Service mesh security best practices: from implementation to verification
Anthony Roman, Lei Tang (Google), April 26, 2022. Who are we? Anthony Roman (Istio; GitHub: anthony-roman), Lei Tang (Istio; GitHub: lei-tang). Session agenda: 1. Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture: attack vectors; service mesh security architecture and implementation. Attack vectors and surfaces: Istio is both a collection of security controls and an attack target.
29 pages | 1.77 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Sudheendra Murthy, IstioCon. Agenda: Introduction; Applications Deployment; Service Mesh Journey; Scale Testing; Future Direction. ... catering to the AZ, e.g., AZ IPAM, Network Load-balancers, etc. Full isolation by confining service failures to the AZ boundary (AZ 1 ... AZ n within data center DC1, each with its own K8s clusters). Load balancing & Traffic Flow: two tiers of hardware Load-Balancers (LB). Application-Tier LB: K8s service realized on Application-Tier LBs. Web-Tier LB to control the percentage of traffic sent to an ...
22 pages | 505.96 KB | 1 year ago
Project Harbor Introduction - Open source trusted cloud native registry
... Availability, Security, Multiple Platforms. goharbor.io. VMware ... VIC, PKS. GitHub Repo: https://github.com/goharbor/harbor/ (Apache 2.0). Project history ... Harbor components: API Routing; Core Service (API/Auth/GUI); Image Registry; Trusted Content; Vulnerability Scanning; Job Service; Admin Service. 3rd party components: SQL, Storage. Persistence components: Local or Remote Storage (block, file, object). Users (GUI/API); Container Schedulers/Runtimes; Consumers; LDAP/Active Directory; Supporting services. Harbor Packaging ...
36 pages | 12.65 MB | 1 year ago
Django CMS 3.11.10 Documentation
... in version 4.2. Django CMS is headless-ready. This means that you can use django CMS as a backend service to provide content to the frontend technology of your choice. Traditionally, django CMS serves the ... limit_choices_to causes errors due to excessively long URLs if you have many thousands of users (the PKs are all included in the URL of the popup window). For this reason, we only apply this limit if the ... holder mymodel_instance.my_placeholder language 'en' %} {% show_placeholder "footer" "footer_container_page" %} {% show_placeholder "content" request.current_page.parent_id %} {% show_placeholder "teaser" ...
493 pages | 1.44 MB | 6 months ago
DBeaver Ultimate User Guide v24.2.ea
... using only one login and password. This is possible if you use SSO (Single Sign-On) authentication service. You do not need to manage, store, and transfer user credentials. When a user connects to the database ... default simple mode for all connections (to show only schemas and tables and hide all system and service objects). How to manage preferences: the best way to manage user access, restrictions, and permissions ... The configuration here is similar to the standard SSH setup, but it's integrated within your cloud service provider's ... Configuring Cloud SSH Tunnels. DBeaver Ultimate User Guide 24.2.ea, page 95 of 1171.
1171 pages | 94.65 MB | 1 year ago
DBeaver User Guide v24.2.ea
... using only one login and password. This is possible if you use SSO (Single Sign-On) authentication service. You do not need to manage, store, and transfer user credentials. When a user connects to the database ... default simple mode for all connections (to show only schemas and tables and hide all system and service objects). How to manage preferences: the best way to manage user access, restrictions, and permissions ... The configuration here is similar to the standard SSH setup, but it's integrated within your cloud service provider's ... Configuring Cloud SSH Tunnels. DBeaver User Guide 24.2.ea, page 95 of 1171.
1171 pages | 94.79 MB | 1 year ago
Ozone meetup Nov 10, 2022: Ozone User Group Summit
... 2021. Version 1.3.0 is in progress: tons of new features and improvements (Erasure Coding, Container Balancer, S3 Multi-Tenancy, S3 gRPC improvements); 1000+ new commits since the 1.2.1 release ... and blocks). RocksDB holds container metadata; it is supported by and battle-tested at Facebook. OM is a namespace manager (also uses RocksDB to store the namespace). HDDS is a distributed container management layer ... DataNodes (store data blocks in containers). Storage Container Manager (manages containers; allocates blocks, certificates, datanodes) ...
78 pages | 6.87 MB | 1 year ago
Apache Cassandra™ 1.0 Documentation, February 16, 2012
... Node; Starting/Stopping Cassandra as a Stand-Alone Process; Starting/Stopping Cassandra as a Service; Upgrading Cassandra; Best Practices for Upgrading Cassandra; Upgrading Cassandra: 0.8.x ... INSERT_HISTORICAL_PRICES -n 100. Running the Portfolio Demo Sample Application: 4. Start the web service (must be in the $DSCDEMO_HOME/website directory to start). $ cd $DSCDEMO_HOME/website $ java -jar ... Debian packages start the Cassandra service automatically. To stop the service and clear the initial gossip history that gets populated by this initial start: $ sudo service cassandra stop $ sudo bash -c 'rm ...
141 pages | 2.52 MB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
... Istio scalability optimization during Knative Service provisioning. Unleash maximum scalability by fully leveraging Istio features in Knative with service mesh enabled. Reference. Agenda (IstioCon) ... an Ingress Gateway. By default, Knative does not enable service mesh; it uses Istio as an Ingress Gateway. Enable Secret Discovery Service (SDS) to monitor and mount secrets under istio-system to ingress ... and knative-local-gateway for cluster-local access. They use the Istio gateway service istio-ingressgateway as their underlying service. Knative Activator or Application. Front door design (IstioCon): Traffic ...
23 pages | 2.51 MB | 1 year ago
17 results in total