncapped” - was an interesting finding, in that it affected Googleʼs managed Istio offering, and it led to further investigation that revealed a vulnerability in Golang assigned this vulnerability. Some managed service providers were vulnerable to the issue, including Googleʼs managed Istio offering which has MultiplexHTTP configured. A�er issue 10 had been reported to Leader ajayaram@google.com Andrea Ma So�ware Engineer ayma@us.ibm.com Craig Box VP of Open Source and Community craigb@armosec.io Didier Grelin Sr. Technical Program Manager dgrelin@google.com Ethan Jackson

a CNCF project Release v1.0 Istio is ready for production Started Started by teams from Google and IBM 2017 2018 2022-04 2023 2022-09 Community Growth New Contributors up 32% YoY 2022 2023 access our trove of technical content and working documents by joining the istio-team-drive-access@ Google Group. ● Interested in helping with Chinese language documentation? Join the Cloud Native Community(China) sail What about the rest of the boat? Upcoming Talks: Aperture - Load Management Meshery - WASM plugin management Argo - Multi-cluster orchestration JP Morgan SLO Generation Reflecting on the Value

Istio Security Assessment Google August 6, 2020 – Version 1.1 Prepared for Arun Kumar R Prepared by Mark Manning Jeff Dileo Divya Natesan Andy Olsen Feedback on this project? https://my.nccgroup com/feedback/67b627f7-a0a2-43b7-ad68-af515a9ed2e0 Executive Summary Synopsis In the summer of 2020, Google enlisted NCC Group to perform an assessment on the open-source version of Istio and all of its components multiple shadows (provided at no additional cost) worked on the project in tight partnership with Google’s Istio subject matter experts. Scope NCC Group’s evaluation of Istio included: • Istio Architecture:

of ebpf ● Acceleration for Inbound/Outbound/Envoy to Envoy #IstioCon Istio-CNI ● The Istio CNI plugin performs the Istio mesh pod traffic redirection in the Kubernetes pod life-cycle’s network setup NET_ADMIN and NET_RAW capabilities for users deploying pods into the Istio mesh. ● The Istio CNI plugin replaces the functionality provided by the istio-init container. #IstioCon Tcp/ip stack overhead purpose ● We choose SOCK_OPS & SK_SKB to implement function #IstioCon ebpf Background Knowledge map ● Share collected information and to store state ● Accessed from eBPF programs as well as from

Haoyuan Ge #IstioCon Quick Summary (from Google Cloud Next ’19 [1]) VM works on Istio! [1] Istio Service Mesh for VM Native, Chris Crall, Jianfei Hu, Google Cloud Next ‘19 #IstioCon Why Add VMs to mtls) ■ Extensibility (to cherry pick extensions) [1] Service Mesh use cases for Telco and Edge – Google, ServiceMeshCon NA 2020 Key Drivers [1] #IstioCon What Do We Need Else to Augment Istio? ● Strong code in kernel space safety ○ Tracing, security ○ Networking ● Hooks ○ sock_ops ■ Construct map​ ○ sk_msg_md ■ Match & redirect ● ~5% improvements #IstioCon TCP/IP Stack Bypass (cont.) ● Leverage

弱类型 轮询 SDS/CDS/RDS/LDS 奠定控制平面基础 V2 HTTP2 GRPC Proto3 强类型 Push SDS/CDS/RDS/LDS/HDS/ADS/KDS 和Google强强联手 官方博客：The universal data plane API缓存Istio和k8s配置 ü一个小型的非持久性key/value数据库 ü借助k8s.io/client-go建立缓存 source.ip ip_address Source workload instance IP address. 10.0.0.117 source.labels map[string, string] A map of key-value pairs attached to the source instance. version => v1 destination.port

enabled • Enable Istio mesh on Knative – Impact without optimization #IstioCon o With istio CNI plugin, we can move the iptables configuration parts to CNI. But another init- container, the istio-validation injection template. Mitigations: o When adding new worker node, make sure daemonset pod of istio CNI plugin is up and running before knative pods scheduling on the node. o Crontab job could help to detect features in Knative with service mesh enabled • Enable Istio mesh on Knative – enable istio CNI plugin #IstioCon o User cases: no service access cross user namespace. o The sidecar CR helps to limit

Demo: Dubbo 协议支持 ● Dubbo2Istio 连接 Dubbo 服务注册表，支持： ○ ZooKeeper ○ Nacos ○ Etcd ● Aeraki Dubbo Plugin 实现了控制面的管理，支持 下述能力： ○ 流量管理： ■ 七层（请求级别）负载均衡 ■ 地域感知负载均衡 ■ 熔断 ■ 基于版本的路由 ■ 基于 Method 的路由 ■ 基于 中支持一个新的七层协议 ● 为七层协议如 Dubbo、Thrift 等等添加 RDS 能力 #IstioCon MetaProtocol：控制面 通过 Aeraki MetaProtocol Plugin 实现控制面的流量管理规则下发 ： 1. Aeraki 从 Istio 中获取 ServicEntry，通过端口命名判断 协议类型（如 tcp-metaprotocol-thrift） 2

scale Improving security with Istio What Envoy hears when Istio speaks Company presenting Google and IBM Aspen Mesh & independent contributor Solo.io Intuit RedHat Descartes Labs # live viewers istio.io/ The team (1/3) Organizer’s Committee Co-lead Aizhamal Nurmamat kyzy (Google) Co-lead María Cruz (Google) Member Rose Sawvel (Aspen Mesh) Member Kevin Conner (RedHat) Member Aditya Prerepa Bueno (RedHat) The team (2/3) Program Committee Co-lead Lin Sun (IBM > Solo.io) Co-lead Craig Box (Google) Member Christian Posta (Solo.io) Member Neeraj Poddar (Aspen Mesh) Member Brain Tannous (RedHat)

sponsor will provide the rewards. 1st place: Bose headset $400 usd 2nd place: Google Nest hub 10" $230 usd 3rd place: Google Nest hub 7" $70 usd Trivia winners gifts Available sponsorship: 1 ● Only available unique piece that combines all the themes that are addressed during the conference. ● Sponsored by Google (Example from the Royal Society of the Arts (London) “Animate” series, “Re-imagining work”) Artist be incorporated during the Roadmap session. It is used to explain a process. ● Sponsored by Google (Example from Wikimedia movement 2030 strategy) Graphic recording Process and implementation