SberBank story: moving Istio from PoC to production
  of Disillusionment Slope of Enlightenment Plateau of Productivity Istio 1.1 Don't Forget about HA & DR Tracing Store Logging Store Event Hub DBs Istio Egress Other External Services Istio Ingress
  14 pages | 1.68 MB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
  ○ 10,000+ K8s services - including prod, pre-prod, staging, etc. ● Applications deployment for HA ○ In all regions ○ In multiple AZs in each region ○ Capability to run all applications from a single
  22 pages | 505.96 KB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
  High Yes 10 H2c handlers are uncapped High High Yes 11 STS server is susceptible to DoS if debug mode is enabled High Medium Yes 17 Istio Security Audit, 2023 1: Possible disk exhaustion when extracting code where a user has explicitly opted into insecure mode, InsecureSkipVerify mode is enabled. As stated by the crypto/tls documentation: "In this mode, TLS is susceptible to machine-in-the-middle attacks Walk(srcDir, func(file string, fi os.FileInfo, err error) error { if err != nil { return err } if !fi.Mode().IsRegular() { return nil } header, err := tar.FileInfoHeader(fi, fi.Name()) if err != nil { return
  55 pages | 703.94 KB | 1 year ago

Secure your microservices with Istio step by step
  – reviews-v1 & v3 ○ Otherwise, send plain text – reviews-v2 ● Server side will be in PERMISSIVE mode by default #IstioCon mTLS in Istio - PeerAuthentication Defines what type of traffic the server "demo-peer-policy" namespace: "default" spec: selector: matchLabels: app: reviews mtls: mode: STRICT 1) Apply destination rule to enable client side mTLS mTLS in Istio - Destination rule Using can access reviews-v1, reviews-v3 can not access reviews-v2 since we have enabled ISTIO_MUTUAL mode on client side Access productpage 1) Apply destination rule enable client side mTLS mTLS in Istio
  34 pages | 67.93 MB | 1 year ago

Istio Security Assessment
  Gateways. Note: The underlying implementation of the at-issue behavior appears to exist within the proxy mode of istio-agent. This may imply that any Istio sidecar — and, by extension, any Istio control plane into each workload. As discussed in finding NCC-GOIST2005-013 on page 18, by default, the "profiling" mode is also enabled which runs go trace profiling tools5 on the pilot binary itself which contains stack data that it collects in this mode (i.e. full URL strings), and whether it should be turned on in production. In a hardened profile this should be disabled. sds SDS mode is for secret discovery within
  51 pages | 849.66 KB | 1 year ago

Apache Kafka with Istio on K8s
  listeners configured in PLAINTEXT mode Security layer provided by Istio 8 Security layer provided by Istio 9 • Kafka does not process client certificate in PLAINTEXT mode • Envoy WASM filter extracts
  14 pages | 875.99 KB | 1 year ago

Moving large scale consumer e-commerce Infrastructure to Mesh
  control plane and related tooling ● Sidecar injection by namespace or on-demand ● Passthrough mode during rollout ● Service entry to connect internal proxy ● Kubernetes Cluster-IP services deployed improvements ● POCs for all known use-cases and features say mTLS, Outlier detection etc. ● Passthrough mode downgrades gRPC/http2 protocol to Http/1.1 ● Tune connection and TCP settings ● Handle signals gracefully
  14 pages | 1.76 MB | 1 year ago

宋净超: From open-source Istio to enterprise-grade services: how to adopt a service mesh in the enterprise
  minimal declarative configuration describing where to onboard the workload to Bridged Mode vs Direct Mode ● Bridged: Indicates that the configurations to be added to the group will use macro APIs
  30 pages | 4.79 MB | 6 months ago

IstioCon2023 Welcome Keynote
  Multiplayer Istio WASM 1:15 What's New Since 2022 CNCF Graduation Ambient Mesh A new dataplane mode for Istio without sidecars. Graduated Announcing Istio's graduation within the CNCF Join CNCF
  14 pages | 1.31 MB | 1 year ago

Automate mTLS communication with GoPay partners with Istio
  is also used by our partners as well. Ingress Mutual TLS ● Using Istio Gateway mechanism with mode MUTUAL ● Leverage subjectAltNames to verify client SAN ● Additional AuthorizationPolicy to add
  16 pages | 1.45 MB | 1 year ago
12 results in total