Istio Security Assessment
Summary Synopsis: In the summer of 2020, Google enlisted NCC Group to perform an assessment on the open-source version of Istio and all of its components. Istio is a modern service mesh technology stack … environment was deployed following Istio Documentation using istioctl. The assessment included many open source components that were actively being updated during testing, so testers used the latest release … finding, NCC Group uses a composite risk score that takes into account the severity of the risk, application's exposure and user population, technical difficulty of exploitation, and other factors. For an …
51 pages | 849.66 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
PRESENTS Istio Security Audit. In collaboration with the Istio projects maintainers and The Open Source Technology Improvement Fund, Inc (OSTIF). ostif.org. Authors: Adam Korczynski … 2; Notable findings 3; Project summary 4; Audit scope 6; Overall assessment 7; Fuzzing 9; Threat model 11; Issues found 17; Review of fixes for issues from previous audit 50; Istio SLSA compliance 52 … engagement was a holistic security audit that had several high-level goals: 1. Formalise a threat model of Istio to guide the security audit as well as future security audits. 2. Carry out a manual code …
55 pages | 703.94 KB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
Deterministic workloads with strong requirements ● For Istio ○ What is Istio? A service mesh. But more: an open service platform! ○ More use cases! ○ (Consul, Kuma…) #IstioCon Emerging Use Cases … the viable solutions to communicate between Legacy VNFs and new CNFs ● Need a stricter security model for end-to-end key protection … Legacy VNF CNF: Option 1 ● Recommended architecture … Protection ● SDS (Secret Discovery Service) ● A stricter security model ○ Protections for inline components & workflows ○ Trust model augmentation ■ Impersonating ■ Secret clear in memory ■ Secret …
50 pages | 2.19 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Scala, etc. ● Running on variety of Hardware ○ General-purpose x86 servers ○ GPUs #IstioCon Application Deployment: Cloud Layout ● Region: A metro region ● DC: One or more Data Centers in each Region … customer ○ PoPs are mini AZs [diagram: Region R1, AZ 1, AZ 2, AZ n, Data Center DC1, Region Rn] … Application Deployment: Cloud Layout ● Multiple K8s Clusters in an AZ ○ Each K8s cluster ~ 200 - 5,000 nodes … Region Rn … Application Specs, Region R1. Application Deployment: Federation ● Hierarchy of control planes ● Global Control Plane ○ Users provide application specs to Global Control-Plane …
22 pages | 505.96 KB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
… and Cloud Foundry community, maintainer of a Knative benchmarking tool called kperf, speaker of Open Source Summit China 2019 about Istio integration with containerized Cloud Foundry. Yu Zhuang, yuzcdl@cn … Knative. It is leveraged for … Net-istio is a Knative ingress controller for Istio. Knative is an open source project which provides a set of components (Serving and Eventing) that introduce event-driven … use Istio gateway service istio-ingressgateway as its underlying service. Knative Activator or … Application Front door design #IstioCon - Traffic Splitting, blue/green deployment. How Istio is leveraged …
23 pages | 2.51 MB | 1 year ago
宋净超: From Open Source Istio to Enterprise Service: How to Adopt a Service Mesh in the Enterprise
… to Enterprise Service Mesh. 宋净超 (Jimmy Song), September 24, 2022, Shanghai, China. Cloud Native Application Networking: Secure, Observe and manage microservices. Outline ● Background ● Enterprise Service … complexity and lack of operational agility ● You can't be Cloud Native at scale without a modern application-aware network. Cloud != Cloud Native: Bare metal, VMs, Kubernetes, VMs ● Monolith was decoupled to … different from the perspective of a developer building and operating an application. Why is Istio? TSB: The Application-Aware Networking Platform. Istio: Control Plane. Tetrate Service Bridge: Management …
30 pages | 4.79 MB | 6 months ago
Preserve Original Source Address within Istio
About me: Zhonghu Xu, an open source engineer from Huawei Cloud. - Github: https://github.com/hzxuzhonghu - Istio steering committee member - Istio Core Maintainer & Contributor - Open source enthusiast … Proxy Protocol: client, Server, Establish TCP connection, Proxy Protocol binary header, Application data. - The client and server side must support proxy protocol simultaneously - The client here … --save-mark --nfmask 0xffffffff --ctmask 0xffffffff # mark connection 1337 according to packet sent to application -A OUTPUT -p tcp -m connmark --mark 0x539 -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask …
29 pages | 713.08 KB | 1 year ago
Istio is a long wild river: how to navigate it safely
… | grep -v envoy | wc -l | xargs) -ne 0 ]; do sleep 1; done"] This preStop hook will wait for application connections to be drained before stopping the container. Workaround: Use postStart and preStop … that Envoy is stopped after any other container in a pod ● Use a `preStop` lifecycle hook in the application container manifest: lifecycle: preStop: exec: … connection draining may not complete, leading to 5xx errors. Example: for sleep 30 + sleep 45 in the application container, we set terminationGracePeriodSeconds to 90 seconds. Warning: These are workarounds …
69 pages | 1.58 MB | 1 year ago
Istio Project Update
Extension Model: Mixer … [diagram: Istiod Cluster 1, Istiod Cluster 2, API server, Ingress, Service A, Service B, Service B Mirror] Simplified Istio Multicluster Model … Istio Innovation: Simplified installation, Simplified control plane, New extension Model, Unified multicluster model, Simplified VM onboarding, Simplified troubleshooting … 2021: Year of Istio …
22 pages | 1.10 MB | 1 year ago
Optimal Canary Deployments using Istio and how it scores over Spring Cloud and Kubernetes
… balancer) www.my-application.com, External Traffic 75% / 25%, Deployment. Canary Releases Using Kubernetes Deployment: [diagram: POD POD POD, SERVICE (Load balancer), www.my-application.com, External Traffic] … SERVICE (Load balancer), www.my-application.com, External Traffic, POD POD, 0% / 100%, Deployment, Deployment, Deployment. Canary Releases Using Kubernetes – Across application Layers: [diagram: Deployment, POD POD, SERVICE (Load balancer), www.my-application.com, External Traffic 75% / 25%, POD POD POD POD, SERVICE (ClusterIP) 75% / 25%, POD POD, Cross-version Traffic, My-data-service Service, Demo-canary] …
9 pages | 1011.00 KB | 1 year ago
33 items in total