#IstioCon Istio Project Update Lin Sun @linsun_unc #IstioCon Speaker Intro #IstioCon Istio Community Number of contributors last 12 months: 350+ contributing companies 500+ PR authors 1900+

Arun Kumar R Prepared by Mark Manning Jeff Dileo Divya Natesan Andy Olsen Feedback on this project? https://my.nccgroup.com/feedback/67b627f7-a0a2-43b7-ad68-af515a9ed2e0 Executive Summary Synopsis five weeks along with the help of multiple shadows (provided at no additional cost) worked on the project in tight partnership with Google’s Istio subject matter experts. Scope NCC Group’s evaluation of user or application would not be able to tell the difference between the legitimate and malicious files based on the hash. The following hash functions are not considered cryptographically secure and should

Security Audit, 2023 Table of contents Table of contents 1 Executive summary 2 Notable findings 3 Project summary 4 Audit scope 6 Overall assessment 7 Fuzzing 9 Threat model 11 Issues found 17 Review Executive summary In September and October 2022 Ada Logics carried out a security audit of the Istio project. The audit was sponsored by the CNCF and facilitated by OSTIF as a step towards graduation for Istio team who fixed the vulnerability and assigned it CVE-2022-41721. 3 Istio Security Audit, 2023 Project summary Ada Logics auditors Name Title Email Adam Korczynski Security Engineer Adam@adalogics

Horizon Platform HP has lots of projects, deployed on cloud. They have common features, also have project specified feature. We provide a common platform includes all common features, connect all projects Common services are in core cluster Projects shared solution cluster • Different namespace • Project runs as tenant, need control rights Solution cluster connect core cluster with Istio multi-cluster traffic in a configurable set of formats #IstioCon Excellent Observability - Access logs Log Files Parse Istio-proxy Log • Each API Access Count • Each API Fail Rate • Each API Latency Easy to

configuration Deploy to production 1 4 2 3 Istio-redirector takes the .csv files and generates the Istio VirtualService files. Then, it automatically creates the Pull Request on GitHub on on our csv Importing the file Generating the Istio configuration Deploy to production 1 2 3 4 The files are reviewed, merged and deployed! How does it work ? #IstioCon >26k redirections are now running

majority of participants agree that they had enough information about the future of Isito project. Most participants felt empowered to use Istio after attending the conference. “It was an hour fun! Impact for the project 23% Audience growth on Twitter, which is 10 percentile points higher than other conference months. 18.6% New users to the project from beginning of Jan to to end of Feb. 87% Of Istio users are new users at the end of February 2021. Impact for the project Source: http://eng.istio.io/ The team (1/3) Organizer’s Committee Co-lead Aizhamal Nurmamat

specific developments in the project. Participant feedback The majority of participants agree that they had enough information about the future of Istio project. Most participants felt empowered fun time and teamwork, where participants solve together different challenges. Impact for the project 1,818 New followers on Twitter since event was announced (January to date). 383,428 Twitter 81% Of Istio.io users were first-time users during the month of April 2022. Impact for the project Source: http://eng.istio.io/ The team (1/3) Program Committee Co-lead Lin Sun (Solo.io) Co-lead

private-key and certificate pairs • Private keys and certificates are stored in keystore and truststore files in JKS or PKCS12 or PEM format Challenges – Kafka broker SSL with client auth 5 • Certificate truststore regeneration • Broker pods need restarting to pick up the modified keystore and truststore files • May cause service degradation Challenges – Certificate renewal 6 • Client certificates has be

leveraged for Net-istio is A Knative ingress controller for Istio. Knative is an open source project which provides a set of components (Serving and Eventing) that introduce event-driven and serverless capacity. In Istio 1.5.4: Istio scalability optimization during Knative Service provisioning Project Component CPU MEM HorizontalPodAutoscaler (HPA) request limit request limit Istio (1.7.3) istio-

Service config. ● Hard to manage when having hundreds of services. #IstioCon Abstracting to proto files Annotations API definition Greeting service example #IstioCon Please Build System ● https://github