4. Review and improve Istio's fuzzing suite. 5. Perform a SLSA review of Istio. The audit was started with a kickoff meeting, and following that, Ada Logics had weekly meetings with the Istio team to largely from having a substantial fuzz test suite that runs continuously on OSS-Fuzz. Ada Logics started the fuzzing assessment by prioritising security-critical parts of Istio. We found that many of these run the file with go run main.go. The resulting stack trace should be: 2022/10/12 15:56:26 server started Creating fetcher Fetching size of returned body: 1.86GB main.go 1 package main 30 Istio Security

Engine (GKE) cluster ● 12k+ pods ● 750+ nodes Istio at Mercari 7 Istio at Mercari Apr 2019 Started Istio PoC Sep 2019 First release in production Feb 2021 ~25% production services ~50% During pod creation ○ During pod deletion ● To prevent it, we need to make sure that: 1. Envoy is started before any other container in a pod 2. Envoy is stopped after any other container in a pod 14 Workaround: Use postStart and preStop lifecycle hooks Stabilizing Istio 1. Ensure that Envoy is started before any other container in a pod ● Use a `postStart` lifecycle hook in the istio-proxy container

Istio has applied to become a CNCF project Release v1.0 Istio is ready for production Started Started by teams from Google and IBM 2017 2018 2022-04 2023 2022-09 Community Growth New Contributors

Kubelet Start a pausing pod Kubelet invoke CNI plugins CNI plugins setup ip for pod Pod could get started in here and bypassing istio sidecar proxy(race condition) Istio CNI install sidecar network routing Kubelet Start a pausing pod Kubelet invoke CNI plugins CNI plugins setup ip for pod Pod could get started in here and bypassing istio sidecar proxy(race condition) Istio CNI install sidecar network routing

schooler who loves learning about everything related to computers, especially interface design. I started working on Istio last summer. Istio.io Work Automation Indicator #7734 Add IBM Cloud Kubernetes

Inspiration #IstioCon Questions #istiocon @ istio.slack.com @lfundaro #IstioCon How it all started Omio is ● Flights + Buses + trains: all under a single transaction ● Integrates 800+ transportation

DNS_AUTO_ALLOCATE ○ Decoupled from DNS_CAPTURE ● Documents available ○ Virtual Machine Installation to get started. ○ Virtual Machine Architecture to learn about the high level architecture of Istio’s virtual machine

services • Istio Documentation: The documentation and secu- rity guides hosted on istio.io. NCC Group started the assessment with an overall architecture review which extrapolated areas of focus for subsequent