handles service discovery. • Istio Ingress/Egress: Networking controls allowing inbound and outbound access of Istio services. • Istio Envoy Usage: The configuration and implemen- tation of Envoy within Istio issues 4 Medium issues 5 Low issues 7 Informational issues 2 Total issues 18 Category Breakdown Access Controls 7 Configuration 5 Cryptography 1 Data Exposure 3 Data Validation 2 Component Breakdown when all the security features are enabled, there does not appear to be a way to restrict a Pod’s access to them. Attempts to modify the settings to “controlPlaneAuth Policy: MUTUAL_TLS” did not appear

istio-injection=disabled/enabled ） http http http http http http http Result: can access reviews-v1, reviews-v2 and reviews-v3 Access productpage #IstioCon Istio Identity Istiod Istio Agent Envoy 1. Start to send request: can access reviews-v1, reviews-v2 and reviews-v3 can reach v2 as peer-authentication only defines behavior of server side and auto-mTLS is on by default Access productpage 1) Apply and ingress host to send request: can access reviews-v1, reviews-v3 can not access reviews-v2 since we have enabled ISTIO_MUTUAL mode on client side Access productpage 1) Apply destination rule

with Istio multi-cluster - Replicated control planes Some standalone cluster without Istio can access core cluster also, as tenant. HP Horizon Platform Connect With Istio #IstioCon Secure Platform service. #IstioCon Secure Platform – Authorization Policy Using Authorization Policy enables access control on workloads in the mesh. For request from ingressgateway, need verify token For request Version 1 : Istio Mixer authz adapt Implement role-based authorization – whether this user can access this api based on its role => Version 2: Envoyfilter ext_authz #IstioCon Wise Platform #IstioCon

Istio is platform and language agnostic, but is o�en used on top of Kubernetes. It offers users easy access to features such as observability, traffic management and security without requiring users to add It also offers more advanced features to support A/B testing, canary deployments, rate limiting, access control, encryption and end-to-end authentication. Istio itself is implemented in Go which shields Istio allows users to create authorization policies to specify mesh-, namespace-, and workload-wide access control for workloads in the mesh. Authorization policies are created by users and are enforced at

Global Control-Plane ○ Syncs specs to AZ control-planes ○ Hosts global services - Global IPAM, Access-control Policy store, etc. ● AZ Control Plane ○ Syncs specs to workload K8s clusters in the AZ Architecture Evolving Security Current Status #IstioCon Step 1: Access Point Spec ● Capture Traffic Management & Routing intent as “Access Point” Specs ○ Leverage Istio object model: Gateway, VirtualService AccessPoint Spec Step 1: Access Point Spec ● Create the Specs on our Global Control Plane ● Realized on hardware LBs ● Internal orchestration & UI tools to use Access Point specs ● Standardization

support of multi tenants. • Knative has knative-ingress-gateway for external access and knative-local-gateway for cluster local access. They use Istio gateway service istio-ingressgateway as its underlying traffic end to end in production • Allow platform to use Istio authorization policy to control the access to each Knative service based on Istio service roles. How Istio is leveraged in a Knative based default. Not a scalability solution. o Activator needs to probe the service endpoint since it cannot access pods by IP directly. And it takes time for Istiod to discover the endpoint of ready pods and then

Define firewall and virtual private network to lock down external access. Edge security best practices Cluster security Access control Service Proxy Ingress Token exchange against token replay attacks. Internal JWT mTLS Edge security Cluster security best practices: access control Service 2 Service 1 1. Ensure traffic is natively encrypted, such as HTTPS 3. use k8s bypassing sidecars Cluster security best practices: safely handle policy exceptions Cluster security Access control Edge security Policy exceptions 2. Define policy constraints to automatically validate

V0.2 Mesh Expansion (cont.) ● Traffic flow (VM -> Container) 1. Dnsmasq accepts DNS queries 2. Access the built-in Kube DNS (exposed by ILB) 3. Obtain the Cluster IP resolved 4. Traffic intercepted create a ServiceEntry (to select specific workloads) #IstioCon What Else Did Not Solve? ● VM access to K8s services ○ needs convoluted workarounds ○ exposes security risks ● External TCP services support for workload certificate attributes #IstioCon Security & Usability Limitations (cont.) ● Access management: CNI needs improvements ○ Much required to avoid escalated Pod privileges ○ No support

work on code, docs or other parts of Istio. ● You can access our trove of technical content and working documents by joining the istio-team-drive-access@ Google Group. ● Interested in helping with Chinese

conference as well as the very quick access to playbacks. It allows me to not have to choose between sessions but if I do I have very quickly access to the playbacks." "Great to see how common