technology stack often used within Kubernetes clusters to provide service-to-service communication, manages TLS certificates, provides workload identity, and includes a builtin authorization system facilitated by exposed via its control plane and should enforce all network communications use mTLS (or at minimum, TLS) for communi- cations within the istio-system namespace / control plane. As mentioned in finding NCC- restrict a Pod’s access to them. Attempts to modify the settings to “controlPlaneAuth Policy: MUTUAL_TLS” did not appear to have any effect on preventing a Pod not managed by Istio from accessing Istio’s

ic。Envoy由于高性能和扩展能力前在数据面遥 遥领先。 • Iptables使Pod间出入应用的流量均由Envoy代理，对应用来说完全透明。支持主要常用网路协议 Http1/Http2/Tls/gRPC/Tcp等。 Copyright © Huawei Technologies Co., Ltd. All rights reserved. Page 6 Envoy原理及总体架构-启动 Envoy启动配置及xDS listener router upstream pool Envoy cluster istiod pilot-agent LDS RDS CDS EDS tls证书 管理 SDS CSR创建证书 stat tracing 支持采集或 主动上报 监控系统 过滤器 过滤器 连接 连接 xDS 描述 模式 请求路径 LDS 监听器配置 POST /envoy 线程间通信通过post接口发送任务，此任务通过定时器事件激活 • 3. 线程间数据交换通过post更新TLS，这样每个线程内代码都不需要加锁处理 • 4. 每个线程的TLS对象本身只保存真实对象的共享指针进行读操作，减少内存消耗。 • 5. 全局对象更新只发生在主线程，并通过COW方式通知工作线程进行指针修改 • 每个TLS slot通过allocateSlot分配，在使用前通过set在每个线程中创建一个拷贝并保存。

Gojek Agenda ● GoPay & Istio ● Before mutual TLS ● Implementing mutual TLS ○ Centralized Certificate Management ○ Ingress mutual TLS ○ Egress mutual TLS ● Challenge & Future Works GoPay & Istio About EnvoyFilters into Istio. ● Istio have abstraction concept that make manage things easier. Before Mutual TLS? HTTPS + Allowlisting Our previous setup is using https with allow listing to only allow specific all services) Implementing Mutual TLS Centralized Certificate Management ● Central certificate management manage our certificate lifecycle for HTTPS and mutual TLS communication. ● Renew & sync to

outside of the mesh ● ISTIO_MUTUAL: originate TLS with istio cert ● SIMPLE/MUTUAL: originate TLS with the cert you specified, common if you want to TLS with service outside mesh apiVersion: networking io/v1alpha3 kind: DestinationRule metadata: name: reviews spec: host: reviews trafficPolicy: tls: mode: ISTIO_MUTUAL 1) Generate client and server certificates and keys 2) Create a secret define corresponding virtual service which configuring traffic routes Secure ingress gateway via TLS terminating Using ingress host and secure ingress port to send request: From curl command: need

policies on - ■ hardware Firewalls, Bare Metals, legacy OpenStack, etc. ● Transport Layer Security (TLS) ● Custom OpenID implementation for L7 AuthN #IstioCon Why Service Mesh? ● Current challenges include Enforcement ■ Updating hardware devices is slow ○ Achieving micro-segmentation at scale ○ Enabling TLS for all applications in a consistent way ● Service Mesh ○ An architectural pattern to implement common Observability, Service Routing & Discovery functions as features of the infrastructure - ○ Functions: TLS Termination, Traffic Management, Tracing, Rate Limiting, Protocol Adapter, Circuit breaker, Caching

advantages of using Istio is that it offers a series of security features related to identity, policies, TLS encryption, authentication, authorization and internal auditing to enhance the security in the mesh 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 import ( "bytes" "context" "crypto/tls" "fmt" "io" "log" "net/http" "os" "os/signal" "time" byteSize "github.com/inhies/go-bytesize" "istio Second } transport := http.DefaultTransport.(*http.Transport).Clone() transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} return &HTTPFetcher{ client: &http.Client{ Timeout: requestTimeout

tenant. HP Horizon Platform Connect With Istio #IstioCon Secure Platform • JWT Verify • Mutual TLS • Authorization Policy • Envoy External Authorization #IstioCon Secure Platform #IstioCon Secure authentication policy to Verify end-user JWT easily #IstioCon Secure Platform – mutual TLS Using mutual TLS for service-to-service authentication. • When a service receives or sends network traffic

Trust Strong identity for users, workloads, devices, etc. Encrypting inter-CNF traffic via mutual TLS (mTLS) Option to encrypt intra-CNF traffic via mTLS Autonomous PKI service for certificate lifecycle Intermediate CA ● Enable ECC certificates ● Configure workload certificate TTLs ● Enable strict mutual TLS (mTLS) instead of auto ● Use dedicated egress gateways Tuning Istio to Meet 5G Security Requirements

Impersonating ■ Secret clear in memory ■ Secret persistence ● Key protection ○ Private key for TLS ○ Signing key ○ … #IstioCon Performance Limitations ● Some not just limited on VMs, but ○ need across Pod/VMs on the same node #IstioCon QUIC ● A new transport protocol ● A little like TCP + TLS, but build on top of UDP ○ Uses UDP like TCP uses IP ○ Adds connections, resends and flow control

外部请求 内部客户端 Service2 Service1 网格内部 定义网格入口 • 服务端口 • Host • TLS 配置 • 路由配置 • 根据 Host 路由 • 根据 Header • 根据 URI 路由 目的地流量策略配置 • LB 策略 • 连接池配置 • 断路器配置 • TLS 配置 Gateway External Service 统一网格出口 • 出口地址（Gateway Workload）