Istio audit report - ADA Logics - 2023-01-30 - v1.0
The OSS-Fuzz build is maintained to avoid disruption. ● Istio does not run the fuzzers in its CI pipeline. Istio has had its fuzzing suite for around a year and has previously found high severity security responsible for applying user configuration to the proxies. The following diagram demonstrates the Istio architecture: 11 Istio Security Audit, 2023 Trust boundaries We identify the following trust boundaries: provenance would need improvement. The slsa-github-generator can be integrated into Istio's build pipeline as a first step to start 53 Istio Security Audit, 2023 work on provenance generation. This would
0 credits | 55 pages | 703.94 KB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
by Mesh API Studio Third-party apps Manual QA trace: r trace: r trace: r trace: r CI Pipeline | CONFIDENTIAL 9 Process flow using Istio Deploy Lua filters (kubectl apply -f) by Mesh API Studio Third-party apps Manual QA trace: r trace: r trace: r trace: r CI Pipeline | CONFIDENTIAL 16 ML-assisted Context Rule Learning createProduct(…): Response { “productId”:
0 credits | 21 pages | 1.09 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
Use your CD tooling (i.e. Spinnaker) to automate this migration ● Ask users to use the migration pipeline when onboarding with Istio This approach is quite similar to canary release so you gain time by Istio Adopting Istio ● We are using Terraform to handle the Sidecar CRD Policy and GitOps CI/CD pipeline to apply them ● We are exploring Cuelang to template a simple DSL for managing various features
0 credits | 69 pages | 1.58 MB | 1 year ago
Using Istio to Build the Next 5G Platform
Aspen Mesh. All rights reserved. https://medium.com/5g-nr/5g-service-based-architecture-sba-47900b0ded0a 5G Architecture 4 Key Platform Requirements Multi-Vendor Implementation 5G Architecture Looks a Lot Like a Mesh? 6 https://medium.com/5g-nr/5g-service-based-architecture-sba-47900b0ded0a 5G Architecture with Istio 7 Management Powerful Layer 7 (HTTP/2) routing 8 Architecture Options 9 Namespace Level Tenancy Control Plane
0 credits | 18 pages | 3.79 MB | 1 year ago
Istio Security Assessment
Google’s Istio subject matter experts. Scope NCC Group’s evaluation of Istio included: • Istio Architecture: The overall design and architecture of Istio as it is deployed within common environments such documentation and security guides hosted on istio.io. NCC Group started the assessment with an overall architecture review which extrapolated areas of focus for subsequent phases of the assessment. A test plan Assessment Google / NCC Group Confidential Dashboard Target Metadata Engagement Data Name Istio Type Architecture Review and Code-Assisted Security Assessment Type Kubernetes Service Mesh Method Code-assisted
0 credits | 51 pages | 849.66 KB | 1 year ago
Service mesh security best practices: from implementation to verification
Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture ● Attack vectors. ● ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster Edge Operations Workload Service Privilege Escalation Application Compromise Control Plane Service mesh security architecture Cluster Workload Edge Operations Ingress Policies Egress Policies WAF / IDS Firewall
0 credits | 29 pages | 1.77 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
etc. ● AZ Control Plane ○ Syncs specs to workload K8s clusters in the AZ ○ Shared-Nothing Architecture ■ Hosts services catering to the AZ, e.g., AZ IPAM, Network Load-balancers, etc. ■ Full Evolve into AZ based architecture ● Dial-tone security with Trust Domain ● L7 policy enforcement Step 1 Step 2 Step 3 Step 4 Declarative Intent Replace Hardware AZ Architecture Evolving Security Ingress Gateways One Istio Deployment per workload K8s cluster #IstioCon Step 3: Evolve into AZ architecture ● One Istio deployment per K8s cluster is simple, but traffic between clusters in same AZ
0 credits | 22 pages | 505.96 KB | 1 year ago
Secure your microservices with istio step by step
traffic ● Summary #IstioCon Istio Architecture Connect, secure, control, and observe services. #IstioCon Security Architecture #IstioCon Bookinfo architecture without service mesh ● Reviews-v1
0 credits | 34 pages | 67.93 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
available ○ Virtual Machine Installation to get started. ○ Virtual Machine Architecture to learn about the high level architecture of Istio’s virtual machine integration. ○ Debugging Virtual Machines to security model for end-to-end key protection #IstioCon Legacy VNF CNF: Option 1 ● Recommended architecture ● But… not adorable for legacy service owners sometimes #IstioCon Legacy VNF CNF: Option
0 credits | 50 pages | 2.19 MB | 1 year ago
Moving large scale consumer e-commerce Infrastructure to Mesh
Internet egress bandwidth over 100 TB/month ● Internal egress bandwidth ~2 PB/month #IstioCon Architecture Overview ● User traffic infrastructure - TW region, all 3 zones ● REST APIs for client traffic inter-service traffic ● Around 100+ microservices ● Majority of services written in Go #IstioCon Architecture Overview - Discovery and Routing ● Service Discovery and Configuration using Consul ● HTTP/TCP
0 credits | 14 pages | 1.76 MB | 1 year ago
12 results in total













