Istio Service Mesh at Enterprise Scale
Jason Webb, Vrushali Joshi (Feb 2021). Slides: company background (founded 1983, IPO 1993, 5,000 developers, 50M customers, $6.8B FY19 revenue, 20 locations); why a service mesh (service instance counts vary with autoscaling). Hub-and-spoke API gateway in front of Book Info, Payments and Product Info: gives security, visibility and traffic shaping, but adds latency and is a single point of failure. Service mesh alternative: a proxy per service on k8s with Istio, mTLS between proxies, giving the same security, visibility and traffic shaping without the extra latency hop or the single point of failure. Closes with adoption challenges.
12 pages | 1.23 MB | 1 year ago
Istio Security Assessment
Google, August 6, 2020, version 1.1. Prepared for Arun Kumar R; prepared by Mark Manning, Jeff Dileo, Divya Natesan and Andy Olsen. Feedback on this project: https://my.nccgroup (link truncated in the source). Goal of the assessment: identify security issues in the Istio code base, highlight high-risk configurations commonly used by administrators, and give a perspective on whether the security features sufficiently (text cut off) for the subsequent phases of the assessment. A test plan mapped areas of code to specific security controls (e.g. service discovery, certificate lifecycle, sidecar injection) to focus the testing effort.
51 pages | 849.66 KB | 1 year ago
Service mesh security best practices: from implementation to verification
Anthony Roman, Lei Tang (Google), April 26, 2022. Speakers: Anthony Roman (Istio, GitHub: anthony-roman) and Lei Tang (Istio). Agenda: 1. service mesh security architecture and implementation; 2. service mesh security best practices; 3. lifecycle of service mesh security, with demo. Part 1 covers attack vectors and attack surfaces (workload, cluster, edge, operations), with the framing that Istio is both a collection of security controls and an attack target.
29 pages | 1.77 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
IstioCon talk. What Istio brings to VMs: traffic management (load balancing for VM services, failover, A/B testing, modern rollouts), security (enforce the same policies in the same way across compute environments), observability and extensibility. Why Istio should support VMs, i.e. why VMs at all: technical reasons such as better-known security controls, better isolation (of resources, fault domains, etc.) and compatibility (non-Linux, unikernels); legacy scenarios such as stateful applications (data stores), legacy software (financial services, enterprise and workshop applications that are hard to lift and shift) and packaged software (non-Linux, unikernels).
50 pages | 2.19 MB | 1 year ago
Jimmy Song (宋净超): From open-source Istio to enterprise service mesh, how to adopt a service mesh in the enterprise
OSS to Enterprise Service Mesh, September 24, 2022, Shanghai, China. Cloud native application networking: secure, observe and manage microservices. Outline: background, enterprise service mesh. Company slide: co-founders include the chair of CNCF SIG Security, Varun Talwar (co-creator of gRPC and Istio) and Lizan Zhou (senior maintainer, Envoy). Community and industry leadership: founded CNCF SIG Security; secure and hardened Istio; training and certification; collaboration with NIST (author of the SP 800-204 series on microservice security, R&D on Next Generation Access Control, NGAC); exclusively co-hosts an annual zero trust multi-cloud event.
30 pages | 4.79 MB | 6 months ago
IstioCon 2021 Report
Talks listed include a 5G platform (generation), "I want to sketch a mesh for you", "Istio service mesh at enterprise scale", "Improving security with Istio" and "What Envoy hears when Istio speaks" (Google presenting), and "... and using Kiali" (by Red Hat). Office hours covered Istio debugging, Istio security, WebAssembly, multi-cluster, the Istio roadmap and Istio in production. Includes participant feedback.
18 pages | 912.89 KB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
IstioCon talk. Workloads range from microservices (API services, search engine, etc.) through databases and key-value stores (Oracle, MySQL, etc.) and big data systems and pipelines (Hadoop, Apache Spark, Apache Flink, etc.) to machine learning. Current topology: client to load balancer to web tier to load balancer to pods, spread across availability zones AZ 1 .. AZ n. Security today: an L4 micro-segmentation solution with a central policy store capturing application-to-application policy, Transport Layer Security (TLS), and a custom OpenID implementation for L7 AuthN. Why a service mesh: current challenges include manageability of hardware devices for traffic management and security enforcement.
22 pages | 505.96 KB | 1 year ago
Full-stack service mesh: Aeraki helps you manage any layer-7 traffic in the Istio service mesh
IstioCon talk. Target protocols: caches (Redis, Memcached, ...), databases (MySQL, PostgreSQL, MongoDB, ...) and other layer-7 protocols, all under one control plane (traffic management, security, observability). What we expect from a mesh: application-layer metrics (HTTP status code, Thrift request latency, ...) and application-layer security (HTTP JWT auth, Redis auth, ...). What Istio gives non-HTTP protocols today, looking only at the TCP header and payload: observability limited to TCP metrics (bytes sent/received, connections opened/closed) and security limited to the connection level, i.e. mTLS for authentication and authorization by identity or source IP.
29 pages | 2.11 MB | 1 year ago
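The "connection-level security" that the Aeraki abstract and the enterprise-scale slides above both refer to (mTLS between sidecars, authorization by peer identity or source IP) is what Istio's standard PeerAuthentication and AuthorizationPolicy resources express. The manifests below are an added example, not taken from any of the listed documents; the namespace "payments", the workload label "app=redis", the client service account "api" in namespace "default" and the 10.0.0.0/8 range are assumptions chosen for illustration.

```yaml
# Added example (not from the documents above). Assumed names: namespace
# "payments", Redis workload labelled app=redis, client ServiceAccount
# "api" in namespace "default", internal range 10.0.0.0/8.

# 1. Require mTLS for every sidecar in the namespace. A client that is not
#    in the mesh (no sidecar, no workload certificate) is refused at the
#    TLS handshake, before any Redis bytes are read.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# 2. Authorize on the two attributes that exist for a raw TCP connection:
#    the peer's SPIFFE identity (from the mTLS certificate) and its source
#    IP. Entries inside "from" are OR-ed; "from" and "to" are AND-ed.
#    HTTP-only fields (paths, methods, request.auth.claims) are not
#    evaluated for TCP traffic, which is exactly the limitation the
#    Aeraki talk is about: Istio cannot see Redis AUTH or a Thrift method.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: redis-clients
  namespace: payments
spec:
  selector:
    matchLabels:
      app: redis
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/api"]
    - source:
        ipBlocks: ["10.0.0.0/8"]
    to:
    - operation:
        ports: ["6379"]
```

With an ALLOW policy selecting the workload, any connection that matches no rule is denied, so a sidecar-less client, a client with a different service account and a connection to any port other than 6379 are all rejected; note that the ipBlocks branch alone would admit any in-range pod, so identity-based principals are the stronger of the two and the source-IP clause should be dropped unless a non-mesh client genuinely needs it.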
Istio audit report - ADA Logics - 2023-01-30 - v1.0
Istio Security Audit, carried out in collaboration with the Istio maintainers and the Open Source Technology Improvement Fund, Inc. (OSTIF, ostif.org). Author: Adam Korczynski. Licensed under Creative Commons Attribution 4.0 International (CC BY 4.0). Table of contents: executive summary, notable findings, project ..., previous audit (p. 50), Istio SLSA compliance (p. 52). Executive summary: in September and October 2022 Ada Logics carried out a security audit of the Istio project; the audit was sponsored (text cut off).
55 pages | 703.94 KB | 1 year ago
Istio traffic management principles and protocol extensions (Zhao Huabing, 赵化冰)
Closing slides: a feature and protocol roadmap table with routing [Todo], rate limit [Todo], RDS (needs data-plane support), Redis [Todo], sharding [Todo], traffic mirroring [Todo], MySQL [Todo], MongoDB [Todo], Postgres [Todo], RocketMQ [Todo], ZooKeeper [Todo]; ends with "Thank you for listening!"
20 pages | 11.31 MB | 6 months ago
22 results in total