Istio Security Assessment
Security Related Documentation: 016 (High) Lack of VirtualService Gateway Field Validation Enables Request Hijacking; 017 (High) Ingress Gateway Configuration Generation Enables Route Hijacking; 023 (High) … Pilot … Google / NCC Group Confidential. Finding: Lack of VirtualService Gateway Field Validation Enables Request Hijacking. Risk: High (Impact: High, Exploitability: Medium). Identifier: NCC-GOIST2005-017. Category: … intercept requests for services run from other namespaces, while leveraging the ingress gateway's handling of TLS secrets. It is worth noting that the current behavior runs counter to the Gateway documentation …
0 码力 | 51 pages | 849.66 KB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
… requests made on an h2c connection, which could lead to a denial of service scenario if a large request was sent. This is a vulnerability; however, to be vulnerable, users would need the MultiplexHTTP … H2c requests, which is: "The first request on an h2c connection is read entirely into memory before the Handler is called. To limit the memory consumed by this request, wrap the result of NewHandler in an http.MaxBytesHandler." John found that when the recommended MaxBytesHandler was used, the request body was not fully consumed, meaning that when a server attempts to read HTTP2 frames from the connection …
0 码力 | 55 pages | 703.94 KB | 1 year ago

Secure your microservices with istio step by step
… Access productpage. Istio Identity: Istiod, Istio Agent, Envoy. 1. Start Envoy; 2. Request Cert (SDS); 3. CSR Auth: JWT; 4. Cert signed with SPIFFE format. Istio-proxy, CA server. Server-side mTLS: mTLS in Istio - PeerAuthentication. Using ingress port and ingress host to send request: can access reviews-v1, reviews-v2 and reviews-v3; can reach v2 as peer-authentication only defines client-side mTLS. mTLS in Istio - Destination rule. Using ingress port and ingress host to send request: can access reviews-v1, reviews-v3; cannot access reviews-v2 since we have enabled ISTIO_MUTUAL …
0 码力 | 34 pages | 67.93 MB | 1 year ago

Your laptop as part of the service mesh
… EnvoyFilter. Envoy HTTP LuaFilter: function envoy_on_request(request_handle), function envoy_on_response(request_handle). Who and where to reroute? The contract: … 12:8001" } Accept: */* … Pseudo implementation (excerpt; the middle lines are not shown in the snippet):
function envoy_on_request(request_handle)
contract = request_handle:headers():get("x-devroute")
if string.match(contract, "foo") == nil
…
address = contract["foo"]
headers = request_handle:headers()
-- send the request somewhere else
response = request_handle:httpCall(address,headers,..)
-- respond immediately
0 码力 | 30 pages | 555.24 KB | 1 year ago

Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
… types of tests with low effort. What we need: End-to-end, Component, Service. Request, Response, API mocks, Assertion rules, Context rules; Test Driver; Test environment. Capture using Lua filter: all API data + TraceIDs. Assemble API request traces: Service A, Proxy, Proxy, Service B, Service C, Proxy; req[A->B], trace:r, span:s1; res[A …]; req[B->C]. Construct request trace. At this point, we have: full trace of every request from the gateway; complete request and response data for every API request in a trace. From …
0 码力 | 21 pages | 1.09 MB | 1 year ago

How HP set up secure and wise platform with Istio
… External Authorization. Secure Platform – JWT Verify: using request authentication policy to verify end-user JWT easily. Secure Platform – mutual TLS: using … enables access control on workloads in the mesh. For requests from the ingress gateway, the token must be verified; for requests from the same tenant, allow; for requests from another tenant, do not allow. Secure Platform …
0 码力 | 23 pages | 1.18 MB | 1 year ago

探讨和实践基于Istio的微服务治理事件监控
… Kubernetes console, search & analysis, Prometheus TSDB. Improved architecture based on correlating requests and logs: A Agent, B Agent, C Agent; Request (Transaction ID); A (application); Transaction ID (CA SDK support); TOM (who), Create a checklist (action), 2018-0930 (time); log output. Get the corresponding logs for a single request by transaction ID: Request (Transaction ID). Basic principles of the Java probe: A.class, Request, Response, JVM, Class Loader, Engine, Agent …
0 码力 | 29 pages | 8.37 MB | 5 months ago

Istio-redirector: the way to go to manage thousands of HTTP redirections
… to an Istio VirtualService file. Golang service: convert .csv to VirtualService; open Pull Request on GitHub; fetch info from Kubernetes cluster; expose an API to be used with REST or a CLI. … files and generates the Istio VirtualService files. Then, it automatically creates the Pull Request on GitHub on our GitOps repo. How does it work? Creating the .csv; importing the …
0 码力 | 13 pages | 1.07 MB | 1 year ago

Set Sail for a Ship-Shape Istio Release
… whether a pull request has user-facing changes. If it does, the developer can easily add a release note. If it doesn't, then the developer can check a box and the pull request will merge.
0 码力 | 18 pages | 199.43 KB | 1 year ago

Istio控制平面组件原理解析
… port (int64): the recipient port on the server IP address, e.g. 8080. request.time (timestamp): the timestamp when the destination receives the request. This should be equivalent to Firebase "now". Raw reported data: req …
0 码力 | 30 pages | 9.28 MB | 5 months ago
21 results in total