Istio Security Assessment
… system facilitated by its control plane. The goal of the assessment was to identify security issues related to the Istio code base, highlight high-risk configurations commonly used by administrators, and provide … Findings (Title / ID / Risk): Inability To Secure Control Plane Network Communications / 004 / High; Lack of Security Related Documentation / 016 / High; Lack of VirtualService Gateway Field Validation Enables Request Hijacking / … (page 6, Google Istio Security Assessment, Google / NCC Group Confidential) … Finding: Lack of Security Related Documentation. Risk: High (Impact: High, Exploitability: Medium). Identifier: NCC-GOIST2005-016. Category …
0 码力 | 51 pages | 849.66 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
… Components: One of the advantages of using Istio is that it offers a series of security features related to identity, policies, TLS encryption, authentication, authorization and internal auditing to enhance … create authorization policies to specify mesh-, namespace-, and workload-wide access control for workloads in the mesh. Authorization policies are created by users and are enforced at runtime using Envoys … Envoy with either ALLOW or DENY. Policy Enforcement Points: Istio authenticates traffic between workloads with mTLS. (page 14, Istio Security Audit, 2023) Threat actors: In this part of the threat model we identify …
0 码力 | 55 pages | 703.94 KB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
… Compatibility (non-Linux, unikernels) ○ Business reasons ■ Legacy applications ■ Deterministic workloads with strong requirements ● For Istio ○ What is Istio? A service mesh. But more: an open service … applications ○ Hard to lift and shift ● Packaged software ○ Non-Linux ○ unikernels ● Domain-specific workloads ○ Network Functions (NFV) #IstioCon Hybrid and Multi Clouds #IstioCon Istio VM Integration … object combined the lifecycles of both the service and the workloads implementing it, without giving a first-class representation for the workloads themselves #IstioCon V1.6-1.8 Better VM Workload Abstraction …
0 码力 | 50 pages | 2.19 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
● Each workload may be different, even in the same product. Some examples: ○ Latency-sensitive workloads ○ Long-lived batches (ML) ○ Web platforms ● How do you define a common answer to the previous … default value for sidecar resources - Bigger default size = bigger cost ● Case 2: Adjust based on workloads + Resource cost is low - Tremendous cost in load-testing and adjusting values 59 … Istio proxy Default -> 2 ● For minimal performance impact -> Workers = vCPU (1 worker/vCPU) ● Load test your workloads at different levels of concurrency and resources ● Account for RPS/pod when calculating the capacity …
0 码力 | 69 pages | 1.58 MB | 1 year ago
Using ECC Workload Certificates (pilot-agent environmental variables)
… certificates that use Elliptic Curve Cryptography (ECC) is a requirement ● In Istio 1.6, support for workloads to use ECC certificates for mTLS in sidecar-to-sidecar communication was added ○ As of Istio 1 … for each chart, but not for base … #IstioCon Inspection of Workload Certificates: Ensure that workloads within your cluster are using ECC: $ istioctl proxy-config secret . -o json | …
0 码力 | 9 pages | 376.10 KB | 1 year ago
Istio Meetup China: Service Mesh Security, Understanding Istio CNI
… tracing, service mesh telemetry analysis, metric aggregation and visualization for cloud-native workloads in a single platform. Leading Cloud Native: Varun Talwar, Co-founder/CEO, Co-creator of gRPC, Istio … service IP addresses (which are static) into Pod IP addresses. CNI plugins: allocate IP addresses for workloads; exist in nodes … CNI interface: Calico, Antrea, Flannel, Istio CNI; CNI Daemonset: Calico, Antrea, Flannel …
0 码力 | 19 pages | 3.17 MB | 1 year ago
Apache Kafka with Istio on K8s
… with Istio 11 … Kafka client authentication with Istio 12 • Istio provides a security layer for workloads in a uniform way • Envoy WASM filters open the gates for a whole array of useful features such …
0 码力 | 14 pages | 875.99 KB | 1 year ago
Observability and Istio Telemetry
… telemetry/attribute-vocabulary/ … Metric settings in Istio bypass adaptor … • Service. Represents a set/group of workloads that provide the same behaviors for incoming requests. You can define the service name when you …
0 码力 | 21 pages | 5.29 MB | 6 months ago
SberBank story: moving Istio from PoC to production
… Kubernetes • Multi-cluster Service Topology • Cloud-Native Event Hub • Full Support for VM-Based Workloads • UX Simplification … CONTACT US: Head of integration department Igor Gustomyasov, Sber, IVGustomyasov …
0 码力 | 14 pages | 1.68 MB | 1 year ago
How HP set up secure and wise platform with Istio
… Secure Platform – Authorization Policy: Using Authorization Policy enables access control on workloads in the mesh. For requests from the ingressgateway, the token needs to be verified. For requests from the same tenant, …
0 码力 | 23 pages | 1.18 MB | 1 year ago
17 results in total (pages 1, 2)