Istio Security Assessment
finding, NCC Group uses a composite risk score that takes into account the severity of the risk, application's exposure and user population, technical difficulty of exploitation, and other factors. For an … Modify the default policy mesh config map for "controlPlaneAuthPolicy: MUTUAL_TLS" • Create an Istio setup with control plane security enabled: istioctl install --set values.global.controlPlaneSecurityEnabled=true … could be expanded to reference other documentation that provides deeper insight. • /docs/setup/additional-setup/config-profiles/: The configuration profiles provided by istioctl simply describe the features (51 pages, 849.66 KB)

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Scala, etc. ● Running on a variety of hardware ○ General-purpose x86 servers ○ GPUs #IstioCon Application Deployment: Cloud Layout ● Region: A metro region ● DC: One or more Data Centers in each Region … customer ○ PoPs are mini AZs Region R1 AZ 1 AZ 2 AZ n Data Center DC1 Region Rn #IstioCon Application Deployment: Cloud Layout ● Multiple K8s Clusters in an AZ ○ Each K8s cluster ~ 200 - 5,000 nodes … Region Rn #IstioCon Application Specs Region R1 Application Deployment: Federation ● Hierarchy of control planes ● Global Control Plane ○ Users provide application specs to Global Control-Plane (22 pages, 505.96 KB)

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
use Istio gateway service istio-ingressgateway as its underlying service. Knative Activator or Application Front door design #IstioCon - Traffic Splitting, blue/green deployment How Istio is leveraged … Inspection #IstioCon - Security with Service Mesh enabled • mutual TLS is enabled to secure the user application traffic end to end in production • Allow platform to use Istio authorization policy to control … flow with Istio mesh/mTLS #IstioCon o Init-container added which costs ~5 seconds for Knative application pod cold start. o Every sidecar needs full mesh information by default. Not a scalability solution (23 pages, 2.51 MB)

Is Your Virtual Machine Really Ready-to-go with Istio?
Onboard steps ○ Set up Internal Load Balancers (ILBs) for Kube DNS, Pilot, Mixer and CA ○ Generate configs for VMs, incl. `cluster.env`, DNS config, Istio authN secrets etc. ○ Set up dnsmasq, Istio components … No first-class support for VM Multiple Networks ○ All traffic goes through the Gateway ○ Need to set up L3 networking if enhanced performance is desired ● Overheads introduced ● No high performance data … always [1] Http3 Full Stack Fest, Daniel Stenberg #IstioCon HTTP/3 ● HTTP/3 = HTTP over QUIC ● Application protocol over QUIC ● HTTP – same but different ○ HTTP/1 in ASCII over TCP ○ HTTP/2 – binary (50 pages, 2.19 MB)

Moving large scale consumer e-commerce Infrastructure to Mesh
Reliability of central proxy layer (HAProxy/Envoy) ● More control over load balancing ● Offload application services from networking and configuration ● Avoid other sources of failures (Consul etc.) ● Possible … Observability ● Extendable to multi-region setup #IstioCon Approach #IstioCon Rollout - Istio setup and Microservices ● Split rollout into phases ● Set up control plane and related tooling ● Sidecar … internal proxy ● Kubernetes Cluster-IP services deployed across clusters #IstioCon Rollout - Istio setup and Microservices ● Export metrics to central Prometheus ● Outlier detection for better reliability (14 pages, 1.76 MB)

Istio audit report - ADA Logics - 2023-01-30 - v1.0
the Istio maintainers, and the documentation also mentions this [1]: [1] https://istio.io/latest/docs/setup/install/operator/ (p. 7, Istio Security Audit, 2023) It was also stated by the Istio maintainers throughout … as observability, traffic management and security without requiring users to add these to their application code. It also offers more advanced features to support A/B testing, canary deployments, rate limiting … pilot/cmd/pilot-agent/status/server.go#L499 if envoy != nil { envoy.Close() } if application != nil { application.Close() } https://github.com/istio/istio/blob/959887237eee77be3e27152438c479aa4c4712 (55 pages, 703.94 KB)

Istio Meetup China: Service Mesh Security, Understanding Istio CNI
Networking lifecycle (Istio CNI): Kubelet starts a pausing pod; Kubelet invokes CNI plugins; CNI plugins set up IP for pod; Istio CNI installs sidecar network routing rule to workload iptables. Benefits of Istio … instead) Issue in Istio CNI: Kubelet starts a pausing pod; Kubelet invokes CNI plugins; CNI plugins set up IP for pod; Pod could get started here, bypassing Istio sidecar proxy (race condition); Istio CNI … workload iptables (19 pages, 3.17 MB)

Accelerate Istio-CNI with ebpf
plugin performs the Istio mesh pod traffic redirection in the Kubernetes pod life-cycle's network setup phase, ● Removing the requirement for the NET_ADMIN and NET_RAW capabilities for users deploying (15 pages, 658.90 KB)

Automate mTLS communication with GoPay partners with Istio
abstraction concept that makes managing things easier. Before Mutual TLS? HTTPS + Allowlisting Our previous setup is using HTTPS with allowlisting to only allow specific IP addresses to access our endpoints. Drawback: (16 pages, 1.45 MB)

Local Istio Development
are over localhost + Reproducible configuration with other developers and Istio tests + Easy to set up bespoke clusters, including enabling alpha features and multicluster - Local resource utilization (16 pages, 424.31 KB)