Service mesh security best practices: from implementation to verification
Anthony Roman, Lei Tang Google April 26, 2022 Service mesh security best practices: from implementation to verification Who are we? Anthony Roman Istio Github: anthony-roman Lei Tang Istio agenda 1. Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture ● Attack Attack vectors. ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster Edge Operations
0 points | 29 pages | 1.77 MB | 1 year ago | 3

DBeaver Lite User Guide v24.2.ea
Local client configuration Connection types Multiple datasource connections Configure connection initialization settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration configuration Proxy configuration Kubernetes configuration User Guide Table of contents Configure connection Network configuration settings DBeaver Lite User Guide 24.2.ea. Page 3 of 1010. AWS SSM SSM configuration Shell commands Changing current user password Authentication models overview Database native DBeaver profile Kerberos authentication Microsoft Entra ID Authentication MongoDB PostgreSQL
0 points | 1010 pages | 79.48 MB | 1 year ago | 3

DBeaver User Guide v24.2.ea
Local client configuration Connection types Multiple datasource connections Configure connection initialization settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration User Guide Table of contents Configure connection Network configuration settings DBeaver User Guide 24.2.ea. Page 3 of 1171. Kubernetes configuration AWS SSM configuration Shell AWS Cloud Explorer Azure Cloud Explorer System operations and security Databases authentication models Cloud databases configuration Cloud Explorer tools DBeaver User Guide 24.2.ea. Page 4 of 1171
0 points | 1171 pages | 94.79 MB | 1 year ago | 3

DBeaver Ultimate User Guide v24.2.ea
Local client configuration Connection types Multiple datasource connections Configure connection initialization settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration configuration Proxy configuration Kubernetes configuration User Guide Table of contents Configure connection Network configuration settings DBeaver Ultimate User Guide 24.2.ea. Page 3 of 1171. AWS AWS SSM configuration Shell commands Changing current user password Authentication models overview Database native DBeaver profile Kerberos authentication Microsoft Entra ID Authentication MongoDB
0 points | 1171 pages | 94.65 MB | 1 year ago | 3

Apache Cassandra™ 10 Documentation February 16, 2012
Planning 24 Calculating Usable Disk Capacity 24 Calculating User Data Size 24 Choosing Node Configuration Options 25 Storage Settings 25 Gossip Settings 25 Purging Gossip State on a Node 25 Partitioner Steps 32 Initializing a Cassandra Cluster on Amazon EC2 Using the DataStax AMI 32 Creating an EC2 Security Group for DataStax Community Edition 33 Launching the DataStax Community AMI 34 Connecting to 67 Deleting Columns and Rows 67 Dropping Column Families and Keyspaces 68 Configuration 68 Node and Cluster Configuration (cassandra.yaml) 68 Node and Cluster Initialization Properties 70 auto_bootstrap
0 points | 141 pages | 2.52 MB | 1 year ago | 3

Django CMS 3.11.10 Documentation
[https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-DATABASES] for the appropriate configuration for your chosen database backend. Confirming that you are not migrating a version 3 project Add necessary, but it’s useful. If included, should be at the start of the list. add the following configuration to your settings.py: Context processors Add "cms.context_processors.cms_settings" to TEMPLATES['OPTIONS'] unable to identify any further issues with your project. Some additional configuration is required however. Further required configuration URLs "sekizai.context_processors.sekizai",
0 points | 493 pages | 1.44 MB | 6 months ago | 0.03

Ubuntu Desktop Training 2009
1. The Ubuntu Promise • Ubuntu will always be free of charge, including enterprise releases and security updates. • Ubuntu comes with full commercial support from Canonical and hundreds of companies around • Separate Professional and Home editions • Less frequent and less visible release schedule Security • Locked administrative user root • Rarely targeted by malware and viruses • Enables easy access downgrade • User data stored in home directory • Easy to migrate and replicate user data and configuration to another computer • User data saved in multiple locations • Difficult to backup and migrate
0 points | 428 pages | 57.45 MB | 1 year ago | 3

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Load-Balancer Web-Tier Load-Balancer Pods Pods Pods AZ 1 AZ 2 AZ n Client #IstioCon What about Security? ● L4 Micro-segmentation Solution ○ Central Policy store capturing Application-to-Application Layer Security (TLS) ● Custom OpenID implementation for L7 AuthN #IstioCon Why Service Mesh? ● Current challenges include - ○ Manageability of Hardware Devices ■ Traffic Management & Security Enforcement applications in a consistent way ● Service Mesh ○ An architectural pattern to implement common Security, Observability, Service Routing & Discovery functions as features of the infrastructure - ○ Functions:
0 points | 22 pages | 505.96 KB | 1 year ago | 3

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
code Scale to zero Quick entry to serverless computing … … traffic management observability security … Knative design based on knative.dev #IstioCon r How Istio is leveraged in a Knative based {revision-2}. 51ch62kjrnd.svc.cluster.local weight: 90 Knative Service Inspection #IstioCon - Security with Service Mesh enabled • mutual TLS is enabled to secure the user application traffic end to duration from Knative Ingress and istio VirtualService are created to Knative probe thinks the configuration works. o [Istio 1.5.4] Istio is picking up new VirtualService slowly 30s #IstioCon Istio
0 points | 23 pages | 2.51 MB | 1 year ago | 3

Is Your Virtual Machine Really Ready-to-go with Istio?
management ○ Load balancing for VMs, failover, A/B testing, modern rollouts for VM services ● Security ○ Enforce the same policies in the same way, across compute environments ● Observability ○ See Extensibility #IstioCon Why Should Istio Support VMs ● ≈ Why VMs? ○ Technical reasons ■ Better known security controls ■ Better isolation (of resources, fault domains etc.) ■ Compatibility (non-Linux, unikernels) injection ○ automate VM registration ○ health/readiness check #IstioCon V1.7 VM Support with Added Security ● Secure bootstrapping process ○ Automate provisioning a VM's mesh identity (certificate) ■ based
0 points | 50 pages | 2.19 MB | 1 year ago | 3

17 results in total