Using ECC Workload Certificates (pilot-agent environmental variables)
#IstioCon Using ECC Workload Certificates (pilot-agent environmental variables) Jacob Delgado / Aspen Mesh #IstioCon ECC workload certificates ● In various environments, the need for x509 certificates cryptography (using ECDSA P-256) to use this feature ● Only ECDSA P-256 is supported #IstioCon pilot-agent environmental variables Disclaimer: Environmental variables and their use are considered experimental set the ECC_SIGNATURE_ALGORITHM environmental variable on sidecar injection to ECDSA for use by pilot-agent ○ For gateways this environmental variable also must be set on installation/upgrade
0 points | 9 pages | 376.10 KB | 1 year ago

Istio Security Assessment
common environments such as Kubernetes clusters. • Istio Pilot: The service running within the istiod service that handles service discovery. • Istio Ingress/Egress: Networking controls allowing inbound test plan was created which matched areas of code with specific security controls (e.g. service discovery, certificate lifecycle, sidecar injection) to focus testing efforts. Istio does not currently have lacks many hardening controls and should be replaced with a more secure-by-default option. • The Pilot admin interface exposes unnecessary services and is accessible to anyone within a default cluster
0 points | 51 pages | 849.66 KB | 1 year ago

13 Istio Traffic Management Principles and Protocol Extensions (Zhao Huabing)
Istio traffic management – overview • Control plane pushes traffic rules: Pilot • Data plane standard protocol: xDS • Pod traffic in and out within the cluster: Sidecar Proxy • Traffic entry from outside the cluster: Ingress Gateway • Traffic exit to outside the cluster: Egress Gateway (optional; controls external access at one centralized point) • Service discovery • Load balancing • Time out • Retries • Circuit breaker • Routing • Auth • Telemetry collecting; external traffic exit; external traffic entry; Pilot 2 Istio traffic management – control plane. Two kinds of data: • Service data (which services exist in the mesh? default routes) • Service Registry: Kubernetes: native support; Consul, Eureka and other service registries: MCP. Istio traffic management – control plane – service discovery • K8s Service: supported directly by Pilot • ServiceEntry: manually add a Service to Pilot's internal registry • WorkloadEntry: add a single Workload, friendlier for VM support • MCP adapter: add services from third-party registries into Pilot. Consul MCP Adapter https://github.
0 points | 20 pages | 11.31 MB | 6 months ago

Local Istio Development
#IstioCon Fully Local go run ./pilot/cmd/pilot-discovery go run ./pilot/cmd/pilot-agent #IstioCon Fully Local go run ./pilot/cmd/pilot-discovery go run ./pilot/cmd/pilot-agent + Fast! Bottleneck is #IstioCon Cluster Remote Istiod, local proxy go run ./pilot/cmd/pilot-agent #IstioCon Cluster Remote Istiod, local proxy go run ./pilot/cmd/pilot-agent + Rapid iteration - Very different from production Local Istiod, remote proxy Cluster go run ./pilot/cmd/pilot-discovery #IstioCon Local Istiod, remote proxy Cluster go run ./pilot/cmd/pilot-discovery + All of the benefits of running Istiod locally
0 points | 16 pages | 424.31 KB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
default, Knative does not enable service mesh, it uses Istio as an Ingress Gateway. • Enable Secret Discovery Service (SDS) to monitor and mount secrets under istio-system to ingress gateway which contains o Istiod MEM bumped with large numbers of Knative Services (#25532) Mem usage optimization of pilot resolved this issue. • Tune CPU/MEM to ensure enough capacity Leveraged Metrics to monitor Istio Istiod. o From envoy logs, transient 503 UH "no healthy upstream" errors. o From Grafana dashboard, Pilot Pushes shows long latencies. • Detect and analyze Istio scalability issue #IstioCon o Random peaks
0 points | 23 pages | 2.51 MB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Mesh ○ An architectural pattern to implement common Security, Observability, Service Routing & Discovery functions as features of the infrastructure - ○ Functions: TLS Termination, Traffic Management sidecar Envoys ○ Measure Config convergence time ■ Time taken by all sidecars to get config from Pilot without any errors ■ For thousands of services & endpoints ■ With different churn rates of Pods time from single Pilot instance to 0 - 3,000 sidecars < 1 second ○ Pilot CPU & memory within acceptable limits: < 10 cores, 25 GB memory ○ Pilot can scale horizontally ● Need to tune PILOT_DEBOUNCE_AFTER
0 points | 22 pages | 505.96 KB | 1 year ago

