Istio Security Assessment (Google / NCC Group, Confidential). Dashboard. Target Metadata: Name: Istio; Type: Kubernetes Service. Engagement Data: Type: Architecture Review and Code-Assisted Security Assessment; Total issues: 18. Category Breakdown: Access Controls 7, Configuration 5, Cryptography 1, Data Exposure 3, Data Validation 2. Component Breakdown: Istio 10, Istio Sidecar 3, Istioctl 2, Pilot 3. Key: Critical Communications; Risk: High (Impact: High, Exploitability: Medium); Identifier: NCC-GOIST2005-004; Category: Data Exposure; Component: Istio; Location: Istio Control Plane: controlPlaneSecurityEnabled istioctl configuration | 51 pages | 849.66 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0. Stakeholders: Didier Grelin, Sr. Technical Program Manager, dgrelin@google.com; Ethan Jackson, Staff Engineer, jethan@google.com; Francis Zhou, Senior Technical Program Manager, francisz@google.com; Greg Hanson, Software; jdpettit@google.com; Lei Tang, Technical Lead, leitang@google.com; Neelima Balakrishnan, Software Engineering Manager, neelimabk@google.com; Shankar Ganesan, Software Engineer, shankgan@google.com. Istio Security: usage of the language. Istio consists of two components: the control plane and the data plane. The data plane handles the connection between services and forms a series of proxies deployed as sidecars. | 55 pages | 703.94 KB | 1 year ago
Envoy internals and production pitfalls. local_ratelimit, L4 network filter: L4 rate limiting; a token bucket stops too many downstream connections being accepted within a fixed time interval. envoy.filters.network.http_connection_manager, L4 network filter: the network filter dedicated to HTTP requests; it runs the HTTP codec for the detected protocol and invokes the L7 HTTP filters. envoy.filters.http.lua, L7 HTTP filter: based on ... (diagram: iptables -> :15001 -> original_dst -> 10.110.59.75:80; tls_inspector, http_inspector, http_connection_manager ... router -> upstream connection pool; codec, codec, metadata_exchange; iptables; http/1.x, h2c; cluster) • ... listener (which does not actually listen on the network) address and hands over the newly accepted downstream connection. • The downstream connection's listener filters detect TLS, ALPN (application protocol name) and HTTP version, then match the L4 http_connection_manager network filter. • http_connection_manager uses the HTTP codec to decode the HTTP headers, body and trailers and fires the corresponding callbacks. • In the HTTP header/body callbacks the L7 HTTP filters are invoked. | 30 pages | 2.67 MB | 1 year ago
IstioCon 2021 Partner Packages. ... attendees links to the live stream, communicate important event details and collect aggregate attendance data. • This PII will not be shared with any other third parties. • This PII will be deleted right after ... social media mentions, 1 Slack mention during the event. • The sponsor(s) are responsible for the data collection; production and distribution is a responsibility of the sponsoring vendor. • The t-shirt ... to produce those items. Thank you! Aizhamal Nurmamat kyzy, Program manager, Google Open Source; María Cruz, Program manager, Google Open Source | 23 pages | 3.18 MB | 1 year ago
Istio Traffic Management Principles and Protocol Extension, Zhao Huabing. ... any IP (wildcard) and port 9080 are forwarded to the 0.0.0.0_9080 outbound listener. 5. According to the http_connection_manager filter configuration of the 0.0.0.0_9080 listener, the request is dispatched using the 9080 route. 6. In the 9080 route configuration, requests with host name reviews:9080 map to the cluster ... The VirtualInbound listener listening on that port receives the request. 11. According to the match conditions, the request is handled by the HTTP connection manager filter configured inside the VirtualInbound listener; its route configuration sends the request to the inbound|9080|http|reviews.default.svc.cluster.local inbound cluster ... Current state of Istio protocol support • L7 service governance – service discovery (by logical service name) – load balancing, retries and circuit breaking driven by application-protocol error codes – routing on L7 protocol metadata (the called service name, method name, etc. of an RPC protocol) – fault injection (RPC-protocol-level error codes) – metrics for RPC calls (call count, failure rate, etc.) – tracing • | 20 pages | 11.31 MB | 6 months ago
Istio Meetup China: Service Mesh Security, Understanding Istio CNI. Zhang Zhihan, Tetrate engineer / Istio community Release Manager. About me: Istio 1.10 Release Manager, Istio Community, 2021-Present; GetMesh (GetIstio) core contributor, Istio Community. ... Could happen on suddenly scaled-up nodes and preemptible nodes, bypassing all iptables rules set for the data plane proxies. Troubleshooting Istio CNI: check the istio-proxy container through nsenter; check the CNI ... | 19 pages | 3.17 MB | 1 year ago
Preserve Original Source Address within Istio. Proxy Protocol: client, server; establish TCP connection; Proxy Protocol binary header; application data. The client and server side must support Proxy Protocol simultaneously. The client here can be ... configuration: use_remote_address: Envoy will only append to XFF if the use_remote_address HTTP connection manager option is set to true and skip_xff_append is set to false. xff_num_trusted_hops: if use_remote_address ... | 29 pages | 713.08 KB | 1 year ago
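The two HTTP connection manager options named in that deck, use_remote_address and xff_num_trusted_hops, decide which address Envoy (and so an Istio gateway) records as the client. The following is an added example, not code from the "Preserve Original Source Address within Istio" deck or from Envoy: a pure-Python simulation of the client-address selection rules as documented for Envoy's HTTP connection manager. All addresses and the proxy chain are constructed; HcmXffConfig and the demo functions are names chosen here, not Envoy APIs.

```python
# Added example (not from the deck above, not Envoy code): simulate how the
# Envoy HTTP connection manager picks the "trusted client address" from
# X-Forwarded-For (XFF) under use_remote_address / xff_num_trusted_hops.
# Addresses and the proxy chain below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HcmXffConfig:
    """Subset of HCM settings that affect XFF handling (names chosen here)."""
    use_remote_address: bool = False
    xff_num_trusted_hops: int = 0
    skip_xff_append: bool = False


def parse_xff(header: Optional[str]) -> List[str]:
    """Split an XFF header into addresses, left (oldest) to right (newest)."""
    if not header:
        return []
    return [a.strip() for a in header.split(",") if a.strip()]


def trusted_client_address(remote_addr: str, xff: Optional[str],
                           cfg: HcmXffConfig) -> Tuple[str, str]:
    """Return (trusted client address, XFF as forwarded upstream).

    Rules as documented for Envoy's HCM "x-forwarded-for" handling:
      * use_remote_address=false: trust the rightmost XFF entry; with
        xff_num_trusted_hops=N, take the (N+1)th entry from the right.
      * use_remote_address=true: the TCP peer is the trusted address and is
        appended to XFF (unless skip_xff_append); with xff_num_trusted_hops=N>0
        take the Nth entry from the right instead.
      * Too few XFF entries: fall back to the TCP peer address.
    """
    addrs = parse_xff(xff)
    n = cfg.xff_num_trusted_hops
    idx = n if cfg.use_remote_address else n + 1  # position from the right
    if idx >= 1 and len(addrs) >= idx:
        client = addrs[-idx]
    else:
        client = remote_addr
    forwarded = addrs[:]
    if cfg.use_remote_address and not cfg.skip_xff_append:
        forwarded.append(remote_addr)
    return client, ", ".join(forwarded)


def spoof_demo() -> Tuple[str, str]:
    """Client connected directly to the edge proxy sends a forged XFF.

    With use_remote_address=false the forged value is accepted as the client;
    with use_remote_address=true the TCP peer address wins.
    """
    attacker_peer = "203.0.113.7"   # constructed attacker address
    forged_xff = "10.0.0.1"         # forged "internal" address
    weak = HcmXffConfig(use_remote_address=False)
    strong = HcmXffConfig(use_remote_address=True)
    seen_weak, _ = trusted_client_address(attacker_peer, forged_xff, weak)
    seen_strong, _ = trusted_client_address(attacker_peer, forged_xff, strong)
    return seen_weak, seen_strong


def chain_demo() -> Tuple[str, str]:
    """Client -> trusted load balancer -> Envoy, one trusted hop.

    The load balancer appends the real client to XFF and opens the connection
    to Envoy, so Envoy must skip its own peer (the LB) and use the entry the LB
    wrote: that is exactly use_remote_address=true, xff_num_trusted_hops=1.
    """
    client, lb = "192.0.2.44", "198.51.100.10"
    cfg = HcmXffConfig(use_remote_address=True, xff_num_trusted_hops=1)
    return trusted_client_address(lb, client, cfg)


def overtrust_demo() -> Tuple[str, str]:
    """Same chain, but the attacker forges an XFF entry before reaching the LB.

    The LB appends the attacker's address after the forged one. With the
    correct hop count (1) Envoy sees the attacker; counting one hop too many
    (2) makes Envoy believe the forged address.
    """
    attacker, lb = "203.0.113.7", "198.51.100.10"
    xff_from_lb = "10.0.0.1, " + attacker
    right = HcmXffConfig(use_remote_address=True, xff_num_trusted_hops=1)
    wrong = HcmXffConfig(use_remote_address=True, xff_num_trusted_hops=2)
    return (trusted_client_address(lb, xff_from_lb, right)[0],
            trusted_client_address(lb, xff_from_lb, wrong)[0])


if __name__ == "__main__":
    print("direct client, forged XFF (weak, strong):", spoof_demo())
    print("one trusted LB hop:", chain_demo())
    print("hop count right vs. one too many:", overtrust_demo())
```

The practical check this encodes: set xff_num_trusted_hops to exactly the number of proxies you control in front of the gateway, never more, and keep use_remote_address=true on an edge listener; any policy (rate limits, allow-lists, audit logs) keyed on the client address is only as trustworthy as that count.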
IstioCon 2021 Report. ... America 1.5%, from Oceania ... Participant demographics: 20.4% of attendees were CxO / Engineering manager / Tech Lead; 43.8% of attendees were either evaluating Istio for production use or have tried ... (Tetrate), Member; Zhonghu Xu (Huawei). The team (3/3): Event Production (Software Guru): Event Manager Mara Ruvalcaba; Content Coordination Pedro Galván; Streaming and website Alberto Rodríguez; Streaming Luis Sánchez; Streaming Uriel García. #IstioCon. María Cruz, Program manager, mpcruz@google.com; Aizhamal Nurmamat kyzy, Program manager, aizhamal@google.com. Thank you! | 18 pages | 912.89 KB | 1 year ago
IstioCon 2022 Report. Where did people join from? Participant demographics: 28% of attendees were CxO / Engineering manager / Tech Lead; 57% of attendees were either evaluating Istio for production use or have tried ... (Solo.io), Member; Alex Bush (Google). The team (3/3): Event Production (Software Guru): Event manager Mara Ruvalcaba; Content coordination Pedro Galván; Streaming and website Alberto Rodríguez; Streaming ... | 20 pages | 2.44 MB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices. ... tests • What is our solution? – Leverage the Istio sidecar to listen to API traffic data and create tests from the data – 10x speed in creating API tests • Can also be sped up by just navigating the application UI – Create E2E tests, component tests and service tests from the same data • Key product benefits (#releases, #rollbacks, MTTR, #bugs-in-production, reduced engineering effort for testing, velocity) ... (diagram: Proxy, Proxy, Service B, Service C, Proxy, Mesh Dynamics Data Store). Deploy: kubectl apply -f ... Capture using a Lua filter: all API data + TraceIDs. Assemble API request traces | 21 pages | 1.09 MB | 1 year ago