Istio Security Assessment
practices. Description Istio’s documentation is rather large but also has some gaps related to recent changes. Some blog posts describe security features that are now deprecated and some security features are setting would be configured for the istio-ingressgateway pilot-agent and this would likely break standard Istio configurations from the Istio documentation which rely on a shared istio gateway. This feature Review the recommendations in previous findings referenced above that highlight many of the possible changes that are needed to further lock down the Default profile. Consider providing a hardened profile when
0 码力 | 51 pages | 849.66 KB | 1 year ago 3
Istio is a long wild river: how to navigate it safely
Kubernetes is pretty bad at load-balancing it ● So we solved it by using a client-side load-balancing library + Headless Services Headless services are to us what ClusterIP services are to common people! However Make sure Istio-enabled callers update their config with the ClusterIP service ○ Keep a double standard during migration Compounding to hundreds of services, the cost is terrible so be strategic 47 Calling authn/z service on each call? Depending on the answers, the application RPS measured in library may vary between 2 and n times when using Istio. 61 Istio proxy performance and capacity Adopting
0 码力 | 69 pages | 1.58 MB | 1 year ago 3
Istio audit report - ADA Logics - 2023-01-30 - v1.0
file close ● 1 certificate skipping ● 1 case unhandled errors ● 1 case of using a deprecated library ● 1 race condition 2 Istio Security Audit, 2023 Notable findings Issue 10 - “H2c handlers are verification Low High Yes 7 Unhandled errors Informational n/a Yes 8 Use of deprecated 3rd party library Low High Yes 9 TOCTOU race conditions in file utils Medium High Yes 10 H2c handlers are uncapped 1024*1024*10), f.destDirRoot) } 40 Istio Security Audit, 2023 8: Use of deprecated 3rd party library Severity: Low Difficulty: High Fixed: Yes Affected components: ● pkg/model Vectors: ● CWE-1104:
0 码力 | 55 pages | 703.94 KB | 1 year ago 3
5 tips for your first Istio.io Contribution
Redesign Proposal #IstioCon #IstioCon “First and foremost: as a potential contributor, your changes and ideas are welcome at any hour of the day or night, weekdays, weekends, and holidays. Please ● Viewing changes as if they were live ● Linter is pretty specific ● Don't forget to update/create a test if the page changed is tested! #IstioCon Run make lint locally to verify changes and check
0 码力 | 14 pages | 717.74 KB | 1 year ago 3
Set Sail for a Ship-Shape Istio Release
without context. GitHub asks developers and maintainers whether a pull request has user facing changes. ● If it does, the developer can easily add a release note. ● If it doesn’t, then the developer Notes #IstioCon Release Notes: As a result... ● Release notes are thought of up-front as part of changes, with context by the people who know the most about what’s being changed. ● Release notes and
0 码力 | 18 pages | 199.43 KB | 1 year ago 3
Istio 2021 Roadmap: A heartwarming work of staggering predictability
io/latest/blog/2020/tradewinds-2020/ #IstioCon Operational Excellence ● Detecting backwards incompatible changes ● Measuring developer efficiency ○ Test flakes ○ Feature and code coverage ● Feature promotion
0 码力 | 17 pages | 633.89 KB | 1 year ago 3
Using Istio to Build the Next 5G Platform
Istio to Meet 5G Requirements 13 ©2021 Aspen Mesh. All rights reserved. ● Istio architectural changes ● SPIFFE only certificates ● Configuring workload certificate TTLs ● RSA to ECC migration ●
0 码力 | 18 pages | 3.79 MB | 1 year ago 3
Is Your Virtual Machine Really Ready-to-go with Istio?
packet inspection (DPI) ○ DDoS defense ○ Firewall ● Lack dedicated gateway support (architectural changes) ○ No separating out the gateway used for untrusted user traffic from the internal mesh traffic
0 码力 | 50 pages | 2.19 MB | 1 year ago 3
Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
Istio? #IstioCon How to Manage AwesomeRPC Traffic in Istio? Pilot Envoy Code changes at the Pilot side: ● Add AwesomeRPC support in VirtualService API ● Generate LDS/RDS for Envoy
0 码力 | 29 pages | 2.11 MB | 1 year ago 3
Istio Meetup China: Service Mesh Security - Understanding Istio CNI
to visualize problem areas, tune performance, and add substrate features. Istio is the industry-standard service mesh control plane that makes it easier to connect, observe, and secure microservices.
0 码力 | 19 pages | 3.17 MB | 1 year ago 3













