TCP Original Address Preserve Background Demo 1. HTTP Original Address Preserve #IstioCon Content 1. TCP Original Address Preserve Background Demo 1. HTTP Original Address Preserve #IstioCon skip_xff_append is set false. xff_num_trusted_hops : If use_remote_address is true and xff_num_trusted_hops is set to a value N that is greater than zero, the trusted client address is the Nth address from from the right end of XFF. #IstioCon Content 1. TCP Original Address Preserve Background Demo 1. HTTP Original Address Preserve #IstioCon Preserve TCP Original Src Addr - inner svcA svcB envoy

traffic to the cluster through the ingress Gateway. 15 Istio Security Audit, 2023 2. Partially trusted users that have been granted a level of privilege and that are able to escalate to higher privileges If we detect gRPC, serve using grpcServer if r.ProtoMajor == 2 && strings.HasPrefix(r.Header.Get("content-type"), "application/grpc") { s.grpcServer.ServeHTTP(w, r) return } // Otherwise, this is meant if req.Header.Get("Content-Type") != URLEncodedForm { return reqParam, fmt.Errorf("request content type is invalid, should be %s but get %s", URLEncodedForm, req.Header.Get("Content-type")) } if parseErr

verify the integrity of the input; for example, to ensure that a downloaded file has the correct content and was not modified or corrupted. If a weak hash is used for this purpose, an attacker could create consider providing an option to use a built- in common denominator CA chain consisting of the major trusted CAs, such as Mozilla’s CA chain.17 16https://istio.io/latest/docs/reference/config/networking/destination-rule/ implementation does not perform output encoding specific to JSON, enabling injection of raw JSON content through string fields parsed from annotations and other workload spec properties. In general, only

○ Envoy QUIC support in early stages ■ Security ● Both the downstream and upstream need to be trusted ■ Stability (quite a few issues/broken functionalities) ● Concurrency limitations ■ Lack of docs

ibute/ #IstioCon Design Docs Hongyi Zhang - Link #IstioCon Writing Tests ● Istio.io page content is automatically verified through tests, and you can help by creating one! ● Guide for creating

who want to work on code, docs or other parts of Istio. ● You can access our trove of technical content and working documents by joining the istio-team-drive-access@ Google Group. ● Interested in helping

Zhonghu Xu (Huawei) The team (3/3) Event Production (Software Guru) Event Manager Mara Ruvalcaba Content Coordination Pedro Galván Streaming and website Alberto Rodríguez Streaming Alex Palomo Speaker

Bush (Google) The team (3/3) Event Production (Software Guru) Event manager Mara Ruvalcaba Content coordination Pedro Galván Streaming and website Alberto Rodríguez Streaming Ximena Cruz, Luis Sánchez

of 2.5 hours each for US TZ ● 1 Workshop of 2.5 hours for China TZ 1. Getting involved - Content 2. Getting involved - Financial support The following table describes the event bundles that allow

json:application/vnd.module.wasm.config.v1+json example- filter.wasm:application/vnd.module.wasm.content.layer.v1+wasm ○ Wasm Artifact镜像规范参考 ■ https://github.com/solo-io/wasm/blob/master/spec/README.md