Istio Security Assessment
Google Istio Security Assessment. Google / NCC Group, confidential. Dashboard, target metadata: Name: Istio; Type: Architecture Review and Code-Assisted Security Assessment; Type: Kubernetes Service. Total issues: 18. Category breakdown: Access Controls 7, Configuration 5, Cryptography 1, Data Exposure 3, Data Validation 2. Component breakdown: Istio 10, Istio Sidecar 3, Istioctl 2, Pilot 3. Key finding: Critical Communications; Risk: High (Impact: High, Exploitability: Medium); Identifier: NCC-GOIST2005-004; Category: Data Exposure; Component: Istio; Location: Istio Control Plane: controlPlaneSecurityEnabled istioctl configuration
51 pages | 849.66 KB | 1 year ago
Full-Stack Service Mesh: Aeraki Helps You Manage Any Layer-7 Traffic in the Istio Service Mesh
[Diagram: services talking to a message broker, RPC, messaging, cache, RDB and NoSQL backends] We need to manage multiple types of layer-7 traffic in a service mesh, not just HTTP: RPC (HTTP, gRPC, Thrift, Dubbo, proprietary RPC protocols, ...); messaging (Kafka, RabbitMQ, ...); cache (Redis, Memcached, ...); database (MySQL, PostgreSQL, MongoDB, ...); other layer-7 protocols. [Diagram: IP header, TCP header and layer-7 header wrapping the payload] #IstioCon What Do We Get From Istio? [Same layering diagram] Traffic Management
29 pages | 2.11 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
(Consul, Kuma, ...) #IstioCon Emerging use cases. Legacy scenarios: stateful applications (data stores); legacy software (financial services, enterprise/workshop applications, hard to lift ...). 10.4.4.4: DNS queries go to the system-configured name servers; Envoy does not use the agent's DNS cache. HTTP request to 10.4.4.4: GET /status/200, httpbin.ns1.svc.cluster.local, service IP 10.4.4.4. HTTP request ... to services in the cluster: the DNS name is resolved and the request gets routed through the gateway to the service. Data-plane traffic: single network, direct communication without requiring an intermediate gateway; multiple ...
50 pages | 2.19 MB | 1 year ago
Istio in Production
Welfare Administration, 5.2 million. nais.io, github.com/nais. [Diagram: CD, metrics, alerts, deploy, cache, events, logs, secrets, storage, runtime, app, dev, prod]
42 pages | 3.45 MB | 1 year ago
Baidu App Infrastructure Upgrade Based on Istio - lightning talk - MichaelXu
...ent. The RPC framework queries bns-agent for the IP and the governance-policy data. bns-agent decides whether Envoy is used for service governance. The RPC framework sends the request to the IP returned, using the returned governance-policy information; it caches this data, so it must be refreshed promptly. If Envoy goes offline or is intervened on, bns-agent is notified immediately and the fallback uses the original governance policy. #IstioCon Architecture overview: Mesh control center: Operations center: a unified operations center built on the mesh.
9 pages | 2.20 MB | 1 year ago
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
...disk onto the corresponding node. Create the private-registry login Secret: after obtaining the private registry's login credentials, create the Secret with the following command: kubectl create secret generic asmwasm-cache -n istio-system --from-file=.dockerconfigjson=myconfig.json --type=kubernetes.io/dockerconfigjson
23 pages | 2.67 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
...usage of the language. Istio consists of two components: the control plane and the data plane. The data plane handles the connections between services and is formed by a series of proxies deployed as sidecars. ...

    u, err := url.Parse(srcURL)
    if err != nil {
        return "", fmt.Errorf("invalid chart URL: %s", srcURL)
    }
    data, err := httprequest.Get(u.String())
    if err != nil {
        return "", err
    }
    name := filepath.Base(u.Path)
        err := os.Mkdir(dir, 0o755)
        if err != nil {
            return "", err
        }
    }
    if err := os.WriteFile(destFile, data, 0o644); err != nil {
        return destFile, err
    }
    return destFile, nil
}

Exploitation: To exploit this ...
55 pages | 703.94 KB | 1 year ago
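The audited sequence above derives the local file name for a downloaded chart with filepath.Base(u.Path) and then writes under a directory. As an added example (not code from the audit report or from Istio), the following Go function reproduces that derivation and puts the checks a reviewer would want around it: it rejects the degenerate values filepath.Base returns for an empty path, a bare slash or a path ending in "..", requires a .tgz suffix (an assumption about how charts are packaged), and confirms the joined path sits directly under the target directory. The function name, the error value and the sample URLs are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrBadChartName is returned when the URL path does not yield a usable
// archive file name. Hypothetical name, not from Istio.
var ErrBadChartName = errors.New("chart URL path does not name a chart archive")

// chartDestPath mirrors the audited sequence (url.Parse, then
// filepath.Base(u.Path) joined to a directory) and rejects derived names
// that are not a plain archive file name. It assumes chart archives end in
// ".tgz"; that suffix requirement is an assumption of this example.
func chartDestPath(dir, srcURL string) (string, error) {
	u, err := url.Parse(srcURL)
	if err != nil {
		return "", fmt.Errorf("invalid chart URL: %s", srcURL)
	}
	// filepath.Base returns "." for an empty path, "/" for a bare slash and
	// ".." for a path ending in "..": none of these is a file name.
	name := filepath.Base(u.Path)
	switch {
	case name == "", name == ".", name == "..", name == string(filepath.Separator):
		return "", fmt.Errorf("%w: %q", ErrBadChartName, name)
	case strings.ContainsAny(name, `/\`):
		return "", fmt.Errorf("%w: %q", ErrBadChartName, name)
	case !strings.HasSuffix(name, ".tgz"):
		return "", fmt.Errorf("%w: %q", ErrBadChartName, name)
	}
	dest := filepath.Join(dir, name)
	// Defence in depth: the joined path must sit directly under dir.
	if filepath.Dir(dest) != filepath.Clean(dir) {
		return "", fmt.Errorf("%w: %q escapes %q", ErrBadChartName, name, dir)
	}
	return dest, nil
}

func main() {
	// Constructed inputs: one well-formed chart URL, three whose path
	// filepath.Base alone turns into ".", "/" or "..", and one non-archive.
	for _, src := range []string{
		"https://example.com/charts/istio-1.17.1.tgz",
		"https://example.com",
		"https://example.com/",
		"https://example.com/charts/..",
		"https://example.com/charts/values.yaml",
	} {
		dest, err := chartDestPath("/tmp/charts", src)
		fmt.Printf("%-45s -> dest=%q err=%v\n", src, dest, err)
	}
}
```

Percent-encoded dots or slashes are decoded by url.Parse before filepath.Base runs, so "..%2f" sequences collapse to their last path element and are covered by the same checks; the final Dir comparison catches anything the name checks miss.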
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
...tests. What is our solution? Leverage the Istio sidecar to listen to API traffic data and create tests from that data: 10x speed in creating API tests. Can also be sped up by just navigating the application UI. Create E2E tests, component tests and service tests from the same data. Key product benefits: number of releases, number of rollbacks, MTTR, bugs in production, reduced engineering effort for testing, velocity. [Diagram: Service A, Service B, Service C, each with a proxy, in the mesh; Mesh Dynamics data store] Deploy: kubectl apply -f ... Capture using a Lua filter: all API data plus trace IDs. Assemble API request traces ...
21 pages | 1.09 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
...from API services, search engine, etc.; databases and key-value stores (Oracle, MySQL, etc.); big-data systems and pipelines (Hadoop, Apache Spark, Apache Flink, etc.); machine-learning platforms (TensorFlow, GPUs). #IstioCon Application deployment, cloud layout: Region: a metro region. DC: one or more data centers in each region. AZ: one or more availability zones in each DC, with independent power, cooling ... PoPs: peering with the Internet closer to the customer; PoPs are mini AZs. [Diagram: Region R1 with AZ 1, AZ 2, AZ n inside Data Center DC1; Region Rn] Application deployment, cloud layout: multiple K8s clusters ...
22 pages | 505.96 KB | 1 year ago
Optimal Canary Deployments using Istio and how it scores over Spring Cloud and Kubernetes
[Diagram: a Kubernetes Service (ClusterIP) splitting traffic 75% / 25% across pods; cross-version traffic between my-data-service and demo-canary] Canary releases using Spring Cloud: [Diagram: demo-canary service instances V1 and V2, my-data-service service instances V1 and V2, Spring Eureka, cross-version traffic through a load balancer] Canary releases ... [Diagram: V1 and V2 service instances registered in Spring Eureka, same-version traffic]
9 pages | 1011.00 KB | 1 year ago