Istio Security Assessment
for Integrity 009 Medium Go Trace Profiling Enabled By Default 013 Medium Permissive Kubernetes RBAC within a Namespace 015 Medium Default Sidecar Image Not Hardened 001 Low The Sidecar Does Not Use a Kubernetes cluster. This would also enable hostnames to be more easily protected via Kubernetes' RBAC. Regardless, care should be taken with how canonicalization and prioritization between Hostnames | Google Istio Security Assessment Google / NCC Group Confidential Finding Permissive Kubernetes RBAC within a Namespace Risk Medium Impact: Medium, Exploitability: Low Identifier NCC-GOIST2005-0150
51 pages | 849.66 KB | 1 year ago
Service mesh security best practices: from implementation to verification
Prevention Certificate Authority K8s Network Policy K8s RBAC Audit Logging Image Verification Admission Control Workload Identity K8s RBAC K8s CNI AuthZ Policy Peer AuthN Policy KMS Control Service 2 Proxy Namespace foo Istio authn & authz policies Namespace bar 2. Enforce k8s RBAC policies: roles bound to namespace, only mesh admins are allowed to have ClusterRole. 1. Use status. Lifecycle of service mesh security Edge Cluster Workload Operation GitOps Gatekeeper RBAC Audit log Metrics Security testing tools Security dashboard Prometheus Kiali Security Lifecycle
29 pages | 1.77 MB | 1 year ago
IstioCon2023 Welcome Keynote
Keynote 7:30 Ambient As Managed Infra 9:25 Roadmap Update 9:35 Pre-Sail Checks 10:10 Fine Grained RBAC + NGAC 9:25 Schedule Preview Istio Fault Tolerance 11:25 Ambient Q&A 10:50 Istio Feature Gates
14 pages | 1.31 MB | 1 year ago
Istio in production
app app app app app app app app app app app Kubernetes Network Policy Istio RBAC naiscar Lessons learned What's next? @nais_io @linemoseng @j_hrv
42 pages | 3.45 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
place that bootstrap certificate on the VM ■ Dependency on K8s API server ■ Requires creating an RBAC impersonation rule for each user ■ Private key and CSR generation limited to Istio agent (no support
50 pages | 2.19 MB | 1 year ago
5 results in total (page 1)