Using Istio to Build the Next 5G Platform
Uniform metrics and tracing for all CNF traffic. Enforcement primitives to build Zero Trust: strong identity for users, workloads, devices, etc.; encrypting inter-CNF traffic via mutual TLS (mTLS). [Slide diagram: Frontend, SMF, Ingress Gateway, Redis DB, SMF App X, AMF identity, SMF identity] ©2021 Aspen Mesh. All rights reserved. How to Make Legacy NFs Talk to CNFs [Slide diagram: Frontend, UDM, Egress Gateway, Redis DB, SMF App X, Control Plane, UDM identity] ● CNI to avoid escalated pod privileges ● Integrate
18 pages | 3.79 MB | 1 year ago
Secure your microservices with istio step by step
JianFeng Ding, LuYao Zhong. #IstioCon. Agenda: ● Istio identity ● mTLS in Istio ● Secure ingress traffic ● Authorize ingress traffic ● Authorize in-mesh traffic. Istio identity: Istiod, Istio Agent, Envoy. 1. Start Envoy 2. Request cert (SDS) 3. CSR, auth: JWT 4. Cert signed in SPIFFE format (istio-proxy, CA server). Istio identity – how to: curl localhost:15000/config_dump. Istio identity – check configuration result ● Result: cert generated automatically with Istio identity 1) Apply peer-authentication to enable server side
34 pages | 67.93 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
with an Istio ServiceEntry ● Workload Group ○ a collection of non-K8s workloads ○ metadata and identity for bootstrap ○ mimic the sidecar proxy injection ○ automate VM registration ○ health/readiness ... bootstrapping process ○ Automate provisioning a VM's mesh identity (certificate) ■ based on a platform-specific identity ■ w/o a platform-specific identity ● using a short-lived K8s service account token ● Auto-scaling ● Automatically add a WorkloadEntry for a VM instance that connects with a valid identity token ● All we have to do is ○ specify a new WorkloadGroup with a template (to create WorkloadEntry)
50 pages | 2.19 MB | 1 year ago
Apache Kafka with Istio on K8s
Challenges – Certificate renewal • Client certificates have to be created for each separate client identity • Client certificates may take different formats (JKS, PEM, etc.) • Client certificate renewal ... Kafka does not process the client certificate in PLAINTEXT mode • Envoy WASM filter extracts the client identity from the client certificate and passes it to Kafka. Kafka client authentication with Istio
14 pages | 875.99 KB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Domain ■ Trust Domain: trust root of the system, having a separate root CA ■ Each workload gets a unique identity based on its K8s service account - spiffe://<trust-domain>/ns/<namespace>/sa/<service-account> ■ same environment across AZs ● Scaling Authorization Policies ○ Millions of policies ○ Global identity federation. #IstioCon Thank you! Contact us: DL-eBay-ServiceMesh@ebay.com https://www.linkedin
22 pages | 505.96 KB | 1 year ago
Istio Service Mesh at Enterprise Scale
○ Admiral cluster registration ● Higher-level logical service for developers ○ Multi-cluster identity ○ Multi-region endpoint ○ Istio config integrated with GitOps deployment ○ Init modifications
12 pages | 1.23 MB | 1 year ago
IstioCon2023 Welcome Keynote
Preview; Istio Fault Tolerance; 11:25 Ambient Q&A; 10:50 Istio Feature Gates; 12:00 Ambient + Pod Identity; 12:40 Multiplayer Istio WASM; 1:15 What's New Since 2022; CNCF Graduation; Ambient Mesh: A new
14 pages | 1.31 MB | 1 year ago
Service mesh security best practices: from implementation to verification
[Slide diagram of control layers: Network Policy, K8s RBAC, Audit Logging, Image Verification, Admission Control, Workload Identity, K8s RBAC, K8s CNI, AuthZ Policy, Peer AuthN Policy, KMS, Control Plane Hardening, Istio]
29 pages | 1.77 MB | 1 year ago
Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer 7 Traffic in the Istio Service Mesh
connections ● Security ○ Connection-level authentication: mTLS ○ Connection-level authorization: identity / source IP / destination port ○ Request-level auth is impossible. #IstioCon BookInfo Application - AwesomeRPC
29 pages | 2.11 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
One of the advantages of using Istio is that it offers a series of security features related to identity, policies, TLS encryption, authentication, authorization and internal auditing to enhance the security
55 pages | 703.94 KB | 1 year ago
11 results in total