Istio-redirector: the way to go to manage thousands of HTTP redirections
  #IstioCon Istio-redirector: the way to go to manage thousands of HTTP redirections, Etienne Fontaine (@etifontaine). Istio-redirector: 301 redirection from /bus/routes/bruxelles/lille, automatically redirected to the new page instead of seeing an error page. Happy Googlebot: I don't have to crawl 2 URLs, I don't see an error page. Happy SEO specialist: my new URLs get SEO popularity from [...] spec: gateways: - istio-system/istio-ingressgateway hosts: - www.blablacar.fr http: - match: - uri: exact: /co2 redirect: uri: /blablalife/lp/zeroemptyseats
  13 pages | 1.07 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
  NewHandler in an http.MaxBytesHandler." John found that when the recommended MaxBytesHandler was used, the request body was not fully consumed, meaning that when a server attempts to read HTTP/2 frames from the connection it will instead be reading the body. As such, the MaxBytesHandler introduces an HTTP request smuggling attack vector. The issue was disclosed to the Golang security team who fixed the [...] slice controlled by potentially untrusted file size Low High Yes 5 Possible memory exhaustions in http utilities Low Medium Yes 6 Istio skips certificate verification Low High Yes 7 Unhandled errors
  55 pages | 703.94 KB | 1 year ago

Istio Security Assessment
  but appears to be designed to provide support to security problems after they happen or guidance on error messages. This is a great goal and should continue to expand upon it. Consider whether this could [...] Istio Security Assessment, Google / NCC Group Confidential - "*" gateways: - test/bookinfo-gateway http: - match: - uri: exact: /productpage route: - destination: host: details.restrict-test.svc.cluster [...] the following 7. Run the following command and observe that a normal HTML page is returned: curl -v "http://$GATEWAY/productpage" 8. Use an administrative account to run the following commands: kubectl -n
  51 pages | 849.66 KB | 1 year ago

Full-stack service mesh: Aeraki helps you manage any layer-7 traffic in an Istio service mesh
  NoSQL. We need to manage multiple types of layer-7 traffic in a service mesh, not just HTTP and gRPC. ● RPC: HTTP, gRPC, Thrift, Dubbo, proprietary RPC protocols … ● Messaging: Kafka, RabbitMQ … ● Cache: [...] request level ○ HTTP host/header/url/method ○ Thrift service name/method name ○ Dubbo interface/method/attachment ○ ... ● Fault injection with application-layer error codes ○ HTTP status code ○ [...] ○ Redis Get error ○ ... ● Observability with application-layer metrics ○ HTTP status code ○ Thrift request latency ○ ... ● Application-layer security ○ HTTP JWT auth ○ Redis auth ○ ... IP data
  29 pages | 2.11 MB | 1 year ago

Istio is a long wild river: how to navigate it safely
  to Istio. End of 2021: 100% of services migrated to Istio. 8 features currently used: ● HTTP/2 load balancing ● Traffic shifting ● mTLS. Features under investigation: ● Retries ● Circuit [...] fights, start small. Stabilizing Istio: start with a few simple features such as: ● Injecting sidecars, HTTP/2 load balancing ● Traffic shifting for canaries. Build confidence in the system and understanding [...] spreads across the whole mesh ■ Any misconfiguration spreads too, be it intentional or not. Humans are error-prone, and both users and operators are humans, so: errors will happen, with a large blast radius! 40
  69 pages | 1.58 MB | 1 year ago

How HP set up secure and wise platform with Istio
  entirely new listeners, clusters, etc. #IstioCon Wise Platform: K8s custom resource definition, HTTP filters, network filters, UDP listener filters … Match outbound listeners in all sidecars, or Istio [...] application workload. Intelligence platform for multiple-tenant support • Support multi-tenants (add extra HTTP header/logs wisely) • Verify whether a JWT token is in the blacklist or not • Different rate limits for [...] Istio-proxy log shown in Kibana after parsing. Excellent observability - access logs, API errors in the last 30 days. Thank you! WeChat: johnzhengaz, Github: johnzheng1975
  23 pages | 1.18 MB | 1 year ago

Automate mTLS communication with GoPay partners with Istio
  io/userVolume ● Client talks HTTP, upgraded automatically to mutual TLS by the sidecar. Challenge & Future Works. Challenge ● Client egress communication sometimes got a 503 error (Istio #26990). This is fixed
  16 pages | 1.45 MB | 1 year ago

Introduction to Envoy internals and production pitfalls
  erd, Traefik. Envoy, thanks to its high performance and extensibility, currently leads the data-plane field by a wide margin. • iptables routes all traffic entering and leaving the application in a Pod through the Envoy proxy, fully transparently to the application. The main common network protocols are supported: HTTP/1, HTTP/2, TLS, gRPC, TCP and so on. Copyright © Huawei Technologies Co., Ltd. All rights reserved. Page 6. Envoy principles and overall architecture - startup [...] for the original destination service, and finds a backend handler to handle the new connection. • The backend handler specifies the protocol to handle in its configuration and processes the data it reads with the network filters for that protocol. • If the protocol is HTTP, request filters then process the HTTP headers (route selection and similar functions) and create the upstream connection pool. • The modified and encoded HTTP message is sent over the network to the peer Envoy's container network. • Traffic that iptables identifies as inbound enters the virtualInbound port. • ORIGINA [...] afterwards the Connection object registers the Read/Write callback onFileEvent with libevent again, and acting as the L4 filter manager handles onNewConnection and onData data reception. • For HTTP, the request continues through L7 codec processing and is then sent upstream. • When the request has been processed, deferredDelete is called to delete the request object and statistical observability data are recorded. • Network data is sent with asynchronous I/O, reducing the impact on other operations in the thread
  30 pages | 2.67 MB | 1 year ago

Secure your microservices with istio step by step
  istio sidecar (kubectl label namespace default istio-injection=disabled/enabled). Result: can access reviews-v1, reviews-v2 and reviews-v3. Access productpage [...] peer-authentication to enable server-side mTLS. mTLS in Istio - PeerAuthentication. #IstioCon Auto-mTLS in Istio ● Decide what type of traffic the client sidecar [...] to productpage 1) Apply destination rule to enable client-side mTLS. mTLS in Istio - DestinationRule: defines what type of traffic the
  34 pages | 67.93 MB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
  Today: 1. DNS query httpbin.ns1.svc.cluster.local 2. DNS response – 10.4.4.4; http req to 10.4.4.4 GET /status/200; http req to 172.16.1.3 GET /status/200; httpbin.ns1.svc.cluster.local SVC IP: 10.4 [...] name servers. Envoy does not use the agent's DNS cache. http req to 10.4.4.4 GET /status/200; httpbin.ns1.svc.cluster.local SVC IP: 10.4.4.4; http req to 172.16.1.3 GET /status/200 #IstioCon V1.8 Smart [...] Performance limitations: solutions ● Software techniques ○ (eBPF-based) TCP/IP stack bypass ○ HTTP/3 & QUIC ● Hardware acceleration technologies ○ SRIOV/DPDK ○ Networking/security offloading ●
  50 pages | 2.19 MB | 1 year ago
28 results in total