Using ECC Workload Certificates (pilot-agent environmental variables)
#IstioCon Using ECC Workload Certificates (pilot-agent environmental variables) Jacob Delgado / Aspen Mesh ECC workload certificates ● In various environments, the need for x509 certificates ECC_SIGNATURE_ALGORITHM: ECDSA Must be done for each chart, but not for base Inspection of Workload Certificates Ensure that workloads within your cluster are using ECC $ istioctl proxy-config

OpenShift Container Platform 4.10 Monitoring
The Default installation section describes these components. Components for monitoring user-defined projects: after you optionally enable monitoring for user-defined projects, additional monitoring components are installed in the openshift-user-workload-monitoring project. This provides monitoring for user-defined projects. The User section of the following diagram describes these components. OpenShift Container Platform 4.10 Components for user-defined projects Component Description Chapter 1. Monitoring overview Prometheus Operator The Prometheus Operator (PO) in the openshift-user-workload-monitoring project creates, configures, and manages Prometheus and Thanos Ruler instances in the same project. Prometheus ServiceMonitor, PodMonitor, and PrometheusRule objects. Modifying any resources or objects deployed in the openshift-monitoring or openshift-user-workload-monitoring projects. Resources created by the OpenShift Container Platform monitoring stack are not meant to be used by any other resources,

Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
Upgrade CN2 | Uninstall CN2 | Manage Multi-Cluster CN2 | Attach a Workload Cluster | Detach a Workload Cluster | Uninstall CN2 | 5 Appendix Create a Rancher RKE2 Cluster DPDK data plane acceleration The Contrail controller automatically detects workload provisioning events such as a new workload being instantiated, network provisioning events such as a new virtual network cluster that houses the Contrail controller. Table 1: Terminology (Continued) Term Meaning Workload cluster In a multi-cluster deployment, this is the distributed cluster that contains the workloads

Istio Security Assessment
Kubernetes clusters to provide service-to-service communication, manages TLS certificates, provides workload identity, and includes a built-in authorization system facilitated by its control plane. The goal cluster. • The Envoy Proxy admin port is exposed via the Istio sidecar and would allow a malicious workload to override or compromise their own Istio configuration. Strategic Recommendations • Build opinionated Set 007 Low Istio Client-Side Bypasses 014 Low Sidecar Envoy Administrative Interface Exposed To Workload Containers 018 Low DestinationRules Without CA Certificates Field Do Not Validate Certificates

Golang Large-Scale Cloud-Native Application Management in Practice
kind: Component metadata: name: web-service version: v0.3.0 description: Knative workload spec: workload: apiVersion: serving.knative.dev/v1 kind: Service spec: template: metadata: *components) Render(ctx context.Context, ac *v1alpha2.ApplicationConfiguration) { workloads := make([]*Workload, 0, len(ac.Spec.Components)) dag := newDAG() for _, acc := range ac.Spec.Components { w, err := ac, dag) workloads = append(workloads, w) } ds := &v1alpha2.DependencyStatus{} res := make([]Workload, 0, len(ac.Spec.Components)) for i, acc := range ac.Spec.Components { unsatisfied, err := r.handleDependency(ctx

宋净超: From Open-Source Istio to Enterprise Services: How to Adopt a Service Mesh in the Enterprise
Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) VM API Gateway Ingress & Egress that VM ● Install DEB/RPM package of the Workload Onboarding Agent on that VM ● Provide a minimal declarative configuration describing where to onboard the workload to Bridged Mode vs Direct Mode ● Bridged:

Service mesh security best practices: from implementation to verification
Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster Edge Operations Workload Data Exfiltration Man-In-The-Middle Denial of Service Privilege Escalation Application Compromise Control Plane Service mesh security architecture Cluster Workload Edge Operations Ingress Policies Egress Policies WAF / IDS Firewall User AuthN/Z Data Loss Authority K8s Network Policy K8s RBAC Audit Logging Image Verification Admission Control Workload Identity K8s RBAC K8s CNI AuthZ Policy Peer AuthN Policy KMS Control Plane Hardening

Is Your Virtual Machine Really Ready-to-go with Istio?
1 ServiceEntry #IstioCon V1.6-1.8 Better VM Workload Abstraction A K8s Service and Pods Two separate objects with distinct lifecycles Before Workload Entry, a single Istio Service Entry object combined giving a first-class representation for the workloads themselves V1.6-1.8 Better VM Workload Abstraction Item Kubernetes Virtual Machine Basic schedule unit Pod WorkloadEntry Component selector: app: foo Istio Workload Entries labels: app: foo class: vm V1.6-1.8 Better VM Workload Abstraction ● Workload Entry ○ single non-Kubernetes workload ○ mTLS using service account

OpenShift Container Platform 4.10 Scalability and Performance
[1] r5.4xlarge 16 128 gp3 220 3 us-west-2 Infra [2] m5.12xlarge 48 192 gp3 100 3 us-west-2 Workload [3] m5.4xlarge 16 64 gp3 500 [4] 1 us-west-2 Compute m5.2xlarge 8 32 gp3 100 3/25/250 /500 (GiB)/IOPS Count control plane/etcd [1] 16 32 io1 120 / 10 IOPS per GiB 3 Infra [2] 16 64 gp2 120 2 Workload [3] 16 256 gp2 120 [4] 1 Compute 16 64 gp2 120 2 to 100 [5] 1. io1 disks with 120 / 10 IOPS are used for control apiVersion: v1 kind: Namespace metadata: name: openshift-performance-addon-operator annotations: workload.openshift.io/allowed: management $ oc create -f pao-namespace.yaml apiVersion: operators.coreos

OpenShift Container Platform 4.13 Authentication and Authorization
PASSTHROUGH mode 19.4. Using manual mode 19.5. Using manual mode with Amazon Web Services Security Token Service 19.6. Using manual mode with GCP Workload Identity OpenShift Services Security Token Service (AWS STS). With this configuration, the CCO uses temporary credentials for different components. Using GCP Workload Identity: in manual mode, you can configure a GCP cluster to use GCP Workload Identity. With this configuration, the CCO uses temporary credentials for different components. Table 19.1. CCO mode support matrix Cloud provider AWS and GCP clusters support using mint mode with the root secret removed. AWS or GCP clusters that use manual mode might be configured to use AWS Security Token Service (STS) or GCP Workload Identity to create and manage cloud credentials from outside the cluster. You can determine whether the cluster uses this strategy by inspecting the cluster Authentication object. 7. AWS or GCP clusters that use only the default ('')
762 results in total