bounds file writes. https://github.com/istio/istio/blob/d0705cf0ed5591cc26c08001f3faab0a880aec48/operato r/pkg/util/tgz/tgz.go#L70 70 71 72 73 74 75 76 77 78 79 80 81 82 83 func Extract(gzipStream io.Reader is not closed: https://github.com/istio/istio/blob/d0705cf0ed5591cc26c08001f3faab0a880aec48/operato r/pkg/util/tgz/tgz.go#L107 103 104 105 106 107 108 109 110 outFile, err := os.Create(dest) if err != 8f08be06ee5f854b30e44da3523992e41/pkg/wasm /imagefetcher.go#L244 244 func extractWasmPluginBinary(r io.Reader) ([]byte, error) { 26 Istio Security Audit, 2023 245 246 247 248 249 250 251 252 253

tests from API usage Learnt by Mesh API Studio Third-party apps Manual QA trace: r trace: r trace: r trace: r CI Pipeline | CONFIDENTIAL 9 Process flow using Istio Deploy Lua filters (kubectl Service B Service C Proxy req req[A B], trace:r, span:s1 res[A B], trace:r, span:s1 req[B C], trace: r, parent_span: s1 res[B C], trace: r, parent_span: s1 req req[A->B] from API traffic Created by Mesh API Studio Third-party apps Manual QA trace: r trace: r trace: r trace: r CI Pipeline | CONFIDENTIAL 16 ML-assisted Context Rule Learning createProduct(…):

Istio Security Assessment Google August 6, 2020 – Version 1.1 Prepared for Arun Kumar R Prepared by Mark Manning Jeff Dileo Divya Natesan Andy Olsen Feedback on this project? https://my.nccgroup TrimSpace(chunk) if len(chunk) == 0 { continue } r, err := ParseChunk(chunk) if err != nil { log.Errorf("Error processing %s[%d]: %v", path, i, err) continue } if r == nil { continue } resources = append(resources append(resources, &resource{BackEndResource: r, sha: sha1.Sum(chunk)}) } return resources } • istio/istio/pkg/mcp/creds/pollingWatcher.go (line 189) // getHashSum is a helper func to calculate sha1 sum. func

POD POD POD POD S E R V I C E (Load balancer) www.my-application.com External Traffic 75% 25% Deployment Canary Releases Using Kubernetes Deployment POD POD POD S E R V I C E (Load balancer) External Traffic POD 50% 50% Deployment Canary Releases Using Kubernetes Deployment POD S E R V I C E (Load balancer) www.my-application.com External Traffic POD POD 0% 100% Deployment Deployment Across application Layers Deployment POD POD S E R V I C E (Load balancer) www.my-application.com External Traffic 75% 25% POD POD POD POD S E R V I C E (ClusterIP) 75% 25% POD POD Cross-version

locations across globe peering with the Internet closer to the customer ○ PoPs are mini AZs Region R1 AZ 1 AZ 2 AZ n Data Center DC1 Region Rn #IstioCon Application Deployment: Cloud Layout ● Multiple scenario Region R1 AZ 1 AZ 2 AZ n Data Center DC1 K8s Cluster K8s Cluster K8s Cluster K8s Cluster K8s Cluster K8s Cluster Region Rn #IstioCon Application Specs Region R1 Application specs ● Standardization provides flexibility to switch backend implementations to software Region R1 AZ 1 AZ 2 AZ n Data Center DC1 K8s Cluster K8s Cluster K8s Cluster K8s Cluster AZ

Training and Certification Collaboration with NIST ● Author SP 800-204 series on microservice security ● R&D on Next Generation Access Control (NGAC) ● Exclusively co-host annual zero trust multi-cloud conference

A PROXY Protocol plain-text header has the format: PROXY TCP4 192.0.2.0 192.0.2.255 42300 443\r\n  Proxy Protocol v2 #IstioCon Proxy Protocol client Server Establish TCP connection Proxy Protocol

(Service, Endpoints, Pod) 用户 Istio & Kubernetes：统一服务发现 Pilot ServiceController( Kube) DiscoveryServe r clientset Envoy Envoy KubeApiServ er List/Watc h 1. Controller实现ServcieDiscovery 若干服务发现的接口定义 2

Endpoints, Pod) 用户13 Istio & Kubernetes：统一服务发现 Pilot ServiceController( Kube) DiscoveryServe r clientset Envoy Envoy KubeApiServ er List/Watc h 1. Controller实现ServcieDiscovery 若干服务发现的接口定义 2

实际示例中用到的Envoy Filters 端口9080 监听 envoy.filte rs.network .metadata _exchange envoy.http _connectio n_manage r Cluster Productp age服务 Filter Chain envoy.filters.ht tp.wasm/envo y.wasm.metad ata_exchange Istio_authn