Istio Security Assessment
Istio Security Assessment Google / NCC Group Confidential kubectl exec -it {YOURPOD} -n {YOURNS} -- curl istiod.istio-system.svc.cluster.local:15014/debug • This will return the plaintext debug endpoint result of the following 7. Run the following command and observe that a normal HTML page is returned curl -v "http://$GATEWAY/productpage" 8. Use an administrative account to run the following commands samples/bookinfo/networking/bookinfo-gateway.yaml 9. Run the following two commands curl -v "http://$GATEWAY/productpage" curl -v "http://$GATEWAY/login" 10. Observe that the first command now returns a 404
51 pages | 849.66 KB | 1 year ago
Secure your microservices with istio step by step
-noout -text -in - ● Part of cluster config in envoy config-dump ○ kubectl exec-c istio-proxy curl localhost:15000/config_dump #IstioCon Istio identity – check configuration result ● Result: cert ingress gateway via TLS terminating Using ingress host and secure ingress port to send request: From curl command: need attaching certificate file Access productpage 1) Generate client and server certificates gateway Authorize ingress traffic via JWT https + JWT http http http mTLS mTLS Send request via curl command : 1) Invalid token can not pass the gateway, only valid token does 2) Delete JWT authentication
34 pages | 67.93 MB | 1 year ago
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
wasm/envoy.wasm.metadata_exchange Istio_authn kubectl exec -it [productpage-xxx] -c istio-proxy curl localhost:15000/config_dump envoy.filters.http.cors envoy.filters.http.fault envoy.filters.http Enable the wasm capability in ASM. Confirm that the workload deployment change has taken effect: 1. Log in to the proxy container to check whether the wasm filter was mounted successfully 2. Adjust the wasm log level: curl -X POST http://localhost:15000/logging?wasm=debug #IstioCon Thank you!
23 pages | 2.67 MB | 1 year ago
Your laptop as part of the service mesh
and where to reroute ? #IstioCon The contract GET / HTTP/1.1 Host: example.com User-Agent: curl/7.64.1 X-devroute: { “foo”:”192.168.1.12:8001” } Accept: */* #IstioCon Pseudo implementation
30 pages | 555.24 KB | 1 year ago
4 results in total