requests for services run from other namespaces, while leveraging the ingress gateway’s handling of TLS secrets. It is worth noting that the current behavior runs counter to the Gateway documentation, which states and other process information about Pilot. This has a risk of containing certificates, keys, and secrets used by Pilot at runtime. This web interface also allows unauthenticated users to force force all enabling the workload container to claim its ports. 7https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external- services 27 | Google Istio Security Assessment

used on top of Kubernetes. It offers users easy access to features such as observability, traffic management and security without requiring users to add these to their application code. It also offers more ● Certificate management ● Authentication ● Authorization ● Policy Enforcement Points (PEPs) ● A set of Envoy proxy extensions to manage telemetry and auditing Certificate management Alongside each satisfied because the build can access secrets from the build service, where SLSA requirements state that: “It MUST NOT be possible for a build to access any secrets of the build service”. The Build requirements

TSB: The Application-Aware Networking Platform Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload Architecture ● Multi cluster ● Multi mesh ● Components ○ Management plane ○ Global control plane ○ Local control plane TSB Management Plane ● Front Envoy ● Multi Cluster support ● XCP Central -> Flow 1. Creating cluster object 2. Deploy Operators: Control plane & data plane 3. Configuring Secrets 4. Installing control plane TSB Control Plane Pods ● Operators: Istio, Onboarding, TSB, XCP

complexity ○ Need consistent policy enforcement ○ Need consistent metrics aggregation ● Traffic management ○ Load balancing for VMs, failover, A/B testing, modern rollouts for VM services ● Security Pilot, Mixer and CA ○ Generate configs for VMs, incl. `cluster.env`, DNS config, Istio authN secrets etc. ○ Setup dnsmasq, Istio components in the VM and verify functionality ○ Configure sidecar workload certificate attributes #IstioCon Security & Usability Limitations (cont.) ● Access management: CNI needs improvements ○ Much required to avoid escalated Pod privileges ○ No support for smart

benefits: Focus on code Scale to zero Quick entry to serverless computing … … traffic management observability security … Knative design based on knative.dev #IstioCon r How Istio is leveraged it uses Istio as an Ingress Gateway. • Enable Secret Discovery Service (SDS) to monitor and mount secrets under istio-system to ingress gateway which contains credentials for https support of multi tenants

5,2 million nais.io github.com/nais CD CD metrics alerts deploy cache events logs secrets storage runtime app dev prod dev prod internal external liveness: … } ingresses: - app.dev-gke.nais.io egresses: - svc-not-in-mesh.nav.local secrets: true accessPolicy: inbound: - name: consumer-a app apiVersion: "nais liveness: … } ingresses: - app.dev-gke.nais.io egresses: - svc-not-in-mesh.nav.local secrets: true accessPolicy: inbound: - name: consumer-a nais.yaml cluster kubectl apply

• Sidecar Injection: 注入initContainer, Sidecar, istio-certs volume • Citadel: 自动刷新secrets, k8s自动加 载istio-secrets volume • Pilot: 和Sidecar建立连接，管理动态配 置 • Mixer: 和Sidecar建立连接，管理授权 、Quota和审计数据 • Istio的架构和基本原理

u证书过期证书生成 ü生成root-cert.pem ü生成cert-chain.pem ü生成key.pem证书挂载 üICA以Name为istio.default在k8s创建Secrets对象 ü应用服务获取Secrets对象证书，并挂载到/etc/certs • volumeMounts: • - mountPath: /etc/certs/ • name: istio-certs • readOnly:

option • NET_RAW and NET_ADMIN • Traffic failures due to init restarts (#16768) 2. Be careful with secrets rotation 1. Hot restarts for TCP-traffic 2. Root certificate reissue (#14516) 3. Istio Discovery

Mesh 中的七层流量管理能力 ❏ 几种扩展 Istio 流量管理能力的方法 ❏ Aeraki - 在 Isito 服务网格中管理所有七层流量 ❏ Demo - Dubbo Traffic Management ❏ MetaProtocol - Service Mesh 通用七层协议框架 #IstioCon Protocols in a Typical Microservice Application Database: mySQL, PostgreSQL, MongoDB ... ● Other Layer-7 Protocols: ... Control Plane (Traffic Management, Security, Observability) #IstioCon What Do We Expect From a Service Mesh? 为了将基础设施的运维管理从应用代码中剥离，我们需要七层的流量管 Header Layer-7 Header Data Traffic Management for HTTP/gRPC - all good ● We get all the capabilities we mentioned on the previous slide Traffic Management for non-HTTP/gRPC - only layer-3 to layer-6