Istio audit report - ADA Logics - 2023-01-30 - v1.0
PRESENTS Istio Security Audit In collaboration with the Istio projects maintainers and The Open Source Technology Improvement Fund, Inc (OSTIF). ostif.org Authors Adam Korczynski International (CC BY 4.0) Istio Security Audit, 2023 Table of contents Table of contents 1 Executive summary 2 Notable findings 3 Project summary 4 Audit scope 6 Overall assessment 7 Fuzzing 9 previous audit 50 Istio SLSA compliance 52 1 Istio Security Audit, 2023 Executive summary In September and October 2022 Ada Logics carried out a security audit of the Istio project. The audit was sponsored
0 points | 55 pages | 703.94 KB | 1 year ago 3
Apache Kafka with Istio on K8s
whole array of useful features such as Kafka protocol level metrics, extended client throttling, audit logs to name a few Takeaway 13 Q&A Thank you
0 points | 14 pages | 875.99 KB | 1 year ago 3
Service mesh security best practices: from implementation to verification
Firewall User AuthN/Z Data Loss Prevention Certificate Authority K8s Network Policy K8s RBAC Audit Logging Image Verification Admission Control Workload Identity K8s RBAC K8s CNI AuthZ Automatically manage source of truth for mesh policies. Audit log Cluster security Edge security Workload security Operation security 3. Monitor audit log. 3 Lifecycle of service mesh security and demo Lifecycle of service mesh security Edge Cluster Workload Operation GitOps Gatekeeper RBAC Audit log Metrics Security testing tools Security dashboard Prometheus Kiali Security Lifecycle
0 points | 29 pages | 1.77 MB | 1 year ago 3
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
grow Customer services Order services Catalog Customer history … Order details Payments Audit Search Suggest … Order validation Fraud Alerts … | CONFIDENTIAL Service testing Test a single
0 points | 21 pages | 1.09 MB | 1 year ago 3
Is Your Virtual Machine Really Ready-to-go with Istio?
limited to Istio agent (no support of other provisioner tools and HSM incompatible) ■ Limitations to audit (proactively secure) ● VM cert extensibility ○ No support for workload certificate attributes #IstioCon
0 points | 50 pages | 2.19 MB | 1 year ago 3
How HP set up secure and wise platform with Istio
Intelligence Platform for Multiple Tenant Support • Support multi-tenants (Add extra http header/ logs wisely) • Verify whether JWT token in blacklist or not • Different Rate Limits for each tenant Access Logs #IstioCon Excellent Observability Istio(envoy) can generate access logs for service traffic in a configurable set of formats #IstioCon Excellent Observability - Access logs Log Files Elastalert #IstioCon Excellent Observability - Access logs Istio-proxy log showed in kibana after parse #IstioCon Excellent Observability - Access logs API Error In last 30 days #IstioCon Thank you
0 points | 23 pages | 1.18 MB | 1 year ago 3
Developing & Debugging WebAssembly Filters
Production 19 | Copyright © 2020 Build Store Deploy Debug Debug in Production Debug Logs Access Logs Metrics 20 | Copyright © 2020 Build Store Deploy Debug Debug in Production 21 | Copyright
0 points | 22 pages | 2.22 MB | 1 year ago 3
Istio Meetup China Service Mesh Security: Understanding Istio CNI
plane proxies Troubleshooting Istio CNI Check the istio proxy container through nsenter Check CNI logs in kubelet (journalctl) Will do: grafana board istio CNI logging on daemonset istioctl scanning
0 points | 19 pages | 3.17 MB | 1 year ago 3
Istio in Production
Administration 5,2 million nais.io github.com/nais CD CD metrics alerts deploy cache events logs secrets storage runtime app dev prod dev prod internal
0 points | 42 pages | 3.45 MB | 1 year ago 3
Exploring and Practicing Istio-Based Microservice Governance and Event Monitoring
SDK support) TOM (who) Create a checklist(action) At 2018-0930(time) Log output Get the corresponding logs for one time request by transaction ID Request(Transaction ID) Basic principles of the Java probe A.class 1 2 3 4 5
0 points | 29 pages | 8.37 MB | 6 months ago 3