Istio Security Assessment Google August 6, 2020 – Version 1.1 Prepared for Arun Kumar R Prepared by Mark Manning Jeff Dileo Divya Natesan Andy Olsen Feedback on this project? https://my.nccgroup assessment was to identify security issues related to the Istio code base, highlight high risk configurations commonly used by administrators, and provide perspective on whether security features sufficiently subsequent phases of the assessment. A test plan was created which matched areas of code with specific security controls (e.g. service discovery, certificate lifecycle, side car injection) to focus testing efforts

Anthony Roman, Lei Tang Google April 26, 2022 Service mesh security best practices: from implementation to verification Who are we? Anthony Roman Istio Github: anthony-roman Lei Tang Istio agenda 1. Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture ● Attack Attack vectors. ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster Edge Operations

Optimal Canary Deployments using Istio and how it scores over Spring Cloud and Kubernetes Presented by Archna Gupta What is a Canary Release or Deployment? • A canary deployment, or canary release My-data-service Service Demo-canary Service Canary Releases Using Spring Cloud Demo-canary Service Service Instance V1 SPRING CLOUD GATEWAY www.my-application.com 75% or Header: X-User-Type: Non-Admin My-data-service Service Service Instance V2 SPRING EUREKA Cross-version Traffic Load Balancer My-data-service Service Demo-canary Service Canary Releases Using Spring Cloud – Across application Layers using

platform I want to sketch a mesh for you Istio service mesh at enterprise scale Improving security with Istio What Envoy hears when Istio speaks Company presenting Google and IBM Aspen Mesh Lightning talks China Secure your microservices with Istio step by step Best practice: from Spring Cloud to Istio Preserve original source address within Istio Performance tuning and best using Kiali” (by RedHat). Office hours On the following topics: ● Istio debugging, ● Istio Security, ● WebAssembly, ● Multi Cluster, ● Istio Roadmap and ● Istio in production. Participant feedback

PRESENTS Istio Security Audit In collaboration with the Istio projects maintainers and The Open Source Technology Improvement Fund, Inc (OSTIF). ostif.org Authors Adam Korczynski This report is licensed under Creative Commons Attribution 4.0 International (CC BY 4.0) Istio Security Audit, 2023 Table of contents Table of contents 1 Executive summary 2 Notable findings 3 Project previous audit 50 Istio SLSA compliance 52 1 Istio Security Audit, 2023 Executive summary In September and October 2022 Ada Logics carried out a security audit of the Istio project. The audit was sponsored

code Scale to zero Quick entry to serverless computing … … traffic management observability security … Knative design based on knative.dev #IstioCon r How Istio is leveraged in a Knative based {revision-2}. 51ch62kjrnd.svc.cluster.local weight: 90 Knative Service Inspection #IstioCon - Security with Service Mesh enabled • mutual TLS is enabled to secure the user application traffic end to enabled • Enable Istio mesh on Knative – Impact without optimization #IstioCon o With istio CNI plugin, we can move the iptables configuration parts to CNI. But another init- container, the istio-validation

mySQL, PostgreSQL, MongoDB ... ● Other Layer-7 Protocols: ... Control Plane (Traffic Management, Security, Observability) #IstioCon What Do We Expect From a Service Mesh? 为了将基础设施的运维管理从应用代码中剥离，我们需要七层的流量管 application layer metrics ○ HTTP status code ○ Thrift request latency ○ ... ● Application layer security ○ HTTP JWT Auth ○ Redis Auth ○ ... IP Data IP Header TCP Data TCP Header Layer-7 Observability - only TCP metrics ○ TCP sent/received bytes ○ TCP opened/closed connections ● Security ○ Connection level authentication: mTLS ○ Connection level authorization: Identity/Source IP/

gamified wizards of Stack Overflow. Bugs And Security ● Read this quick explanation on how to report bugs, in code or in documentation. ● The Istio security team responds rapidly to vulnerability reports sail What about the rest of the boat? Upcoming Talks: Aperture - Load Management Meshery - WASM plugin management Argo - Multi-cluster orchestration JP Morgan SLO Generation Reflecting on the Value

of ebpf ● Acceleration for Inbound/Outbound/Envoy to Envoy #IstioCon Istio-CNI ● The Istio CNI plugin performs the Istio mesh pod traffic redirection in the Kubernetes pod life-cycle’s network setup NET_ADMIN and NET_RAW capabilities for users deploying pods into the Istio mesh. ● The Istio CNI plugin replaces the functionality provided by the istio-init container. #IstioCon Tcp/ip stack overhead

management ○ Load balancing for VMs, failover, A/B testing, modern rollouts for VM services ● Security ○ Enforce the same policies in the same way, across compute environments ● Observability ○ See Extensibility #IstioCon Why Should Istio Support VMs ● ≈ Why VMs? ○ Technical reasons ■ Better known security controls ■ Better isolation (of resources, fault domains etc.) ■ Compatibility (non-Linux, unikernels) injection ○ automate VM registration ○ health/readiness check #IstioCon V1.7 VM Support with Added Security ● Secure bootstrapping process ○ Automate provisioning a VM's mesh identity (certificate) ■ based