Istio audit report - ADA Logics - 2023-01-30 - v1.02
Contents: Notable findings (p. 3), Project summary (p. 4), Audit scope (p. 6), Overall assessment (p. 7), Fuzzing (p. 9), Threat model (p. 11), Issues found (p. 17), Review of fixes for issues from previous audit (p. 50), Istio SLSA compliance (p. 52)
... engagement was a holistic security audit that had several high-level goals: 1. Formalise a threat model of Istio to guide the security audit as well as future security audits. 2. Carry out a manual code ... finding was reported by the auditing team to the Istio maintainers, because Istio does not cap the size of requests made on an h2c connection, which could lead to a denial of service scenario if a large ...
55 pages | 703.94 KB | 1 year ago
Istio Security Assessment
... PushContext.mergeGateways methods and the sortConfigByCreationTime function within istio/pilot/pkg/model/push_context.go. Impact: An attacker that is able to create an Istio Gateway within a Kubernetes cluster ... gatewaysByNamespace[proxy.ConfigNamespace] } else { configs = ps.allGateways } (Listing 1: istio/pilot/pkg/model/push_context.go). Recommendation: While this issue can likely be remediated by using per-namespace ingress ... Description: A cryptographic hash is a function which takes a string of bytes and returns a small, fixed-size value. Hash functions guarantee that the same input always results in the same output. When used for ...
51 pages | 849.66 KB | 1 year ago
Istio Project Update
... Extension Model, Mixer #IstioCon ... Istiod Cluster 1, Istiod Cluster 2, API server, API server, Ingress, Ingress, Service A, Service B, Service B Mirror: Simplified Istio Multicluster Model #IstioCon ... Istio Innovation: Simplified installation, Simplified control plane, New extension model, Unified multicluster model, Simplified VM onboarding, Simplified troubleshooting #IstioCon ... 2021: Year of Istio ...
22 pages | 1.10 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
... the viable solutions to communicate between legacy VNFs and new CNFs. Need a stricter security model for end-to-end key protection #IstioCon ... Legacy VNF / CNF: Option 1: Recommended architecture ... Protection: SDS (Secret Discovery Service); a stricter security model: protections for inline components & workflows; trust model augmentation: impersonating, secret clear in memory, secret ...
50 pages | 2.19 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
... Capture traffic management & routing intent as "Access Point" specs; leverage the Istio object model: Gateway, VirtualService, DestinationRules, etc. apiVersion: apps.cloud.io/v1 kind: AccessPoint ...
22 pages | 505.96 KB | 1 year ago
Istio is a long wild river: how to navigate it safely
... there are n sidecars. Case 1: One size fits all (need to fit the biggest workload). + Easy to set, one default value for sidecar resources. - Bigger default size = bigger cost. Case 2: Adjust based ... performance and capacity. Adopting Istio: One size fits all is too costly for us (and should probably be for you too). So how can we adjust the sidecar size? VPA? Not working. HPA? Not applicable ...
69 pages | 1.58 MB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
... sidecars, a sidecar needs to know the mesh in its own user namespace only. We can limit the mesh size to namespace scope for all user namespaces easily. Unleash maximum scalability by fully leveraging Istio features in Knative with service mesh enabled. Enable Istio mesh on Knative: reduce mesh size in app sidecar #IstioCon. Knative needs to access the pod by IP directly for performance and efficiency ...
23 pages | 2.51 MB | 1 year ago
Accelerate Istio with eBPF
... run on the same node. Configurations: mTLS enabled; number of Envoy workers: 2; response payload size: 1KB. Latency: 11-17% improvement. Istio Meetup China. Summary: eBPF functionality enabled with ...
15 pages | 591.60 KB | 1 year ago
SberBank story: moving Istio from PoC to production
... tuning is required. 1. Resource consumption 2. Resource Mounts (#15517) ... 4. Tests on the production-size environment aren't a waste of time. 1. Istio Discovery Restarts (#25495) 2. Proxy Probes (#26792) ...
14 pages | 1.68 MB | 1 year ago
9 results in total