Service mesh security best practices: from implementation to verification
Anthony Roman, Lei Tang Google April 26, 2022 Service mesh security best practices: from implementation to verification Who are we? Anthony Roman Istio Github: anthony-roman Lei Tang Istio lei-tang Session agenda 1. Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture architecture ● Attack vectors. ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster
0 credits | 29 pages | 1.77 MB | 1 year ago | 3
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
How eBay is building a massive Multitenant Service Mesh using Istio Sudheendra Murthy #IstioCon Agenda ● Introduction ● Applications Deployment ● Service Mesh Journey ● Scale Testing ● Future Direction catering to the AZ, e.g., AZ IPAM, Network Load-balancers, etc. ■ Full isolation by confining service failures to AZ boundary AZ 1 AZ 2 AZ n Data Center DC1 K8s Cluster K8s Cluster K8s balancing & Traffic Flow ● Two tiers of hardware Load-Balancers (LB) ● Application-Tier LB ○ K8s service realized on Application-Tier LBs ● Web-Tier LB to control - ○ Percentage of traffic sent to an
0 credits | 22 pages | 505.96 KB | 1 year ago | 3
Project Harbor Introduction - Open source trusted cloud native registry
Harbor API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components 3rd party components SQL Debian Security Bug Tracker § Ubuntu CVE Tracker § Red Hat Security Data § Oracle Linux Security Data § Alpine SecDB API Registry V2 Job Service Console DB Harbor Save Data Pull Layers Scan § Debian Security Bug Tracker § Ubuntu CVE Tracker § Red Hat Security Data § Oracle Linux Security Data § Alpine SecDB 20 Confidential ©2018 VMware, Inc
0 credits | 36 pages | 12.65 MB | 1 year ago | 3
DBeaver Lite User Guide v24.2.ea
Configure connection Network configuration settings DBeaver Lite User Guide 24.2.ea. Page 3 of 1010. AWS SSM configuration Shell commands Changing current user password Authentication models overview authentication models Authentication Salesforce Mysql two-factor authentication Managing AWS permissions Working with AWS SSO AWS credentials System operations and security Databases authentication models Cloud SSPI authentication (Windows SSO) Redis Salesforce Salesforce authentication SQLite Teradata AWS Athena DocumentDB Keyspaces Redshift Timestream Azure CosmosDB Databricks Cloud DBeaver Lite
0 credits | 1010 pages | 79.48 MB | 1 year ago | 3
DBeaver Ultimate User Guide v24.2.ea
connection Network configuration settings DBeaver Ultimate User Guide 24.2.ea. Page 3 of 1171. AWS SSM configuration Shell commands Changing current user password Authentication models overview authentication models Authentication Salesforce Mysql two-factor authentication Cloud Explorer overview AWS Cloud Explorer Azure Cloud Explorer Google Cloud Explorer System operations and security Databases User Guide 24.2.ea. Page 4 of 1171. Cloud Storage Managing AWS permissions Working with AWS SSO Working with Google Cloud Explorer SSO AWS credentials Google Cloud Explorer credentials Database drivers
0 credits | 1171 pages | 94.65 MB | 1 year ago | 3
DBeaver User Guide v24.2.ea
Network configuration settings DBeaver User Guide 24.2.ea. Page 3 of 1171. Kubernetes configuration AWS SSM configuration Shell commands Changing current user password Authentication models overview authentication models Authentication Salesforce Mysql two-factor authentication Cloud Explorer overview AWS Cloud Explorer Azure Cloud Explorer System operations and security Databases authentication models 4 of 1171. Google Cloud Explorer Cloud Storage Managing AWS permissions Working with AWS SSO Working with Google Cloud Explorer SSO AWS credentials Google Cloud Explorer credentials Database drivers
0 credits | 1171 pages | 94.79 MB | 1 year ago | 3
Ubuntu Desktop Training 2009
Photos ... 238 7.2.3. Organising Photos ... 239 7.2.4. Removing Red Eye ... 240 7.3. The GIMP ... 242 7.4. Drawing and the surrounding infrastructure. The pre-requisites to connect to the Internet are an Internet Service Provider (ISP) subscription and a functional Internet connection in your area. Configuring the Internet hosts, which maps a host name to an IP address successfully. For this, select the Use the Internet service provider nameservers check box. If the Internet connection breaks, your modem will automatically
0 credits | 428 pages | 57.45 MB | 1 year ago | 3
Apache Cassandra™ 10 Documentation February 16, 2012
Node 42 Starting/Stopping Cassandra as a Stand-Alone Process 42 Starting/Stopping Cassandra as a Service 42 Upgrading Cassandra 43 Best Practices for Upgrading Cassandra 43 Upgrading Cassandra: 0.8.x INSERT_HISTORICAL_PRICES -n 100 Running the Portfolio Demo Sample Application 6 4. Start the web service (must be in the $DSCDEMO_HOME/website directory to start). $ cd $DSCDEMO_HOME/website $ java -jar the same region. Instead of using the node's IP address to infer node location, this snitch uses the AWS API to request the region and availability zone of a node. The region is treated as the data center
0 credits | 141 pages | 2.52 MB | 1 year ago | 3
Django CMS 3.11.10 Documentation
in version 4.2. Django CMS is headless-ready. This means that you can use django CMS as a backend service to provide content to the frontend technology of your choice. Traditionally, django CMS serves the Headless support Django CMS 5.0.0 is headless-ready, allowing you to use django CMS as a backend service to provide content to the frontend technology of your choice. Traditionally, django CMS serves the colours that will cause the fewest issues for colour-blind people, so we don’t use green (since we use red) or yellow (since we use blue) labels, but we are aware it’s not ideal. django CMS ticket processing
0 credits | 493 pages | 1.44 MB | 6 months ago | 0.03
17 results in total













