Using BCC and bpftrace with Performance Co-Pilot Andreas Gerstmayr October 28, 2020 Source: https://pcp.io https://github.com/iovisor/bcc https://bpftrace.org 2 eBPF Compiler Collection bpftrace bpftrace BCC high-level tracing language for eBPF Performance Co-Pilot system performance analysis toolkit Performance Co-Pilot 3 Toolkit for collecting, analyzing, visualizing and responding to the

#IstioCon Using ECC Workload Certificates (pilot-agent environmental variables) Jacob Delgado / Aspen Mesh #IstioCon ECC workload certificates ● In various environments, the need for x509 certificates cryptography (using ECDSA P-256) to use this feature ● Only ECDSA P-256 is supported #IstioCon pilot-agent environmental variables Disclaimer: Environmental variables and their use are considered experimental set the ECC_SIGNATURE_ALGORITHM environmental variable on sidecar ejection to ECDSA for use by pilot-agent ○ For gateways this environmental variable also must be set on installation/upgrade #IstioCon

tecture of Istio as it is deployed within common environments such as Kubernetes clusters. • Istio Pilot: The service running within the istiod service that handles service discovery. • Istio Ingress/Egress: lacks many hardening controls and should be replaced with a more secure-by-default option. • The Pilot admin interface exposes unnecessary ser- vices and is accessible to anyone within a default cluster Data Exposure 3 Data Validation 2 Component Breakdown Istio 10 Istio Sidecar 3 Istioctl 2 Pilot 3 Key Critical High Medium Low Informational 3 | Google Istio Security Assessment Google / NCC

#IstioCon Fully Local go run ./pilot/cmd/pilot-discovery go run ./pilot/cmd/pilot-agent #IstioCon Fully Local go run ./pilot/cmd/pilot-discovery go run ./pilot/cmd/pilot-agent + Fast! Bottleneck is #IstioCon Cluster Remote Istiod, local proxy go run ./pilot/cmd/pilot-agent #IstioCon Cluster Remote Istiod, local proxy go run ./pilot/cmd/pilot-agent + Rapid iteration - Very different from production #IstioCon Local Istiod, remote proxy Cluster go run ./pilot/cmd/pilot-discovery #IstioCon Local Istiod, remote proxy Cluster go run ./pilot/cmd/pilot-discovery + All of the benefits of running Istiod

Kiali 1.36.13 spec: runtime: components: pilot: container: env: PILOT_ENABLE_GATEWAY_API: true PILOT_ENABLE_GATEWAY_API_STATUS: true # and and optionally, for the deployment controller PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER: true OpenShift Container Platform 4.8 Service Mesh 6 1.2.2.6. Red Hat OpenShift Service Mesh 2 崩溃并显示以下出错信息：fatal error: concurrent map iteration and map write。 OSSM-1211 为故障转移配置联邦服务网格无法正常工作。 Istiod pilot 日志显示以下错误： envoy connection [C289] TLS error: 337047686:SSL routines:tls_process_server_certificate:certificate

Severity: Low Difficulty: High Fixed: Yes Affected components: ● pkg/wasm ● Istio Agent ● Istio Pilot ● Istioctl Vectors: ● CWE-295: Improper Certificate Validation ID: ADA-IST-6 Fix: https://github 37 Istio Security Audit, 2023 tio/istio/blob/a7e57f 950edc9f06b29f977 d82fd8dfa9ae5f35b/ pilot/cmd/pilot-agent /status/server.go#L7 58 w.WriteHeader(http.StatusInternalServerError) } else { w.WriteHeader(http Close() } https://github.com/is tio/istio/blob/a7e57f 950edc9f06b29f977 d82fd8dfa9ae5f35b/ pilot/cmd/pilot-agent /status/server.go#L4 99 if envoy != nil { envoy.Close() } if application != nil { application

verify-install upgrade Istio simplify install helm3 #IstioCon Pilot Mixer Citadel Node Agent Injector Galley istio-system Node Pod Sidecar Pilot Agent Ingress Egress Istio Single Cluster Simplified

variant of Pilot to inject the Cilium network policy filters into each Is�o sidecar proxy: $ curl -s https://raw.githubusercontent.com/cilium/cilium/v1.5/examples/ku $ awk -f cilium-pilot.awk \ < ${ISTIO_HOME}/install/kubernetes/helm/istio/charts/pilot/templates/ > istio-cilium-helm/charts/pilot/templates/deployment.yaml Configure the Is�o’s sidecar injec�on to setup the transparent Cilium-specific variant of Pilot, and disables unused services: $ helm template istio-cilium-helm --name istio --namespace istio-system \ --set pilot.image=docker.io/cilium/istio_pilot:${ISTIO_VERSION} \

Erica Virtual Assistant (6/18) Note: We assume a start at zero users from Erica’s launch in 6/18. Pilot users excluded. Source: Bank of America (2/21, 4/24, 2/25) Bank of America Erica Virtual Assistant USA Food & Drug Administration, ‘FDA Announces Completion of First AI-Assisted Scientific Review Pilot and Aggressive Agency-Wide AI Rollout Timeline’ (5/25); NITRD.gov (5/25) New AI-Enabled Medical Devices Software Development’ (2024); Anthropic; Katalon; AccelQ; Monday; Quill; Mintlify; Snyk; Ansible; UX Pilot; Ark Design AI AI Developer Use Cases – 2024, per IBM Code Generation Bug Detection & Fixing

send a msg, lookup peer socket o Redirect Istio Meetup China Inbound Acceleration Istio 1.10: PILOT_ENABLE_INBOUND_PASSTHROUGH Istio Meetup China Outbound Acceleration Istio Meetup China Envoy to