#IstioCon Istio Project Update Lin Sun @linsun_unc #IstioCon Speaker Intro #IstioCon Istio Community Number of contributors last 12 months: 350+ contributing companies 500+ PR authors 1900+

Arun Kumar R Prepared by Mark Manning Jeff Dileo Divya Natesan Andy Olsen Feedback on this project? https://my.nccgroup.com/feedback/67b627f7-a0a2-43b7-ad68-af515a9ed2e0 Executive Summary Synopsis five weeks along with the help of multiple shadows (provided at no additional cost) worked on the project in tight partnership with Google’s Istio subject matter experts. Scope NCC Group’s evaluation of see https://shattered.io/ Reproduction Steps The following list identifies functions in the Istio project that are using insecure hashing algo- rithms: • istio/istio/mixer/adapter/list/list.go (line 193)

Security Audit, 2023 Table of contents Table of contents 1 Executive summary 2 Notable findings 3 Project summary 4 Audit scope 6 Overall assessment 7 Fuzzing 9 Threat model 11 Issues found 17 Review Executive summary In September and October 2022 Ada Logics carried out a security audit of the Istio project. The audit was sponsored by the CNCF and facilitated by OSTIF as a step towards graduation for Istio team who fixed the vulnerability and assigned it CVE-2022-41721. 3 Istio Security Audit, 2023 Project summary Ada Logics auditors Name Title Email Adam Korczynski Security Engineer Adam@adalogics

Announcing Istio's graduation within the CNCF Join CNCF Istio has applied to become a CNCF project Release v1.0 Istio is ready for production Started Started by teams from Google and IBM ιστία) 1. sail What about the rest of the boat? Upcoming Talks: Aperture - Load Management Meshery - WASM plugin management Argo - Multi-cluster orchestration JP Morgan SLO Generation Reflecting on the

Mesh) Louis Ryan (Principal Engineer, Google) #IstioCon Highlights of 2020 ● Better life cycle management ○ Istioctl install & Operator support ● Architectural simplification ○ Monolith control plane https://dzone.com/articles/defining-day-2-operations #IstioCon What does it mean for our users? ● Project maturity ○ Move “slowly and fix things” ○ Sustain the tremendous production adoption of Istio Dual-stack (IPv6/IPv6) ○ Virtual Machine Expansion ○ Multi cluster mesh ○ Helm v3 life-cycle management ● Evaluate current feature status and fix gaps https://istio.io/latest/blog/2020/tradewinds-2020/

leveraged for Net-istio is A Knative ingress controller for Istio. Knative is an open source project which provides a set of components (Serving and Eventing) that introduce event-driven and serverless benefits: Focus on code Scale to zero Quick entry to serverless computing … … traffic management observability security … Knative design based on knative.dev #IstioCon r How Istio is leveraged capacity. In Istio 1.5.4: Istio scalability optimization during Knative Service provisioning Project Component CPU MEM HorizontalPodAutoscaler (HPA) request limit request limit Istio (1.7.3) istio-

Adoption Challenges ● Multi-region deployments ● Non-flat networks ● Multi-tenant configuration ● Management of Istio installation ● Self-service mesh enablement for service owners Demo Admiral API Init modifications to prevent proxy startup race conditions Thank You Admiral Istio Ecosystem Project https://github.com/istio-ecosystem/admiral Istio Slack #admiral

Mesh 中的七层流量管理能力 ❏ 几种扩展 Istio 流量管理能力的方法 ❏ Aeraki - 在 Isito 服务网格中管理所有七层流量 ❏ Demo - Dubbo Traffic Management ❏ MetaProtocol - Service Mesh 通用七层协议框架 #IstioCon Protocols in a Typical Microservice Application Database: mySQL, PostgreSQL, MongoDB ... ● Other Layer-7 Protocols: ... Control Plane (Traffic Management, Security, Observability) #IstioCon What Do We Expect From a Service Mesh? 为了将基础设施的运维管理从应用代码中剥离，我们需要七层的流量管 Header Layer-7 Header Data Traffic Management for HTTP/gRPC - all good ● We get all the capabilities we mentioned on the previous slide Traffic Management for non-HTTP/gRPC - only layer-3 to layer-6

TSB: The Application-Aware Networking Platform Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload Architecture ● Multi cluster ● Multi mesh ● Components ○ Management plane ○ Global control plane ○ Local control plane TSB Management Plane ● Front Envoy ● Multi Cluster support ● XCP Central -> Kubernetes Gateway API Use Case: A Financial Company Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload

Agenda ● GoPay & Istio ● Before mutual TLS ● Implementing mutual TLS ○ Centralized Certificate Management ○ Ingress mutual TLS ○ Egress mutual TLS ● Challenge & Future Works GoPay & Istio About ● IP that used by all services) Implementing Mutual TLS Centralized Certificate Management ● Central certificate management manage our certificate lifecycle for HTTPS and mutual TLS communication. ●