Service mesh security best practices: from implementation to verification
... Plane | Service mesh security architecture: Cluster, Workload, Edge, Operations; Ingress Policies, Egress Policies, WAF / IDS, Firewall, User AuthN/Z, Data Loss Prevention, Certificate Authority; K8s security, Edge Security, Cluster security, Service, Proxy, Ingress. 1. Define ingress security policies to control access to services. Deploy a web application firewall to defend against DDoS, injection and remote-execution attacks. Edge security, Egress: 2. Define egress security policies to defend against data exfiltration and botnet attacks. 3. Define firewall and virtual private network to ...
0 码力 | 29 pages | 1.77 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
... to pass further security policies. | Proxy -> Service (low to high): incoming traffic to the proxy can come from outside the cluster and is validated against the specified policies before it reaches the service trust boundary as it passes the proxy. | Control plane -> Data plane (high to low): policies are created by users with privileges; the policies are propagated to the data plane. | Egress sidecar -> External APIs (high to ... ) ... the advantages of using Istio is that it offers a series of security features related to identity, policies, TLS encryption, authentication, authorization and internal auditing to enhance the security in ...
0 码力 | 55 pages | 703.94 KB | 1 year ago
Istio Security Assessment
... the Cluster such as pods, services, IPs as well as specific Istio configurations such as routing policies, networking rules, and the configuration of the Istio sidecar injected into each workload. As discussed ... avenue to escalate access. Specifically, sudo should not be used as it makes it easier to evade some policies that have a weak privilege escalation policy set in the cluster. The Istio Hardening Documentation ... BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" VERSION_CODENAME=bionic UBUNTU_CODENAME=bionic istio-proxy@example-pod:/$ ... Recommendation ...
0 码力 | 51 pages | 849.66 KB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
... Controllers watch K8s clusters and translate policies into K8s NetworkPolicies to be enforced in the clusters. There are also other enforcers to enforce L4 policies on hardware firewalls, bare metals ... AZs; mutual TLS between Pods of the same environment across AZs. Scaling Authorization Policies: millions of policies; global identity federation. #IstioCon Thank you! Contact us: DL-eBay-ServiceMesh@ebay ...
0 码力 | 22 pages | 505.96 KB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
... for VMs, failover, A/B testing, modern rollouts for VM services. Security: enforce the same policies in the same way, across compute environments. Observability: see VM metrics alongside containers ... a service in your mesh: traffic redirect and forward; retry, timeout, fault injection, mTLS policies; VM service, multicluster Istio mesh support. Service + Endpoints: usually for internal traffic ...
0 码力 | 50 pages | 2.19 MB | 1 year ago
宋净超: From open-source Istio to enterprise-grade services: how to adopt a service mesh in the enterprise
... clusters. High availability and resiliency enabling active-active deployments. Cross-cluster security policies and access control. Unified telemetry and availability reporting. Service discovery across multiple ...
0 码力 | 30 pages | 4.79 MB | 6 months ago
6 results in total