Istio Security Assessment
...its control plane. The goal of the assessment was to identify security issues in the Istio code base, highlight high-risk configurations commonly used by administrators, and suggest areas of focus for subsequent phases of the assessment. A test plan was created that matched areas of code with specific security controls (e.g. service discovery, certificate lifecycle, sidecar injection); deployed architectures were used to give testers a way to validate that the security expectations in the code held once deployed. Each environment was deployed following the Istio documentation using
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
CI Pipeline | CONFIDENTIAL
Process flow using Istio: deploy Lua filters (kubectl apply -f); capture traces for E2E test requests; create tests and mocks; capture API interactions with Lua filters. (Diagram: Service A, Service B and Service C, each behind a proxy, feeding the Mesh Dynamics data store. Deploy: kubectl apply -f. Capture using Lua filter: all API data + trace IDs.) API request: context propagation rarely obvious. Challenge: dependencies require a lot of time to code; many dependencies in a test suite; dependency maintenance is effort intensive. Solution: ML-driven
How HP set up secure and wise platform with Istio
...listeners in all sidecars, or the Istio gateway. The Lua code that Envoy will execute. Which port number the filter will apply to. #IstioCon Wise Platform – lua. Wise Platform: using EnvoyFilter to
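The two decks above (the API-capture flow that deploys Lua filters with kubectl apply -f, and the HP slides on the Lua code Envoy executes and the port it applies to) both amount to one Istio object: an EnvoyFilter that injects an envoy.filters.http.lua filter into a sidecar's HTTP filter chain. The following is an added example of that object, not code from either deck; the workload label app: service-a, port 8080, the header names and the metadata namespace "capture" are assumptions. It records the request's trace ID and logs the request line and response status so the two can be correlated in the proxy log.

```yaml
# Added example (not from the original decks). Assumptions: the target
# workload carries the label app: service-a and serves plaintext HTTP
# on container port 8080; trace IDs arrive in the B3 header Istio
# propagates by default (x-b3-traceid).
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: capture-api-traces
  namespace: default
spec:
  # Scope the filter to one workload. Without workloadSelector the patch
  # applies to every sidecar in the namespace (and, if created in the
  # root namespace, to every sidecar in the mesh).
  workloadSelector:
    labels:
      app: service-a
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      # Only the inbound listener on the assumed application port.
      context: SIDECAR_INBOUND
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      # Insert ahead of the router so the script runs on every request
      # that would otherwise reach the application.
      operation: INSERT_BEFORE
      value:
        name: envoy.lua
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inlineCode: |
            -- Runs once per request on the worker thread handling it.
            function envoy_on_request(request_handle)
              local headers = request_handle:headers()
              local trace_id = headers:get("x-b3-traceid") or "none"
              local req_id = headers:get("x-request-id") or "none"
              -- Stash the trace ID in per-stream dynamic metadata so the
              -- response callback can correlate with it ("capture" is an
              -- assumed filter namespace, not a reserved one).
              request_handle:streamInfo():dynamicMetadata():set("capture", "trace_id", trace_id)
              request_handle:logInfo("capture request trace=" .. trace_id
                .. " id=" .. req_id
                .. " " .. (headers:get(":method") or "?")
                .. " " .. (headers:get(":path") or "?"))
            end

            -- Runs once per response on the same stream.
            function envoy_on_response(response_handle)
              local md = response_handle:streamInfo():dynamicMetadata():get("capture")
              local trace_id = (md and md["trace_id"]) or "none"
              response_handle:logInfo("capture response trace=" .. trace_id
                .. " status=" .. (response_handle:headers():get(":status") or "?"))
            end
```

Apply it with kubectl apply -f and check the sidecar log (kubectl logs <pod> -c istio-proxy) for the "capture" lines. Two caveats a reviewer would want stated: the script sees every header on matched requests, including Authorization and cookies, so the right to create EnvoyFilter objects is effectively the right to read application traffic and should be restricted with Kubernetes RBAC; and capturing bodies (request_handle:body()) makes the proxy buffer the whole request in memory, which is why the example above stops at headers.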
Introduction to Envoy internals and production pitfalls
onNewConnection: a new connection has been established; the filter can decide whether to reject it. onData: handles data arriving on the connection. onWrite: handles data being sent on the connection. L7 HTTP filters: modify HTTP request headers, rate limiting, Lua extensions, WASM extensions, development and debugging support, compression, metadata exchange, routing, and so on. decodeHeaders: handles the HTTP request headers. decodeData: handles the HTTP request body data. decodeTrailers: handles the end of the HTTP request. L4 network filter: a network filter dedicated to HTTP; it performs HTTP encoding and decoding according to the protocol type and invokes the L7 HTTP filters. envoy.filters.http.lua (L7 HTTP filter): based on the Lua scripting language, processes HTTP requests and responses; each Lua runtime runs in a worker thread. envoy.filters.http.local_ratelimit (L7 HTTP filter): local request rate limiting using a token bucket to cap the number of requests admitted in a fixed interval. Envoy has each worker thread handle network and timer events independently, with no data shared between threads, which improves performance. Filter architecture: Envoy uses an extensible plugin architecture for listener filters, L4 network filters and L7 HTTP filters, and additionally supports secondary extension through L4/L7 WASM and L7 Lua filters. Copyright © 2021 Huawei Technologies Co., Ltd. All rights reserved. This material is for Huawei-authorized training only and may not be used for any other purpose; without permission, no one may copy, modify or adapt it, or any part of it, or any derivative
Full-stack service mesh - Aeraki helps you manage any layer-7 traffic in the Istio service mesh
...with application layer error codes (HTTP status code, Redis GET error, ...). Observability with application layer metrics (HTTP status code, Thrift request latency, ...). Application layer... How to manage AwesomeRPC traffic in Istio? Pilot and Envoy. Code changes on the Pilot side: add AwesomeRPC support to the VirtualService API; generate LDS/RDS for... #IstioCon ...mutation, load balancing, circuit breaking, multiplexing, traffic mirroring, and so on. Implementing a custom protocol on top of MetaProtocol only requires a small amount of code (C++) for the Decode and Encode extension points. L7 filter extension points based on WASM and Lua are provided, so users can implement flexible custom protocol handling logic such as authentication and authorization. MetaProtocol: request processing path. Processing flow: 1. The Decoder parses
Your laptop as part of the service mesh
Your laptop is not part of the mesh club. #IstioCon A dummy proxy for the mesh: called by Lua code; parses the contract header and makes the HTTP call. Wait … What about VirtualService
Istio audit report - ADA Logics - 2023-01-30 - v1.0
...model of Istio to guide the security audit as well as future security audits. 2. Carry out a manual code audit for security issues. 3. Review the fixes for the issues found in an audit from 2020. 4. Review... obtained in parts of code bases that receive less attention. Our assessment is that, not counting the Operator, Istio is a very well-maintained and secure project with a sound code base, well-established... test coverage with little to no room for improvement. We identified a few APIs in security-critical code parts that would benefit from fuzzing and wrote fuzzers for these. In total, 6 fuzzers were written
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
github.com/gracezhang1110, www.linkedin.com/in/gong-zhang-75560670/: Advisory Software Engineer on the IBM Cloud Code Engine team, focusing on Knative Serving and Istio; contributor to Knative and Cloud Foundry. linkedin.com/in/yu-zhuang-51915287/: Architect and Senior Software Engineer at IBM Cloud, working on IBM Cloud Code Engine (serverless platform), focusing on Knative, Istio and Tekton; community lead for the team... running and managing serverless, cloud-native applications. It provides benefits: focus on code; scale to zero; quick entry to serverless computing; traffic management, observability, security
IstioCon2023 Welcome Keynote
...wizards of Stack Overflow. Bugs and security: read this quick explanation on how to report bugs, in code or in documentation. The Istio security team responds rapidly to vulnerability reports; read how... Contributor: the Istio Community README is the starting point for contributors who want to work on code, docs or other parts of Istio. You can access our trove of technical content and working documents... the Value of Community. Housekeeping: view the full IstioCon-VIRTUAL schedule; abide by the CNCF Code of Conduct; use the official #IstioCon in your social conversations; join the #istiocon Slack channel
Canary release of Kubernetes container applications with Istio in practice
...service | "unknown"; destination_version: destination.labels["version"] | "unknown"; response_code: response.code | 200. Istio & Kubernetes: summary. For cloud-native applications, using Kubernetes for microservice deployment and cluster management and Istio for service governance will gradually become the standard configuration for migrating applications to microservices.