Google Istio Security Assessment Google / NCC Group Confidential Dashboard Target Metadata Engagement Data Name Istio Type Architecture Review and Code-Assisted Security Assessment Type Kubernetes Service Total issues 18 Category Breakdown Access Controls 7 Configuration 5 Cryptography 1 Data Exposure 3 Data Validation 2 Component Breakdown Istio 10 Istio Sidecar 3 Istioctl 2 Pilot 3 Key Critical Communications Risk High Impact: High, Exploitability: Medium Identifier NCC-GOIST2005-004 Category Data Exposure Component Istio Location Istio Control Plane: • controlPlaneSecurityEnabled istioctl configuration

usage of the language. Istio consists of two components: The controlplane and the dataplane. The data plane handles the connection between services and forms a series of proxies deployed as sidecars. err := url.Parse(srcURL) if err != nil { return "", fmt.Errorf("invalid chart URL: %s", srcURL) } data, err := httprequest.Get(u.String()) if err != nil { return "", err } name := filepath.Base(u.Path) err := os.Mkdir(dir, 0o755) if err != nil { return "", err } } if err := os.WriteFile(destFile, data, 0o644); err != nil { return destFile, err } return destFile, nil } Exploitation To exploit this

生命周期（PA） u启动envoy u热重启envoy u监控envoy u优雅关闭envoy启动envoy ü监听/etc/certs目录 ü生成envoy静态配置文件envoy-rev0.json ü通过exec.Command启动 envoy并监听状态 • 文件配置文档 • 启动参数文档热重启envoy热重启涉及以下步骤 • Pilot-Agent只是负责启动S，其他步骤由envoy完成。 u触发配置生效方式v1版本和v2版本之间的区别 V1 HTTP1 REST JSON/YAML 弱类型 轮询 SDS/CDS/RDS/LDS 奠定控制平面基础 V2 HTTP2 GRPC Proto3 强类型 Push SDS/CDS/RDS/LDS/HDS/ADS/KDS 和Google强强联手 官方博客：The universal data plane API缓存Istio和k8s配置 ü一个小型的非持久性key/value数据库

istio-proxy -- pilot-agent request GET /config_dump > config.json • 查看listener：istioctl pc listener backend-welink-649fdfd55d-2xhzw --port 8123 -o json • 查看endpoint：istioctl pc endpoint backend-welink-649fdfd55d-2xhzw http://backend-welink:8123 #http1 • nighthawk #http2 • perf record -F 2000 -g -p $pid; perf script -i perf.data > out.perf; stackcollapse-perf.pl out.perf > out.folded; flamegraph.pl out.folded > cpu.svg • 镜像修改

cn-hangzhou.cr.aliyuncs.com/asm/asm- test:v0.1 --manifest-config runtime- config.json:application/vnd.module.wasm.config.v1+json example- filter.wasm:application/vnd.module.wasm.content.layer.v1+wasm ○ Wasm kubectl create secret generic asmwasm-cache -n istio-system --from- file=.dockerconfigjson=myconfig.json --type=kubernetes.io/dockerconfigjson 16 ��������� ������������� ASMFilter Deployment 资源对象 Controller

"spiffe:///ns//sa/” ● istioctl proxy-config secret -o json | jq '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.i nlineBytes' -r | base64 jwksUri: "https://raw.githubusercontent.com/istio/istio/re lease-1.8/security/tools/jwt/samples/jwks.json" apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: require-jwt

tests • What is our solution? – Leverage Istio sidecar to listen to API traffic data and create tests from the data – 10x speed in creating API tests • Can also be sped up by just navigating the application application UI – Create E2E tests, component tests and service tests from the same data • Key product benefits (#releases, #rollbacks, MTTR, #bugs-in-production, Reduced eng effort for testing, velocity) A Proxy Proxy Service B Service C Proxy Mesh Dynamics Data Store Deploy: kubectl apply -f Capture using Lua filter All API data + TraceIDs | CONFIDENTIAL 11 Assemble API request traces

from ○ API services, Search Engine, etc. ○ Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems & Pipelines - Hadoop, Apache Spark, Apache Flink, etc. ○ Machine Learning Platforms - Tensorflow GPUs #IstioCon Application Deployment: Cloud Layout ● Region: A metro region ● DC: One or more Data Centers in each Region ● AZ: One or more Availability Zones in each DC ○ Independent power, cooling peering with the Internet closer to the customer ○ PoPs are mini AZs Region R1 AZ 1 AZ 2 AZ n Data Center DC1 Region Rn #IstioCon Application Deployment: Cloud Layout ● Multiple K8s Clusters

(Consul, Kuma…) #IstioCon Emerging Use Cases #IstioCon Legacy Scenarios ● Stateful applications ○ Data store ● Legacy software ○ Financial services ○ Enterprise/Workshop applications ○ Hard to lift services in the cluster ○ DNS name resolved ■ gets routed through the gateway to the service ● The data plane traffic ■ Single network ● direct communication w/o requiring intermediate Gateway ■ Multiple for sensitive data ○ Strong isolation for multi-vendor services ○ End-to-end security! (not just between middle boxes) ● High performance networking ○ Much higher multi-Gbps peak data speeds ○ Ultra