Istio Security Assessment
  … enlisted NCC Group to perform an assessment on the open-source version of Istio and all of its components. Istio is a modern service mesh technology stack often used within Kubernetes clusters to provide … it exposes. One of which is the "/debug" API hosted on 15014/TCP by default. This service exposes a web interface that is accessible without authentication to anything that is able to access its network … Pilot. This has a risk of containing certificates, keys, and secrets used by Pilot at runtime. This web interface also allows unauthenticated users to force all Istio objects to sync their current …
  0 code power | 51 pages | 849.66 KB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
  … Istio in favour of non-security-sensitive parts. Some components that are particularly exposed had been tediously audited, whereas other components had practically been left unaudited. There are pros and … exhaustion issues and other issues stemming from improper usage of the language. Istio consists of two components: the control plane and the data plane. The data plane handles the connection between services and … Egress | Sidecar | External APIs | High to low | Traffic leaving the data plane for external APIs. Security Components: one of the advantages of using Istio is that it offers a series of security features related to …
  0 code power | 55 pages | 703.94 KB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
  … Knative ingress controller for Istio. Knative is an open source project which provides a set of components (Serving and Eventing) that introduce event-driven and serverless capabilities for Kubernetes … issue.
  • Tune CPU/MEM to ensure enough capacity: leveraged metrics to monitor Istio & Knative components' CPU and MEM under workload to avoid CPU throttling and OOM and ensure enough capacity. In Istio …
  0 code power | 23 pages | 2.51 MB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
  … configs for VMs, incl. `cluster.env`, DNS config, Istio authN secrets etc.
    ○ Set up dnsmasq and Istio components in the VM and verify functionality
    ○ Configure sidecar interception; restart Istio and manually …
  … Protection
  ● SDS (Secret Discovery Service)
  ● A stricter security model
    ○ Protections for inline components & workflows
    ○ Trust model augmentation
      ■ Impersonating
      ■ Secret clear in memory
      ■ Secret persistence …
  0 code power | 50 pages | 2.19 MB | 1 year ago

Moving large scale consumer e-commerce Infrastructure to Mesh
  … Namespace isolation helps reduce Istio proxy resources. #IstioCon Next Steps
  ● Move stateful components into mesh discovery and routing
  ● Expose gateway services via Istio Gateway
  ● Towards RESTRICTED …
  0 code power | 14 pages | 1.76 MB | 1 year ago

How HP set up secure and wise platform with Istio
  … understanding of how monitored services are interacting, both with other services and with the Istio components themselves. Metrics, Distributed Traces, Access Logs. #IstioCon Excellent Observability: Istio (Envoy) …
  0 code power | 23 pages | 1.18 MB | 1 year ago

宋净超: From open-source Istio to enterprise-grade services: how to land a service mesh in the enterprise
  … NodePort service type instead of a LoadBalancer. Architecture
  ● Multi cluster
  ● Multi mesh
  ● Components
    ○ Management plane
    ○ Global control plane
    ○ Local control plane
  TSB Management Plane ● Front …
  0 code power | 30 pages | 4.79 MB | 6 months ago

Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
  … MTTR, #bugs-in-production, reduced eng effort for testing, velocity) – Early testing of services … components auto-generated from end-to-end tests – Significantly reduced time and cost for API testing for …
  0 code power | 21 pages | 1.09 MB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
  … hardware Load-Balancers (LB)
  ● Application-Tier LB
    ○ K8s service realized on Application-Tier LBs
  ● Web-Tier LB to control:
    ○ Percentage of traffic sent to an AZ, region, etc.
    ○ L7 routing
    ○ Hardware …
  … closest Web-Tier LB based on DNS lookup. (Figure: Application-Tier Load-Balancer / Web-Tier Load-Balancer diagram)
  …
    apiVersion: apps.cloud.io/v1
    kind: AccessPoint
    metadata:
      name: my-accesspoint
    spec:
      accessPoints:
      - name: web-tier
        scopeIDs:
        - az1
        scopeType: AvailabilityZone
        traffic:
          gateways:
          - apiVersion: …
  0 code power | 22 pages | 505.96 KB | 1 year ago

Developing & Debugging WebAssembly Filters
  Copyright © 2020. Portable, Secure, Fast, Any Language, Outside the Web: WebAssembly. Extend Envoy Proxy with WebAssembly (Wasm). Polyglot: Envoy filters are written in C++ and Wasm … SECURITY, Technology, User Experience … WebAssembly lifecycle … Build: `meshctl wasm init addheader-filter --language …` … Build, Store, Deploy, Debug: Debug in Production … WebAssembly Envoy Filter: User Experience: simplified tooling to bootstrap Wasm modules in Rust, C++, …
  0 code power | 22 pages | 2.22 MB | 1 year ago
14 items in total