Preserve Original Source Address within Istio
#IstioCon Preserve Original Source Address within Istio Zhonghu Xu @hzxuzhonghu #IstioCon About me Zhonghu Xu: an open source engineer from Huawei Cloud. - GitHub: https://github.com/hzxuzhonghu com/hzxuzhonghu - Istio steering committee member - Istio Core Maintainer & Contributor - Open source enthusiastic, previously Kubernetes active contributor and Volcano maintainer #IstioCon Agenda 1. TCP Original every connection with a header reporting the client IP address and port. A PROXY Protocol plain-text header has the format: PROXY TCP4 192.0.2.0 192.0.2.255 42300 443\r\n Proxy Protocol v2 #IstioCon
0 credits | 29 pages | 713.08 KB | 1 year ago
Secure your microservices with istio step by step
dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' -r | base64 -d | openssl x509 -noout -text -in - ● Part of cluster config in envoy config-dump ○ kubectl exec-c istio-proxy curl lo it ○ If server has a sidecar and allows mTLS, send mTLS – reviews-v1 & v3 ○ Otherwise, send plain text – reviews-v2 ● Server side will be in PERMISSIVE mode by default #IstioCon mTLS in Istio - PeerAuthentication server sidecar will accept ● PERMISSIVE: accepts for both plain text and mTLS ● STRICT: accepts only mTLS ● DISABLE: accept only plain text ● UNSET: inherit from parent, default to PERMISSIVE if no set
0 credits | 34 pages | 67.93 MB | 1 year ago
Istio Security Assessment
Synopsis In the summer of 2020, Google enlisted NCC Group to perform an assessment on the open-source version of Istio and all of its components. Istio is a modern service mesh technology stack often environment was deployed following Istio Documentation using istioctl. The assessment included many open source components that were actively being updated during testing so testers used the latest release at Local Test Environment Consultants 4 Level of Effort 50 person days Targets istio/istio Istio Source code in the master branch up to July 15th, 2020. Commit: 7353c84b560fd469123611476314e4aee553611d
0 credits | 51 pages | 849.66 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
PRESENTS Istio Security Audit In collaboration with the Istio projects maintainers and The Open Source Technology Improvement Fund, Inc (OSTIF). ostif.org Authors Adam Korczynski Engineering Leader ajayaram@google.com Andrea Ma Software Engineer ayma@us.ibm.com Craig Box VP of Open Source and Community craigb@armosec.io Didier Grelin Sr. Technical Program Manager dgrelin@google.com cause harm they are not supposed to have permission to cause. Contributors to Istio Istio is an open source project that accepts contributions from any user, vulnerabilities could be introduced innocently
0 credits | 55 pages | 703.94 KB | 1 year ago
Using ECC Workload Certificates (pilot-agent environmental variables)
tlsCertificate.certificateChain.inlineBytes' | \ sed 's/"//g' | base64 --decode | openssl x509 -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: … Signature
0 credits | 9 pages | 376.10 KB | 1 year ago
Analysis of Istio Control Plane Component Principles
Kubernetes Example source.id string Platform-specific unique identifier for the source workload instance. kubernetes://redis-master-2353460263-1ecey.my-namespace source.ip ip_address Source workload instance IP address. 10.0.0.117 source.labels map[string, string] A map of key-value pairs attached to the source instance. version => v1 destination.port int64 The recipient port on the server
0 credits | 30 pages | 9.28 MB | 6 months ago
Is Your Virtual Machine Really Ready-to-go with Istio?
Http3 Full Stack Fest, Daniel Stenberg HTTP/2 HTTP/3 Transport TCP QUIC Streams HTTP/2 QUIC Clear text version Yes No Independent streams No Yes Header compression HPACK QPACK Server push Yes Yes Early
0 credits | 50 pages | 2.19 MB | 1 year ago
Canary Release Practice for Kubernetes Container Applications Based on Istio
istio-system spec: value: response.duration | "0ms" dimensions: source_service: source.service | "unknown" source_version: source.labels["version"] | "unknown" destination_service: destination.service
0 credits | 38 pages | 14.93 MB | 1 year ago
Canary Release Practice for Kubernetes Container Applications Based on Istio
istio-system spec: value: response.duration | "0ms" dimensions: source_service: source.service | "unknown" source_version: source.labels["version"] | "unknown" destination_service: destination.service
0 credits | 34 pages | 2.64 MB | 6 months ago
IstioCon 2021 Report
microservices with Istio step by step Best practice: from Spring Cloud to Istio Preserve original source address within Istio Performance tuning and best practices in a Knative based, large-scale Feb. 87% Of Istio users are new users at the end of February 2021. Impact for the project Source: http://eng.istio.io/ The team (1/3) Organizer’s Committee Co-lead Aizhamal Nurmamat kyzy (Google)
0 credits | 18 pages | 912.89 KB | 1 year ago