case: Telco & Edge computing ○ where VMs play a crucial role now and later ○ where service mesh is a key paradigm for solving challenges [1] ■ Traffic steering (network slicing) ■ Fault injection (resilience pick extensions) [1] Service Mesh use cases for Telco and Edge – Google, ServiceMeshCon NA 2020 Key Drivers [1] #IstioCon What Do We Need Else to Augment Istio? ● Strong security and privacy guarantees Dependency on K8s API server ■ Requires creating an RBAC impersonation rule for each user ■ Private key and CSR generation limited to Istio agent (no support of other provisioner tools and HSM incompatible)

c51fe751a17441b5ab3f5487c37e129e44eec823 • github.com/istio/istio.io – 26dacdde40968a37ba9eaa864d40e45051ec5448 Key Findings • There was a lack of validation on the VirtualService Gateway fields that could allow route Exposure 3 Data Validation 2 Component Breakdown Istio 10 Istio Sidecar 3 Istioctl 2 Pilot 3 Key Critical High Medium Low Informational 3 | Google Istio Security Assessment Google / NCC Group Confidential { return fmt.Errorf( "the input private key, cert chain, and root cert are nil") } if privateKey != nil { if err := ioutil.WriteFile(path.Join(dir, "key.pem"), privateKey, 0777); err != nil { return

结构封包 6. 将请求发送给 Upstream L7 filter 共享数据结构： ● Metadata： decode 时填充的 key:value 键值对，用于 l7 filter 的处理逻辑中 ● Mutation：L7 filter 填充的 key:value 键值对，用于 encode 时修改请求数据包 #IstioCon MetaProtocol: 响应处理路径 处理流程： 结构封包 6. 将响应发送到 Downstream L7 filter 共享数据结构： ● Metadata： decode 时填充的 key:value 键值对，用于 l7 filter 的处理逻辑中 ● Mutation：L7 filter 填充的 key:value 键值对，用于 encode 时修改响应数据包 #IstioCon MetaProtocol：流量管理示例（Canary ry + Header Mutation） ● 路由规则协议无关：七层协议名是路由规则中的字段值，而不是字段名称 ● 采用通用的 key:value 键值对来配置路由匹配条件 #IstioCon Aeraki 后续开源计划 ● Istio 增强工具集 ○ 协议扩展：Dubbo、Thrift、Redis、 MetaProtocol ○ 性能优化：LazyXDS ○ 注册表对接：dubbo2istio、consul、

SDS/CDS/RDS/LDS/HDS/ADS/KDS 和Google强强联手 官方博客：The universal data plane API缓存Istio和k8s配置 ü一个小型的非持久性key/value数据库 ü借助k8s.io/client-go建立缓存 ü缓存Istio：route-rule，virtual-service，gateway等 ü缓存k8s：node，Servi ip_address Source workload instance IP address. 10.0.0.117 source.labels map[string, string] A map of key-value pairs attached to the source instance. version => v1 destination.port int64 The recipient 使用主题订阅模式，减少阻塞问题Istio_Ca——安全证书管理（ICA） u证书生成 u证书挂载 u证书过期证书生成 ü生成root-cert.pem ü生成cert-chain.pem ü生成key.pem证书挂载 üICA以Name为istio.default在k8s创建Secrets对象 ü应用服务获取Secrets对象证书，并挂载到/etc/certs • volumeMounts:

Problem In the case of Inbound, 4-tuple key may conflict due to same src/dst ip address #IstioCon Use pod ip as hash key Use pod_ip to generate a unique key is a way to distinguish socket from different

sha256WithRSAEncryption … Subject: Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: …

#IstioCon Developer (service owner) Platform owner Mesh operator (could be your cloud provider) 3 Key Personas install verify-install upgrade Istio simplify install helm3 #IstioCon Pilot Mixer Citadel

cross-cluster interaction between client apps and Kafka Security goals 4 • Kafka brokers require private-key and certificate pairs • Private keys and certificates are stored in keystore and truststore files

Istio from PoC to production Igor Gustomyasov, Sber Maksim Chudnovskii, IBM Sber position across key areas Best client experience Technological leadership In financial services 98+ mn retail clients

#IstioCon IstioCon 2021 Report By María Cruz and Aizhamal Nurmamat kyzy #IstioCon Key metrics 4,021 Registrants 84 Countries 4.4/5 Satisfaction score 2,836 Unique livestream viewers