Istio Control Plane Components Explained
Contents. Pilot-Agent: lifecycle management (PA) • start envoy • hot-restart envoy • monitor envoy • gracefully shut down envoy. Starting envoy • watch the /etc/certs directory • generate the envoy static configuration file envoy-rev0.json • start envoy via exec.Command and monitor its status • file configuration docs • startup parameter docs. Hot-restarting envoy: a hot restart involves the following steps • Pilot-Agen • once all 10 tokens are used up without a successful recovery, give up and exit. Gracefully shutting down envoy • K8s sends SIGTERM so the container shuts down gracefully • Pilot-Agent receives the signal, shuts down its sub-services via context, and sends SIGKILL to stop envoy • Envoy does not support graceful shutdown; it has to be achieved with canary or blue-green deployments. Discussion of Envoy graceful-shutdown approaches: #3307 #2920. Pilot-Discovery: configuration center (PD) • differences between the v1 and v2 versions • build the cached configuration • trigger ,"150":"AAAAAAAAAAAAAP//rBQDqg=="} • req.DefaultWords : • ["istio-pilot.istio-system.svc.cluster.local", • "kubernetes://istio-pilot-8696f764dd-fqxtg.istio-system", • "3a7a649f-4eeb-4d70-972c-ad2d43a680af"
0 points | 30 pages | 9.28 MB | 6 months ago

Canary Release Practice for Kubernetes Container Applications Based on Istio
Kube-APIServer Etcd istioctl / kubectl Pilot Envoy SVC Pod Node Envoy SVC Pod Node Envoy SVC Pod list/watch (Service, Endpoints, Pod) User. Istio & Kubernetes: unified service discovery Pilot ServiceController(Kube) DiscoveryServe service, endpoint and other resource objects on the KubeAPIserver 3. DiscoveryServer uses the service discovery methods of the ServiceDiscovery interface together with the user-configured rules to construct xDS 4. Envoy fetches xDS from Discovery and updates dynamically Kubernetes Service Instance Instance Service Endpoint Endpoint Istio Istio & svcA Rules API Pilot 80% Istio canary release: based on request content Version2 Envoy SVC Envoy SVC Pod1 Pod2 Pod3 Envoy SVC Pod1 Pod2 Version1(canary) group=dev svcB svcA Rules API Pilot apiVersion: … kind:
0 points | 38 pages | 14.93 MB | 1 year ago

Canary Release Practice for Kubernetes Container Applications Based on Istio
Kube-APIServer Etcd istioctl / kubectl Pilot Envoy SVC Pod Node Envoy SVC Pod Node Envoy SVC Pod list/watch (Service, Endpoints, Pod) User. Istio & Kubernetes: unified service discovery Pilot ServiceController(Kube) service, endpoint and other resource objects on the KubeAPIserver 3. DiscoveryServer uses the service discovery methods of the ServiceDiscovery interface together with the user-configured rules to construct xDS 4. Envoy fetches xDS from Discovery and updates dynamically Kubernetes Service Instance Instance Service Endpoint Endpoint Istio. Istio svcA Rules API Pilot 80%. Istio canary release: based on request content Version2 Envoy SVC Envoy SVC Pod1 Pod2 Pod3 Envoy SVC Pod1 Pod2 Version1(canary) group=dev svcB svcA Rules API Pilot apiVersion: … kind:
0 points | 34 pages | 2.64 MB | 6 months ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
typically is Istiod. 2. To receive ADS requests from Envoy and forward these to the specified discovery server which typically is Istiod. Istiod handles certificate signing requests via the IstioCAServiceServer Severity: Low Difficulty: High Fixed: Yes Affected components: ● pkg/wasm ● Istio Agent ● Istio Pilot ● Istioctl Vectors: ● CWE-295: Improper Certificate Validation ID: ADA-IST-6 Fix: https://github 37 Istio Security Audit, 2023 tio/istio/blob/a7e57f950edc9f06b29f977d82fd8dfa9ae5f35b/pilot/cmd/pilot-agent/status/server.go#L758 w.WriteHeader(http.StatusInternalServerError) } else { w.WriteHeader(http
0 points | 55 pages | 703.94 KB | 1 year ago

29 items in total