"${NAMESPACE}-access", "namespace": "$NAMESPACE" }, "rules": [{ "apiGroups": [ "", "extensions", "apps", "networking.k8s.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "config kind: ServiceAccount metadata: name: sleep-restrict namespace: jtd-restrict-test --- apiVersion: apps/v1 kind: Deployment metadata: name: sleep-restrict spec: replicas: 1 selector: matchLabels: app: verbs: - '*' - apiGroups: 44 | Google Istio Security Assessment Google / NCC Group Confidential - apps - extensions resources: - daemonsets - deployments - deployments/finalizers - ingresses - replicasets

External APIs Istio enables learning tests from API usage Learnt by Mesh API Studio Third-party apps Manual QA trace: r trace: r trace: r trace: r CI Pipeline | CONFIDENTIAL 9 Process flow External APIs Creating test suites from API traffic Created by Mesh API Studio Third-party apps Manual QA trace: r trace: r trace: r trace: r CI Pipeline | CONFIDENTIAL 16 ML-assisted

• Kubernetes service account based authn/authz • Secure cross-cluster interaction between client apps and Kafka Security goals 4 • Kafka brokers require private-key and certificate pairs • Private

attendance Workshop Istio 0 to 60 Workshop Hands-on practices for Controlling Kubernetes Native Apps with Service Mesh Manage and Secure Distributed Services with Anthos Service Mesh Multi-tenant

Kubernetes cluster ● VM integration ● On-prem, AWS, Azure, GCP, OpenShift ● 10000+ core business apps ● Plan to move to public cloud in 18 months ● Using F5 to distribute traffic at the DMZ zone Solving

Specs ○ Leverage Istio object model: Gateway, VirtualService, DestinationRules, etc. apiVersion: apps.cloud.io/v1 kind: AccessPoint metadata: name: my-accesspoint spec: accessPoints: - name: web-tier