○ As of Istio 1.7.7+, 1.8.2+ and 1.9.0+ there is no longer the restriction that a plugged in CA certificate must use ECC cryptography (using ECDSA P-256) to use this feature ● Only ECDSA P-256 is supported certificateChain.inlineBytes' | \ sed 's/"//g' | base64 --decode | openssl x509 -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: … Signature Algorithm: prime256v1 NIST CURVE: P-256 istiod will generate a self-signed CA certificate using RSA if plugged in custom CA certificates aren’t specified #IstioCon MeshConfig support In Istio

was created which matched areas of code with specific security controls (e.g. service discovery, certificate lifecycle, side car injection) to focus testing efforts. Istio does not currently have a reference Sidecar Envoy Administrative Interface Exposed To Workload Containers 018 Low DestinationRules Without CA Certificates Field Do Not Validate Certificates 019 Low Default Injected Init Container Requires Sensitive but the only options included are how to “Harden Docker Container Images” and “Extending Self-Signed Certificate Lifetime”. There’s an op- portunity to highlight the impact of different securty options

issues found ● 5 system resource exhaustion ● 1 arbitrary file write ● 1 missing file close ● 1 certificate skipping ● 1 case unhandled errors ● 1 case of using a deprecated library ● 1 race condition FuzzIstioCASign istio.io/istio/security/pkg/ pki/ca https://github.com/istio/istio/blob/6 5478ea81272c0ceaab568974aff7 00aef907312/security/pkg/pki/ca/f uzz_test.go#L24 5 FuzzValidateCSR istio.io/istio/security/pkg/ go#L23 9 Istio Security Audit, 2023 6 FuzzBuildSecurityCaller istio.io/istio/security/pkg/ server/ca https://github.com/istio/istio/blob/6 5478ea81272c0ceaab568974aff7 00aef907312/security/pkg/server/c

(Pilot, Mixer, CA) accessible from the VMs ○ (optional) Kubernetes DNS server accessible from the VMs ● Onboard steps ○ Setup Internal Load Balancers (ILBs) for Kube DNS, Pilot, Mixer and CA ○ Generate VM's mesh identity (certificate) ■ based on a platform-specific identity ■ w/o a platform-specific identity ● using a short-lived K8s service account token ● Automatic certificate rotation ● Validation Alternative opts ○ Current: Fetch and exchange a k8s token for a bootstrap certificate, then place that bootstrap certificate on the VM ■ Dependency on K8s API server ■ Requires creating an RBAC impersonation

mutual TLS (mTLS) Option to encrypt intra-CNF traffic via mTLS Autonomous PKI service for certificate lifecycle management at scale What Do You Get From Istio? Traffic Management Powerful avoid escalated pod privileges ● Integrate with PKI minted Intermediate CA ● Enable ECC certificates ● Configure workload certificate TTLs ● Enable strict mutual TLS (mTLS) instead of auto ● Use dedicated rights reserved. ● Istio architectural changes ● SPIFFE only certificates ● Configuring workload certificate TTLs ● RSA to ECC migration ● Missing www-authenticate header ● Tuning per-workload proxy concurrency

Envoy 2. Request Cert (SDS)) 3. CSR Auth: JWT 4. Cert signed with SPIFFE format Istio-proxy CA server #IstioCon Istio identity – how to get configuration ● Format: "spiffe:///ns Using ingress host and secure ingress port to send request: From curl command: need attaching certificate file Access productpage 1) Generate client and server certificates and keys 2) Create a secret

communication using mTLS between all services • Configurable short-lived certificates • On the fly certificate renewals with no service downtime • Unified simplified configuration to enable mTLS for all services and certificate pairs • Private keys and certificates are stored in keystore and truststore files in JKS or PKCS12 or PEM format Challenges – Kafka broker SSL with client auth 5 • Certificate renewal Challenges – Certificate renewal 6 • Client certificates has be created for each separate client identity • Client certificates may take different formats (JKS, PEM, etc) • Client certificate renewal may

Gojek Agenda ● GoPay & Istio ● Before mutual TLS ● Implementing mutual TLS ○ Centralized Certificate Management ○ Ingress mutual TLS ○ Egress mutual TLS ● Challenge & Future Works GoPay & Istio used by all services) Implementing Mutual TLS Centralized Certificate Management ● Central certificate management manage our certificate lifecycle for HTTPS and mutual TLS communication. ● Renew AuthorizationPolicy to add IP allow listing Egress Mutual TLS ● Using Egress TLS origination ● Certificate is mounted in the client deployments using annotation sidecar.istio.io/userVolumeMount sidecar

restarts (#16768) 2. Be careful with secrets rotation 1. Hot restarts for TCP-traffic 2. Root certificate reissue (#14516) 3. Istio Discovery overload (#25495) 3. Sidecar & ExportTo tuning is required

Ingress Policies Egress Policies WAF / IDS Firewall User AuthN/Z Data Loss Prevention Certificate Authority K8s Network Policy K8s RBAC Audit Logging Image Verification Admission