hardening controls and should be replaced with a more secure-by-default option. • The Pilot admin interface exposes unnecessary ser- vices and is accessible to anyone within a default cluster. • The Envoy composite risk score that takes into account the severity of the risk, application’s exposure and user population, technical difficulty of exploitation, and other factors. For an explanation of NCC Group’s 017 High Ingress Gateway Configuration Generation Enables Route Hijacking 023 High Pilot Debug Interface Exposes Sensitive Information 002 Medium Default Production Profile Not Sufficiently Hardened 003

balancing at requet level ○ HTTP host/header/url/method, ○ Thrift service name/method name ○ Dubbo Interface/method/attachment ○ ... ● Fault Injection with application layer error codes ○ HTTP status code AwesomeRPC ProductPage Reviews v1 AwesomeRPC (header: user != Jason) AwesomeRPC (header: user = Jason) AwesomeRPC (header: user = XXX) Reviews v2 Let’s say that we’re running a bookinfo EnvoyFilter ProductPage Reviews v1 AwesomeRPC (header: user != Jason) AwesomeRPC (header: user = Jason) AwesomeRPC (header: user = XXX) Reviews v1 Pilot EnvoyFilter ● Match:

Cluster Global Service Failover Multi Mesh 4 | Copyright © 2020 Orders Citadel Pilot Galley User Account Istiod Understanding Istio: Control and data planes data plane control plane 5 | Copyright WebAssembly? 8 | Copyright © 2020 8 | Copyright © 2020 User Experience 9 | Copyright © 2020 10 | Copyright © 2020 SECURITY Technology User Experience 11 | Copyright © 2020 11 | Copyright © 2020 rust -t webassemblyhub.io/yuval/addheader-rust:v1 ./addheader-filter ABI: Application Binary Interface 13 | Copyright © 2020 > meshctl wasm push webassemblyhub.io/yuval/addheader-rust:v1 Build Store

on the VM ■ Dependency on K8s API server ■ Requires creating an RBAC impersonation rule for each user ■ Private key and CSR generation limited to Istio agent (no support of other provisioner tools dedicated gateway support (architectural changes) ○ No separating out the gateway used for untrusted user traffic from the internal mesh traffic ○ One of the viable solutions to communicate between Legacy by C/S #IstioCon (eBPF-based) TCP/IP Stack Bypass ● eBPF ○ In-kernel virtual machine ○ Running user code in kernel space safety ○ Tracing, security ○ Networking ● Hooks ○ sock_ops ■ Construct

Me I’m a high schooler who loves learning about everything related to computers, especially interface design. I started working on Istio last summer. Istio.io Work Automation Indicator #7734 Add

static) into Pod IP addresses CNI plugins: allocate ip addresses for workloads exist in nodes CNI interface Calico Antrea Flannel Istio CNI CNI Daemonset Calico Antrea Flannel Istio CNI Networking lifecycle

Istio-agent and manage network traffic between microservices. The control plane is responsible for applying user configuration to the proxies. The following diagram demonstrates the Istio architecture: 11 Istio authentication to verify the client making the connection. 2. Request authentication: Used for end-user authentication to verify the credential attached to the request. Authorization Istio allows users trust boundaries. This could be a user that has been granted limited cluster privileges and seeks to perform harmful actions they should not have actions to perform. This user may have permission to perform

SPRING CLOUD GATEWAY www.my-application.com 75% or Header: X-User-Type: Non-Admin RIBBON (Client-Side Load Balancer) 25% or Header: X-User-Type: Admin Service Instance V1 Service Instance V1 Service SPRING CLOUD GATEWAY www.my-application.com 75% or Header: X-User-Type: Non-Admin RIBBON (Client-Side Load Balancer) 25% or Header: X-User-Type: Admin Service Instance V1 Service Instance V1 Service ISTIO VIRTUAL SERVICE + Destination Rules Header: X-User-Type: Non-Admin Header: X-User-Type: Admin Header: X-User-Type: Non-Admin Header: X-User-Type: Admin Destination Rule:

spec: hosts: - reviews.prod.svc.cluster.local awesomeRPC: - name: ”canary-route" match: - headers: user: exact: jason route: - destination: host: reviews.prod.svc.cluster.local subset: v2 - name: ”default" cluster.local", "reviews" ], "routes": [ { "name": ”canary-route" "match": { "headers": [ { "name": ":user", "exact_match": "jason" } ], }, "route": { "cluster": "outbound|9080||reviews.default.svc.cluster • Telemetry collecting Reviews v1 Reviews v2 AwesomRPC （header: user:jason) AwesomRPC （header: user:others) Envoy AwesomRPC （header: user: ***) Pilot 代码改动 • 解析 CRD • 生成 xDS 配置下发 优点： • 控制面改动小，可以快速实现对新协议的支持

TCP Protocol options • Proxy Protocol  L7 • HTTP header “x-forwarded-for” • User Protocol #IstioCon LVS ① user send traffic to LVS ② PREROUTING chain intercept packet and send it to INPUT ③ connection between user and real server #IstioCon HAPROXY- Transparent Transport ① user send traffic to haproxy ② HAPROXY works on userspace ③ Listen on vip + port and accept user connection ④ Loadbalancing: Loadbalancing: select a endpoint and init a connection to server with original user’s address (IP_TRANSPARENT) ⑤ Server’s response packet is flowing through the same path (TPROXY + Custom Route) #IstioCon