categorization, see Appendix A on page 38. Title ID Risk Inability To Secure Control Plane Network Communications 004 High Lack of Security Related Documentation 016 High Lack of VirtualService Assessment Google / NCC Group Confidential Finding Details Finding Inability To Secure Control Plane Network Communications Risk High Impact: High, Exploitability: Medium Identifier NCC-GOIST2005-004 Category Istio should not have any plaintext endpoints exposed via its control plane and should enforce all network communications use mTLS (or at minimum, TLS) for communi- cations within the istio-system namespace

Certificate Authority K8s Network Policy K8s RBAC Audit Logging Image Verification Admission Control Workload Identity K8s RBAC K8s CNI AuthZ Policy Peer AuthN Policy KMS Control Plane to defend against data exfiltration, botnet attacks. 3. Define firewall and virtual private network to lock down external access. Edge security best practices Cluster security Access control 3. use k8s network policies to limit traffic bypassing sidecars Cluster security best practices: safely handle policy exceptions Cluster security Access control Edge security Policy exceptions

proxies deployed as sidecars. The proxies consist of Envoy proxies and an Istio-agent and manage network traffic between microservices. The control plane is responsible for applying user configuration to this report, we list them below: ● Certificate management ● Authentication ● Authorization ● Policy Enforcement Points (PEPs) ● A set of Envoy proxy extensions to manage telemetry and auditing Certificate specified by mesh administrators. Istiod propagates the policies to the proxies and checks whether the policy of each proxy is up to date. Authentication has two core features in Istio: 1. Peer authentication:

Access-control Policy store, etc. ● AZ Control Plane ○ Syncs specs to workload K8s clusters in the AZ ○ Shared-Nothing Architecture ■ Hosts services catering to the AZ, e.g., AZ IPAM, Network Load-balancers 1 AZ 2 AZ n Client #IstioCon What about Security? ● L4 Micro-segmentation Solution ○ Central Policy store capturing Application-to-Application dependencies ○ Controllers watch K8s clusters and translate & Firewalls ● Evolve into AZ based architecture ● Dial-tone security with Trust Domain ● L7 policy enforcement Step 1 Step 2 Step 3 Step 4 Declarative Intent Replace Hardware AZ Architecture

Mutual TLS • Authorization Policy • Envoy External Authorization #IstioCon Secure Platform #IstioCon Secure Platform – JWT Verify Using request authentication policy to Verify end-user JWT easily TLS Using mutual TLS for service-to-service authentication. • When a service receives or sends network traffic, the traffic always goes through the Envoy proxies first. • When mTLS is enabled between locally to the actual destination service. #IstioCon Secure Platform – Authorization Policy Using Authorization Policy enables access control on workloads in the mesh. For request from ingressgateway

Add VMs to the Mesh? ● = Why Service Mesh? ○ More services = more complexity ○ Need consistent policy enforcement ○ Need consistent metrics aggregation ● Traffic management ○ Load balancing for VMs to lift and shift ● Packaged software ○ Non-Linux ○ unikernels ● Domain specific workloads ○ Network Functions (NFV) #IstioCon Hybrid and Multi Clouds #IstioCon Istio VM Integration is? A Tumultuous about connecting virtual machine workloads to Kubernetes workloads. #IstioCon VM Support – Single Network #IstioCon VM Support – Multiple Networks #IstioCon Current State of VM Support ● Traffic flow

mesh discovery and routing ● Expose gateway services via Istio Gateway ● Towards RESTRICTED network policy ● On-board services to Authentication and Authorization as applicable #IstioCon Thank you

Analysis Core Query CoreIstio telemetry Attribute Vocabulary https://istio.io/docs/reference/config/policy-and- telemetry/attribute-vocabulary/Metric settings in Istio bypass adaptor• Service. Represent ENTITY TYPE DESCRIPTION INVENTORAY Inventory includes service, service_instance, endpoint, network_address. They are metadata for SkyWalking. Don’t delete these. INDICATOR All metric data belong

trust app app app app app app app app app app app app app Kubernetes Network Policy Istio RBAC naiscar Lessons learned What’s next? @nais_io @linemoseng @j_hrv

apiVersion: "security.istio.io/v1beta1“ kind: "PeerAuthentication“ metadata: name: "demo-peer-policy“ namespace: "default“ spec: selector: matchLabels: app: reviews mtls: mode: STRICT 1) Apply deny-all authorization policy 2) Apply prouctpage-viewer policy 3) Apply details-viewer policy 4) Apply reviews-viewer policy 5) Apply ratings-viewer policy 6. Authorize in mesh traffic 1) Apply deny-all authorization policy 2) Apply prouctpage-viewer policy 3) Apply details-viewer policy 4) Apply reviews-viewer policy 5) Apply ratings-viewer policy Redeploy bookinfo sample services