Using Istio to Build the Next 5G Platform
… and improved efficiency empower new user experiences and connect new industries. (Qualcomm) … © 2021 Aspen Mesh. All rights reserved. … https://medium.com/5g-nr/5g-service-based-architecture-sba-47900b0ded0a
18 pages | 3.79 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
Istio Security Audit, 2023. Table of contents: Executive summary; Notable findings; Project summary; Audit scope; Overall assessment; Fuzzing; Threat model; Issues found … this security audit as well as future security audits. 2. Carry out a manual code audit for security issues. 3. Review the fixes for the issues found in an audit from 2020. 4. Review and improve Istio's fuzzing … disclosed to the Golang security team, who fixed the vulnerability and assigned it CVE-2022-41721. … Project summary. Ada Logics auditors: Adam Korczynski …
55 pages | 703.94 KB | 1 year ago
Envoy Internals and Production Pitfalls (Envoy原理介绍及线上问题踩坑)
… design and development work. Copyright © Huawei Technologies Co., Ltd. All rights reserved. Contents: 1. Envoy startup and configuration files 2. How Envoy intercepts traffic, and common deployment modes 3. Envoy's extensible filter architecture and observability 4. Envoy threading model 5. Analysing and resolving production issues 6. Optimisations made to Envoy and their effect 7. … certificate updates are pushed down, and a certificate-renewal channel is established with istiod. Envoy keeps a long-lived connection to istiod through pilot-agent's forwarding and receives listener, route and cluster endpoint updates over xDS. 3. Data-plane communication: a client request enters the container network, is intercepted by iptables rules and, after DNAT, lands on Envoy's virtualOutbound listener; virtualOutbound's listener filters recover the original destination (ORIGINAL_DST), after which routing and the upstream connection pool take over. [diagram of the iptables path: traffic that is neither pod-local nor from Envoy itself is DNATed; packets from UID 1337 (Envoy) pass through; ordinary ports are skipped; DNAT; delivery over lo to the local app] Outbound direction: traffic originating inside this pod and calling out; the ISTIO_OUTPUT chain is added on the outbound path …
30 pages | 2.67 MB | 1 year ago
Secure your microservices with istio step by step
… black stars; Reviews-v3 calls ratings, red stars … Initializing services: 1) Deploy bookinfo services with istio sidecar, without reviews-v2 2) Deploy bookinfo gateway 3) Deploy reviews-v2 service without istio sidecar (kubectl label namespace default istio-injection=disabled/enabled) … access reviews-v1, reviews-v2 and reviews-v3 … Access productpage … #IstioCon Istio Identity (Istiod, Istio Agent, Envoy): 1. Start Envoy 2. Request cert (SDS) 3. CSR auth: JWT 4. Cert signed with SPIFFE …
34 pages | 67.93 MB | 1 year ago
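The identity flow in the slide above ends with a certificate whose URI SAN carries the workload's SPIFFE ID; that ID is what an AuthorizationPolicy `principals` entry is compared against. The following is an added example, not code from the talk or from Istio, showing how the ID is parsed into trust domain, namespace and service account, and how Istio's string-match rules for principals (exact, `abc*` prefix, `*abc` suffix, `*` presence) decide whether a peer is allowed. The identities used are constructed; the certificate itself is assumed to have already been verified by mTLS.

```python
"""Parse the SPIFFE ID Istio puts in a workload certificate's URI SAN and check
it against AuthorizationPolicy-style principal patterns.

Added example, not Istio's own code.  Identity strings below are constructed.
"""
from dataclasses import dataclass
import re

# Istio workload layout: spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>
_ISTIO_ID = re.compile(
    r"^spiffe://([A-Za-z0-9.-]+)/ns/([A-Za-z0-9.-]+)/sa/([A-Za-z0-9.-]+)$"
)


@dataclass(frozen=True)
class WorkloadIdentity:
    trust_domain: str
    namespace: str
    service_account: str

    @property
    def principal(self):
        """The string form AuthorizationPolicy compares against."""
        return f"{self.trust_domain}/ns/{self.namespace}/sa/{self.service_account}"


def parse_istio_spiffe_id(uri):
    """Accept only the Istio workload layout; other SPIFFE IDs, https:// URIs,
    extra path segments or query strings are rejected rather than guessed at."""
    m = _ISTIO_ID.match(uri)
    if not m:
        raise ValueError(f"not an Istio workload SPIFFE ID: {uri!r}")
    return WorkloadIdentity(*m.groups())


def principal_matches(pattern, principal):
    """Istio string-match rules: exact, 'abc*' prefix, '*abc' suffix, '*' presence."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return principal.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return principal.endswith(pattern[1:])
    return pattern == principal


def is_peer_allowed(peer_uri, allowed_patterns):
    """Decision for one mTLS peer: an unparsable identity is a deny, not an error."""
    try:
        principal = parse_istio_spiffe_id(peer_uri).principal
    except ValueError:
        return False
    return any(principal_matches(p, principal) for p in allowed_patterns)


if __name__ == "__main__":
    peer = "spiffe://cluster.local/ns/default/sa/bookinfo-productpage"
    print(parse_istio_spiffe_id(peer).principal)
    print(is_peer_allowed(peer, ["cluster.local/ns/default/sa/bookinfo-productpage"]))
```

One thing the matcher makes visible: a suffix pattern such as `*/ns/default/sa/bookinfo-productpage` drops the trust domain from the comparison, so a workload from any trust domain the mesh trusts with that namespace and service-account name matches. Write principals with the trust domain spelled out unless cross-domain access is intended.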
Is Your Virtual Machine Really Ready-to-go with Istio?
(VM -> Container) 1. Dnsmasq accepts DNS queries 2. Access the built-in Kube DNS (exposed by ILB) 3. Obtain the resolved Cluster IP 4. Traffic intercepted by the sidecar proxy 5. xDS: traffic forwarded … communication w/o requiring an intermediate Gateway … Multiple networks: all traffic goes through the Gateway, or via L3 networking (if enhanced performance is desired) … #IstioCon Demo … Istio VM integration seems … Egress Gateway: compatibility reasons; performance & security … Legacy VNF / CNF, Option 3: further performance concerns … End-to-end Key Protection: SDS (Secret Discovery Service)
50 pages | 2.19 MB | 1 year ago
Istio Security Assessment
… github.com/istio/istio at 7353c84b560fd469123611476314e4aee553611d; github.com/istio/proxy at c51fe751a17441b5ab3f5487c37e129e44eec823; github.com/istio/istio.io at 26dacdde40968a37ba9eaa864d40e45051ec5448 … Key Findings … istio/proxy: Istio Envoy Proxy code in the master branch up to July 15th, 2020, commit c51fe751a17441b5ab3f5487c37e129e44eec823. istio/istio.io: Istio documentation and security guidelines from the master branch … Findings by category: Cryptography 1, Data Exposure 3, Data Validation 2. Component breakdown: Istio 10, Istio Sidecar 3, Istioctl 2, Pilot 3 (severity key: Critical, High, Medium, Low, Informational) … Google Istio Security Assessment
51 pages | 849.66 KB | 1 year ago
Canary (gray) release practice for Kubernetes container applications based on Istio (Kubernetes容器应用基于Istio的灰度发布实践)
Zhang Chaomeng @ Huawei Cloud BU, 2018-08-25, Service Mesh Meetup #3, Shenzhen … Agenda: Istio & Kubernetes; canary releases on Istio & Kubernetes … An open platform to connect, manage, and secure microservices. … The Istio project … 1. Controller implements ServiceDiscovery (the interface definitions for service discovery) 2. Controller List/Watches Service, Endpoint and other resources on the Kube API server 3. DiscoveryServer builds xDS from the ServiceDiscovery methods and the user-configured rules 4. Envoy fetches xDS from Discovery and updates dynamically … Canary release: A/B testing; canary releases; based on Kubernetes RC [diagram: svcA calling svcB, traffic split 60%/40% between the Version1 (canary) and Version2 pods, with KubeAPIServer, Scheduler and Controller-Manager]
34 pages | 2.64 MB | 6 months ago
Canary (gray) release practice for Kubernetes container applications based on Istio (Kubernetes容器应用基于Istio的灰度发布实践)
Zhang Chaomeng @ Huawei Cloud BU, 2018-08-25, Service Mesh Meetup #3, Shenzhen. Agenda: Istio & Kubernetes; canary releases on Istio & Kubernetes. An open platform to connect, manage, and secure microservices … 1. Controller implements ServiceDiscovery (the interface definitions for service discovery) 2. Controller List/Watches Service, Endpoint and other resources on the Kube API server 3. DiscoveryServer builds xDS from the ServiceDiscovery methods and the user-configured rules 4. Envoy fetches xDS from Discovery and updates dynamically … Canary release: blue/green; A/B testing; canary releases; based on Kubernetes RC [diagram: svcA calling svcB, traffic split 60%/40% between the Version1 (canary) and Version2 pods, with KubeAPIServer, Scheduler and Controller-Manager]
38 pages | 14.93 MB | 1 year ago
Full-stack service mesh: Aeraki helps you manage any layer-7 traffic in the Istio service mesh (全栈服务网格 - Aeraki 助你在 Istio 服务网格中管理任何七层流量)
… capabilities we mentioned on the previous slide … Traffic management for non-HTTP/gRPC protocols covers only layers 3 to 6: routing on headers below layer 7 (IP address, TCP port, SNI); observability … 1. Add a service_group custom attribute to the Provider in the dubbo application config 2. Set the SERVICE_GROUP environment variable in the Provider's deployment 3. Set the batchJob header when the consumer makes the call 4. Configure the corresponding DR (DestinationRule) and VS (VirtualService) traffic rules https://docs.qq.com/doc/DVnlqUVB1ek1laFBQ … region, different zone 3. then: a different region … #IstioCon Aeraki demo: locality-aware load balancing (Dubbo): 1. Add an aeraki_meata_locality custom attribute to the Provider in the dubbo application config 2. Set the Provider's locality through an environment variable in its deployment 3. In the consumer's deployment …
29 pages | 2.11 MB | 1 year ago
Istio-redirector: the way to go to manage thousands of HTTP redirections
… /bus/routes/bruxelles/lille to /bus/routes/bruxelles-1/lille-3. Why do we need redirections? Before: the old URL /bus/routes/bruxelles/lille returns a 404 page, while the new page lives at /bus/routes/bruxelles-1/lille-3. After: /bus/routes/bruxelles/lille is redirected to /bus/routes/bruxelles-1/lille-3. #IstioCon And the result is? Happy users: I will be automatically redirected to the new page instead of seeing an error page. Happy Googlebot: I don't … Workflow: 1. Creating the .csv 2. Importing the file 3. Generating the Istio configuration 4. Deploy to production … An SEO specialist creates the file manually, matching old URLs with the new ones based on different …
13 pages | 1.07 MB | 1 year ago
42 results in total