Istio-redirector: the way to go to manage thousands of HTTP redirections
#IstioCon Istio-redirector: the way to go to manage thousands of HTTP redirections Etienne Fontaine (@etifontaine) #IstioCon Istio-redirector 301-redirection from /bus/routes/bruxelles/lille [...] spec: gateways: - istio-system/istio-ingressgateway hosts: - www.blablacar.fr http: - match: - uri: exact: /co2 redirect: uri: /blablalife/lp/zeroemptyseats
0 credits | 13 pages | 1.07 MB | 1 year ago

Istio Security Assessment
Istio Security Assessment Google / NCC Group Confidential - "*" gateways: - test/bookinfo-gateway http: - match: - uri: exact: /productpage route: - destination: host: details.restrict-test.svc.cluster the following 7. Run the following command and observe that a normal HTML page is returned curl -v "http://$GATEWAY/productpage" 8. Use an administrative account to run the following commands kubectl -n commands curl -v "http://$GATEWAY/productpage" curl -v "http://$GATEWAY/login" 10. Observe that the first command now returns a 404 error and the second command returns a redirect to http://www.nccgroup
0 credits | 51 pages | 849.66 KB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
NewHandler in an http.MaxBytesHandler.” John found that when the recommended MaxBytesHandler was used, the request body was not fully consumed, meaning that when a server attempts to read HTTP2 frames from the connection it will instead be reading the body. As such, the MaxBytesHandler introduces an http request smuggling attack vector. The issue was disclosed to the Golang security team who fixed the slice controlled by potentially untrusted file size Low High Yes 5 Possible memory exhaustions in http utilities Low Medium Yes 6 Istio skips certificate verification Low High Yes 7 Unhandled errors
0 credits | 55 pages | 703.94 KB | 1 year ago

SberBank story: moving Istio from PoC to production
SERVICE MESH Proxy Proxy sidecar sidecar Configuration for proxy Certs, ACLs… Raw metrics HTTP/1 HTTP/2 gRPC Why? Innovation trigger Peak of inflated Expectations Trough of Disillusionment Slope 1.6 Service Mesh Operator Lessons Learned 1. Init containers maybe not the best option • NET_RAW and NET_ADMIN • Traffic failures due to init restarts (#16768) 2. Be careful with secrets rotation 1
0 credits | 14 pages | 1.68 MB | 1 year ago

Preserve Original Source Address within Istio
Original Address Preserve Background Demo 1. HTTP Original Address Preserve #IstioCon Content 1. TCP Original Address Preserve Background Demo 1. HTTP Original Address Preserve #IstioCon What is transparent mode, two connections L4 • Add IP in TCP Protocol options • Proxy Protocol L7 • HTTP header “x-forwarded-for” • User Protocol #IstioCon LVS ① user send traffic to LVS ② PREROUTING per-connection basis which of the two versions is present. - Proxy Protocol Transport Socket #IstioCon HTTP XFF x-forwarded-for (XFF) is a standard proxy header which indicates the IP addresses that a request
0 credits | 29 pages | 713.08 KB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
Knative and Istio Istio is the default networking layer solution of Knative. It is leveraged for Net-istio is A Knative ingress controller for Istio. Knative is an open source project which provides gress-gateway - knative-serving/knative-local-gateway hosts: - blue.51ch62kjrnd.svc.cluster.local http: route: - destination: host: {revision-3}. 51ch62kjrnd.svc.cluster.local weight: 10 - destination:
0 credits | 23 pages | 2.51 MB | 1 year ago

Accelerate Istio-CNI with ebpf
the Kubernetes pod life-cycle’s network setup phase, ● Removing the requirement for the NET_ADMIN and NET_RAW capabilities for users deploying pods into the Istio mesh. ● The Istio CNI plugin replaces
0 credits | 15 pages | 658.90 KB | 1 year ago

Istio Meetup China: Service Mesh Security, Understanding Istio CNI
isidecar network routing rule to workload iptable Benefits of Istio CNI No need for CAP_NET_ADMIN and CAP_NET_RAW permission No need for istio-init container means faster startup speed (need validation
0 credits | 19 pages | 3.17 MB | 1 year ago

Sketch a Mesh for You
Solo.io @christianposta christian@solo.io https://blog.christianposta.com https://slideshare.net/ceposta 3 | Copyright © 2020 4 | Copyright © 2020 5 | Copyright © 2020 6 | Copyright ©
0 credits | 13 pages | 2.71 MB | 1 year ago

Building resilient systems inside the mesh: abstraction and automation of Virtual Service generation
Istio/Envoy for retries and timeouts without knowing it. #IstioCon Thank you! vlad@thoughtmachine.net
0 credits | 9 pages | 1.04 MB | 1 year ago