Istio Security Assessment
Findings (number, severity, title):
009 Medium Go Trace Profiling Enabled By Default
013 Medium Permissive Kubernetes RBAC within a Namespace
015 Medium Default Sidecar Image Not Hardened
001 Low The Sidecar Does Not Use AppArmor/Seccomp
network communications use mTLS (or at minimum, TLS) for communications within the istio-system namespace / control plane. As mentioned in finding NCC-GOIST2005-002 on page 13, there are debug interfaces
global.controlPlaneSecurityEnabled=true
• Deploy the customized default policy
• Start a Pod in a namespace that is not managed by Istio
1 https://istio.io/latest/news/releases/1.5.x/announcing-1.5/upgra
Secure your microservices with istio step by step
Initializing services: 1) Deploy bookinfo services 2) Deploy bookinfo gateway 3) Deploy reviews-v2 service without istio sidecar (kubectl label namespace default istio-injection=disabled/enabled)
[diagram: http request flow between the bookinfo services] Result: can server
#IstioCon Istio identity – how to get configuration
● Format: "spiffe:///ns/<namespace>/sa/"
● istioctl proxy-config secret -o json | jq '.dynamicActiveSecrets[0]
Istio is a long wild river: how to navigate it safely
written in the official documentation, and actually, reference values are only disclosed for when namespace isolation is enabled.
The Sidecar CRD to save the mesh (Stabilizing Istio): the Sidecar CRD scopes configuration to a specific proxy, based on namespace or labels.
    apiVersion: networking.istio.io/v1beta1
    kind: Sidecar
    metadata:
      name: default
      namespace: mercari-echo-jp-dev
    spec:
      egress:
      - hosts:
Using Istio to Build the Next 5G Platform
Architecture Options ©2021 Aspen Mesh. All rights reserved.
Namespace Level Tenancy [diagram labels: Control Plane, AMF Frontend, Namespace AMF, Namespace SMF, SQL DB, AMF App B, AMF App A, SMF]
How to Make Legacy NFs Talk to CNFs in the Mesh [diagram labels: UDM Virtual Machine, Namespace SMF, SMF Frontend, UDM Egress Gateway, Redis DB, SMF App X]
Deep Packet Inspection [diagram labels: AMF Frontend, Namespace AMF, Namespace SMF, SQL DB, AMF App B, AMF App A, SMF Frontend, SMF Ingress]
Service mesh security best practices: from implementation to verification
[diagram labels: Service 1 Proxy, Service 2 Proxy, Namespace foo, Istio authn & authz policies, Namespace bar]
1. Use k8s network policies to limit the traffic in & out of a namespace.
2. Enforce k8s RBAC policies: roles bound to namespace; only mesh admins are allowed to have ClusterRole.
Cluster security, Access control, Edge security, Policy exceptions, Enforce boundaries, Cluster security best
Security lifecycle concepts: Secure, Monitor, Enforce, Verify. Demo: mesh security lifecycle [diagram labels: Sleep Proxy, Httpbin Proxy, Namespace foo, mTLS]
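The RBAC boundary described in point 2 above (and the "Permissive Kubernetes RBAC within a Namespace" finding in the NCC assessment listed earlier) is easy to state and easy to violate by accident. The following Go program is an added example, not code from the talk or from Istio: it audits a constructed `kubectl get ... -o json` style list of bindings and reports two kinds of boundary breaks, a ClusterRoleBinding granted to a subject that is not on an assumed mesh-admin allowlist (cluster-wide rights), and a RoleBinding that binds the built-in `cluster-admin` ClusterRole inside a namespace (full rights within that namespace). The struct shapes cover only the fields the audit reads; the allowlist key format `Kind:namespace/name` is this example's own convention.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of rbac.authorization.k8s.io/v1 RoleBinding/ClusterRoleBinding fields.
// Only what the audit reads is modelled (example-only shapes, not the real API types).
type Subject struct {
	Kind      string `json:"kind"`
	Name      string `json:"name"`
	Namespace string `json:"namespace,omitempty"`
}

type RoleRef struct {
	Kind string `json:"kind"` // "Role" or "ClusterRole"
	Name string `json:"name"`
}

type Binding struct {
	Kind     string `json:"kind"` // "RoleBinding" or "ClusterRoleBinding"
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace,omitempty"`
	} `json:"metadata"`
	Subjects []Subject `json:"subjects"`
	RoleRef  RoleRef   `json:"roleRef"`
}

// SubjectKey renders a subject as "Kind:name" or "Kind:namespace/name" so that
// the allowlist can name users, groups and namespaced service accounts alike.
func SubjectKey(s Subject) string {
	if s.Namespace != "" {
		return s.Kind + ":" + s.Namespace + "/" + s.Name
	}
	return s.Kind + ":" + s.Name
}

// ParseBindings decodes a List document ({"items":[...]}) of bindings.
func ParseBindings(doc []byte) ([]Binding, error) {
	var list struct {
		Items []Binding `json:"items"`
	}
	if err := json.Unmarshal(doc, &list); err != nil {
		return nil, err
	}
	return list.Items, nil
}

// AuditBindings returns one finding per violation of the namespace boundary:
//   - any ClusterRoleBinding whose subject is not an allowlisted mesh admin
//     (cluster-wide rights for a tenant);
//   - any RoleBinding that references the cluster-admin ClusterRole
//     (unrestricted rights inside that namespace, i.e. a permissive namespace role).
// A RoleBinding that references a narrower ClusterRole (e.g. "edit") is fine:
// Kubernetes confines it to the binding's namespace.
func AuditBindings(bindings []Binding, meshAdmins map[string]bool) []string {
	var findings []string
	for _, b := range bindings {
		switch b.Kind {
		case "ClusterRoleBinding":
			for _, s := range b.Subjects {
				if meshAdmins[SubjectKey(s)] {
					continue
				}
				findings = append(findings, fmt.Sprintf(
					"ClusterRoleBinding %s grants ClusterRole %q cluster-wide to %s",
					b.Metadata.Name, b.RoleRef.Name, SubjectKey(s)))
			}
		case "RoleBinding":
			if b.RoleRef.Kind == "ClusterRole" && b.RoleRef.Name == "cluster-admin" {
				findings = append(findings, fmt.Sprintf(
					"RoleBinding %s/%s binds cluster-admin inside the namespace",
					b.Metadata.Namespace, b.Metadata.Name))
			}
		}
	}
	return findings
}

// SampleBindings is a constructed input, not data from any real cluster.
const SampleBindings = `{"items":[
 {"kind":"ClusterRoleBinding","metadata":{"name":"mesh-admins"},
  "subjects":[{"kind":"Group","name":"mesh-admins"}],"roleRef":{"kind":"ClusterRole","name":"cluster-admin"}},
 {"kind":"ClusterRoleBinding","metadata":{"name":"team-a-wide"},
  "subjects":[{"kind":"ServiceAccount","name":"deployer","namespace":"team-a"}],"roleRef":{"kind":"ClusterRole","name":"edit"}},
 {"kind":"RoleBinding","metadata":{"name":"team-a-edit","namespace":"team-a"},
  "subjects":[{"kind":"ServiceAccount","name":"deployer","namespace":"team-a"}],"roleRef":{"kind":"ClusterRole","name":"edit"}},
 {"kind":"RoleBinding","metadata":{"name":"team-b-god","namespace":"team-b"},
  "subjects":[{"kind":"User","name":"alice"}],"roleRef":{"kind":"ClusterRole","name":"cluster-admin"}}
]}`

func main() {
	bindings, err := ParseBindings([]byte(SampleBindings))
	if err != nil {
		panic(err)
	}
	admins := map[string]bool{"Group:mesh-admins": true}
	for _, f := range AuditBindings(bindings, admins) {
		fmt.Println(f)
	}
}
```

Run it against a live cluster by feeding it the merged output of `kubectl get clusterrolebindings -o json` and `kubectl get rolebindings -A -o json`; anything it prints is a subject that can reach beyond its namespace, or a namespace in which a tenant is effectively root.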
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Service account - spiffe:///ns/<namespace>/sa/
■ The following assertions are enforced through admission checks:
● Each namespace is globally unique across all clusters
● Each
for on-demand config pushes to Envoy via Incremental XDS
● Support for multiple trust domains & namespace isolation natively in Istio
● Bridging trust between gateways of different AZs
○ Mutual TLS between
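Both the "Istio identity" item above (the `spiffe://…/ns/<namespace>/sa/…` format) and eBay's admission assertion that a namespace name is unique across all clusters rely on the same fact: the namespace component of a workload's SPIFFE ID is only meaningful if exactly one cluster can mint workloads for it. The Go program below is an added example, not code from either talk or from Istio. It parses a SPIFFE ID into trust domain, namespace and service account using the Istio layout `spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>`, and models the admission-time uniqueness rule with a hypothetical in-memory `NamespaceRegistry` (eBay's actual registry and admission webhook are not shown on the page; this is an assumed stand-in). `AuthorizeWorkload` then ties the two together the way a policy check on a peer certificate would: unknown trust domain or unregistered namespace means the identity is rejected.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Identity is the decomposed form of an Istio workload identity. Istio encodes
// it as a SPIFFE ID: spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>.
type Identity struct {
	TrustDomain    string
	Namespace      string
	ServiceAccount string
}

// ParseSPIFFE splits a SPIFFE ID into its three components and rejects anything
// that does not match the Istio path layout exactly (no extra segments, no empties).
func ParseSPIFFE(id string) (Identity, error) {
	const scheme = "spiffe://"
	if !strings.HasPrefix(id, scheme) {
		return Identity{}, errors.New("not a spiffe:// URI")
	}
	rest := strings.TrimPrefix(id, scheme)
	// The trust domain is everything up to the first slash; the path follows.
	slash := strings.Index(rest, "/")
	if slash <= 0 {
		return Identity{}, errors.New("missing trust domain or path")
	}
	td, path := rest[:slash], rest[slash+1:]
	parts := strings.Split(path, "/")
	if len(parts) != 4 || parts[0] != "ns" || parts[2] != "sa" || parts[1] == "" || parts[3] == "" {
		return Identity{}, fmt.Errorf("path %q is not ns/<namespace>/sa/<service-account>", path)
	}
	return Identity{TrustDomain: td, Namespace: parts[1], ServiceAccount: parts[3]}, nil
}

// NamespaceRegistry records which cluster owns each namespace name (hypothetical
// model of the admission check "each namespace is globally unique across clusters").
type NamespaceRegistry map[string]string // namespace -> owning cluster

// Claim registers ns for cluster. It fails if a different cluster already owns ns,
// which is the point at which a duplicate-namespace identity collision is prevented.
func (r NamespaceRegistry) Claim(ns, cluster string) error {
	if owner, ok := r[ns]; ok && owner != cluster {
		return fmt.Errorf("namespace %q already exists in cluster %q", ns, owner)
	}
	r[ns] = cluster
	return nil
}

// AuthorizeWorkload checks a peer's SPIFFE identity against the trust domains the
// mesh accepts and the namespace registry, returning the parsed identity on success.
func AuthorizeWorkload(id string, trusted map[string]bool, reg NamespaceRegistry) (Identity, error) {
	ident, err := ParseSPIFFE(id)
	if err != nil {
		return Identity{}, err
	}
	if !trusted[ident.TrustDomain] {
		return Identity{}, fmt.Errorf("untrusted trust domain %q", ident.TrustDomain)
	}
	if _, ok := reg[ident.Namespace]; !ok {
		return Identity{}, fmt.Errorf("namespace %q is not registered in the mesh", ident.Namespace)
	}
	return ident, nil
}

func main() {
	reg := NamespaceRegistry{}
	// Constructed scenario: two clusters race to create the same namespace name.
	fmt.Println("claim payments in cluster-a:", reg.Claim("payments", "cluster-a"))
	fmt.Println("claim payments in cluster-b:", reg.Claim("payments", "cluster-b"))

	trusted := map[string]bool{"cluster.local": true}
	for _, id := range []string{
		"spiffe://cluster.local/ns/payments/sa/api",
		"spiffe://evil.example/ns/payments/sa/api",
		"spiffe://cluster.local/ns/ghost/sa/api",
		"spiffe://cluster.local/ns/payments/sa/",
	} {
		ident, err := AuthorizeWorkload(id, trusted, reg)
		fmt.Printf("%-48s -> %+v err=%v\n", id, ident, err)
	}
}
```

The exact layout check matters more than it looks: an identity with an extra path segment or an empty service account would otherwise be parsed as "some" namespace and might satisfy an AuthorizationPolicy written for it.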
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
user namespace.
o The Sidecar CR helps to limit the known egress hosts for sidecars; a sidecar only needs to know the mesh in its own user namespace.
o We can limit the mesh size to namespace scope
Moving large scale consumer e-commerce Infrastructure to Mesh
● Split rollout into phases ● Set up control plane and related tooling ● Sidecar injection by namespace or on-demand ● Passthrough mode during rollout ● Service entry to connect internal proxy ● for easy management of setup across environments ● Ignore ports / IP as applicable - consul ● Namespace isolation helps reduce Istio proxy resources
#IstioCon Next Steps ● Move stateful components
Accelerate Istio-CNI with ebpf
Using pod_ip to generate a unique key is a way to distinguish sockets from different network namespaces.
#IstioCon Outbound Acceleration; Envoy to Envoy Acceleration (same host)
Istio Service Mesh at Enterprise Scale
k8s / Istio: Istio Validation Webhooks
● Allow configuration only related to the owned namespace
○ Only allow configuration for a "service's" hostname
● Validated
○ Deployments
○ Virtual Service
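The validation webhook rule above ("allow configuration only related to the owned namespace", "only allow configuration for a service's hostname") is the check that stops one tenant's VirtualService from hijacking another tenant's traffic. The Go program below is an added example of that check, not the enterprise webhook from the talk or any Istio code. It decodes a minimal, assumed subset of an `admission.k8s.io/v1` AdmissionReview (a real webhook should use the `k8s.io/api/admission/v1` types) and allows a VirtualService only when every host is either a short name (which Istio resolves in the rule's own namespace) or a fully qualified `<service>.<namespace>.svc.cluster.local` name in the namespace the API server reports for the request; wildcards and other namespaces' services are rejected. The cluster domain `cluster.local` is assumed. Note that this policy also rejects external or gateway hostnames such as `shop.example.com`; a real deployment would route those through a separate, admin-only allowlist.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal subset of an AdmissionReview, shaped like admission.k8s.io/v1 but
// declared here for the example (not the real Kubernetes types).
type AdmissionReview struct {
	Request  *AdmissionRequest  `json:"request,omitempty"`
	Response *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionRequest struct {
	UID       string          `json:"uid"`
	Namespace string          `json:"namespace"` // set by the API server, not by the tenant
	Object    json.RawMessage `json:"object"`
}

type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Result  *Status `json:"status,omitempty"`
}

type Status struct {
	Message string `json:"message"`
}

// VirtualService carries only the fields the check reads.
type VirtualService struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		Hosts []string `json:"hosts"`
	} `json:"spec"`
}

// ClusterDomain is assumed; read it from the cluster's DNS config in a real webhook.
const ClusterDomain = "svc.cluster.local"

// HostOwnedByNamespace reports whether host names a Service that belongs to ns.
// Short names are namespace-local by Istio's resolution rules; FQDNs must carry
// exactly "<service>.<ns>.svc.cluster.local". Wildcards are refused outright
// because "*" or "*.svc.cluster.local" would capture other tenants' traffic.
func HostOwnedByNamespace(host, ns string) bool {
	if host == "" || strings.Contains(host, "*") {
		return false
	}
	if !strings.Contains(host, ".") {
		return true
	}
	suffix := "." + ns + "." + ClusterDomain
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	svc := strings.TrimSuffix(host, suffix)
	return svc != "" && !strings.Contains(svc, ".")
}

// ReviewVirtualService decodes an AdmissionReview and returns the response the
// webhook would send back: allowed only if every host is owned by the request's
// namespace. The namespace in the request, not in the object's metadata, is used
// because the latter can be omitted or set to a different value by the submitter.
func ReviewVirtualService(body []byte) (*AdmissionResponse, error) {
	var ar AdmissionReview
	if err := json.Unmarshal(body, &ar); err != nil {
		return nil, err
	}
	if ar.Request == nil {
		return nil, fmt.Errorf("admission review has no request")
	}
	var vs VirtualService
	if err := json.Unmarshal(ar.Request.Object, &vs); err != nil {
		return nil, err
	}
	resp := &AdmissionResponse{UID: ar.Request.UID, Allowed: true}
	ns := ar.Request.Namespace
	for _, h := range vs.Spec.Hosts {
		if !HostOwnedByNamespace(h, ns) {
			resp.Allowed = false
			resp.Result = &Status{Message: fmt.Sprintf(
				"VirtualService %s: host %q is not a service owned by namespace %q", vs.Metadata.Name, h, ns)}
			break
		}
	}
	return resp, nil
}

// Constructed AdmissionReview bodies (example input, not captured from a cluster).
const (
	ReviewOK = `{"request":{"uid":"1","namespace":"payments","object":{"kind":"VirtualService",
	  "metadata":{"name":"api","namespace":"payments"},
	  "spec":{"hosts":["api","api.payments.svc.cluster.local"]}}}}`
	ReviewCrossNS = `{"request":{"uid":"2","namespace":"payments","object":{"kind":"VirtualService",
	  "metadata":{"name":"steal","namespace":"payments"},
	  "spec":{"hosts":["checkout.orders.svc.cluster.local"]}}}}`
	ReviewWildcard = `{"request":{"uid":"3","namespace":"payments","object":{"kind":"VirtualService",
	  "metadata":{"name":"all","namespace":"payments"},
	  "spec":{"hosts":["*"]}}}}`
)

func main() {
	for _, body := range []string{ReviewOK, ReviewCrossNS, ReviewWildcard} {
		resp, err := ReviewVirtualService([]byte(body))
		if err != nil {
			panic(err)
		}
		out, _ := json.Marshal(AdmissionReview{Response: resp})
		fmt.Println(string(out))
	}
}
```

Wire `ReviewVirtualService` behind an HTTPS handler registered through a ValidatingWebhookConfiguration for `networking.istio.io` VirtualService CREATE and UPDATE operations; the same `HostOwnedByNamespace` check can be reused for DestinationRule hosts.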