Networking controls allowing inbound and outbound access of Istio services. • Istio Envoy Usage: The configuration and implemen- tation of Envoy within Istio (NOTE: Envoy itself was not part of the assessment) did not appear to be possible to secure the control plane either by the controlPlaneSecuri ty configuration directive or other means. This left all default services exposed within the cluster. • The default Istio sidecar and would allow a malicious workload to override or compromise their own Istio configuration. Strategic Recommendations • Build opinionated profiles for security: Istio allows a variety

K8s Cluster K8s Cluster #IstioCon Step 2: Replace Hardware LBs with Software K8s API Server NLB Controllers Istiod Network Load Balancer (NLB) Network Load Balancer (NLB) Ingress Gateway Request Traffic Response Traffic Specs synced from Federated Access Point L4 Configuration L7 Route Configuration watch Client Traffic tunneled to Ingress Gateways One Istio Deployment per Primary-Remote configuration within an AZ AZ AZ Cluster Ingress Gateways API Server Istiod East-West Gateway watch API Server Pods, Services Workload Cluster API Server Pods, Services

CSR Auth: JWT 4. Cert signed with SPIFFE format Istio-proxy CA server #IstioCon Istio identity – how to get configuration ● Format: "spiffe:///ns//sa/” #IstioCon Istio identity – check configuration result ● Result: cert generated automatically with Istio identity 1) Apply peer-authentication to enable server side mTLS mTLS in Istio - PeerAuthenticati peer-authentication only defines behavior of server side and auto-mTLS is on by default Access productpage 1) Apply peer-authentication to enable server side mTLS mTLS in Istio - PeerAuthenticati

filter. LDS with AwesomeRPC filter EnvoyFilter is an Istio configuration CRD, by which we can apply a “patch” to the Envoy configuration generated by Pilot. #IstioCon EnvoyFilter Example - Dubbo Traffic proxy in the outbound listener Replace TCP proxy in the inbound listener client Server v1 30% 70% Server v2 9090 9090 #IstioCon EnvoyFilter is Powerful, But ... It’s very difficult if HTTP and gRPC. You can think of Aeraki as the “Controller" to automate the creation of envoy configuration for layer-7 protocols #IstioCon Aeraki: Manage any layer-7 traffic in an Istio service mesh

multi-containers pods Stabilizing Istio CPU: 1 Pod App container Container requests HPA configuration (70% CPU) metrics: - type: Resource resource: name: cpu target: type: Stabilizing Istio CPU: 1 Pod App container Sidecar container CPU: 100m Container requests HPA configuration (70% CPU) metrics: - type: Resource resource: name: cpu target: type: Stabilizing Istio CPU: 1 Pod App container Sidecar container CPU: 100m Container resources HPA configuration (70% CPU) metrics: - type: Resource resource: name: cpu target: type:

packet dest ip + port and forward it to POSTROUTING ④ send out to real server Note: Only one connection between user and real server #IstioCon HAPROXY- Transparent Transport ① user send traffic to haproxy connection ④ Loadbalancing: select a endpoint and init a connection to server with original user’s address (IP_TRANSPARENT) ⑤ Server’s response packet is flowing through the same path (TPROXY + Custom Protocol v2 #IstioCon Proxy Protocol client Server Establish TCP connection Proxy Protocol binary header Application data - The client and server side must support proxy protocol simultaneously

recommended MaxBytesHandler was used, the request body was not fully consumed, meaning that when a server attempts to read HTTP2 frames from the connection it will instead be reading the body. As such, the FuzzBuildSecurityCaller istio.io/istio/security/pkg/ server/ca https://github.com/istio/istio/blob/6 5478ea81272c0ceaab568974aff7 00aef907312/security/pkg/server/c a/authenticate/fuzz_test.go#L21 The fuzzers manage network traffic between microservices. The control plane is responsible for applying user configuration to the proxies. The following diagram demonstrates the Istio architecture: 11 Istio Security

through the Envoy proxies first. • When mTLS is enabled between two services, the client side and server side’s “envoy proxies” verify each other’s identities before sending requests. • If the verification is successful, then the client-side proxy encrypts the traffic, and sends it to the server- side proxy. • The server-side proxy decrypts the traffic and forwards it locally to the actual destination service level, reduce workload of developers. EnvoyFilter provides a mechanism to customize the Envoy configuration generated by Istio Pilot. Use EnvoyFilter to modify values for certain fields, add specific filters

Istio 技术点7/23 MCP MCP（Mesh Configuration Protocol）提供了一套用于订阅、推送的 API。 分为 Source 和 Sink： • Source 是资源提供方（server），资源变化了推送给订阅者（Pilot），Istio 1.5 之前这个 角色就是 Galley 或者自定义 MCP Server； • Sink 资源的订阅者（client），在 资源的订阅者（client），在 Istio1.5 之前这个角色就是 Pilot 和 Mixer，都是订阅 Galley 或者自定义 MCP Server 的资源；8/23 MCP mcpserver demo: https://github.com/champly/mcpserver9/23 Pilot Pilot 负责网格中的流量管理以及控制面和数据面之间的配置下发，在 Istio1.5 之后合并了 Galley

certificates • On the fly certificate renewals with no service downtime • Unified simplified configuration to enable mTLS for all services • Kubernetes service account based authn/authz • Secure cross-cluster require client application restarts Challenges – Client certificates 7 • mTLS provided by Istio • Server certificate provided by Istio Proxy sidecar container • Each Kafka client request gets a client