SberBank story: moving Istio from PoC to production
Igor Gustomyasov, Sber Maksim Chudnovskii, IBM Sber position across key areas Best client experience Technological leadership In financial services January 2019 PoC OCP 3.11 Istio 1.0 Make It Simple Event Hub DBs SERVICE MESH Istio Ingress Istio Egress Other External Services Tracing Store Logging Store LB January 2019 PROD PoC March 2020 Istio 1.1 Istio Egress Istio Ingress OCP 4.1 LB LB LB TROUBLE SHOOTING January 2019 PROD PoC March 2020 December 2020 Innovation trigger Peak of inflated Expectations Trough of Disillusionment
0 credits | 14 pages | 1.68 MB | 1 year ago
Dapr September 2023 security audit report
WriteHeader(clientResp.StatusCode) _, _ = io.Copy(wr, clientResp.Body) } PoC The following PoC demonstrates the issue. To reproduce, run the following PoC with go run main.go. We include the expected stacktrace below Do(req) fmt.Println("Copying...") if _, err := io.Copy(io.Discard, resp.Body); err != nil { } } PoC - expected stacktrace fatal error: runtime: out of memory runtime stack: runtime.throw({0x55962e user who can send a pubsub message to the Pulsar component to crash the Dapr sidecar. The following PoC demonstrates the issue. Add the unit test to components-contrib/pubsub/pulsar/pulsar_test.go and run
0 credits | 47 pages | 1.05 MB | 1 year ago
Dapr July 2020 security audit report
findings will be discussed in a chronological order alongside technical descriptions, as well as PoC and mitigation advice when applicable. Since most issues are reflective of a custom configuration redis instances, which will enable the attacker to establish a session to the master-0 redis pod. PoC Attacker has gained shell access to the Python application pod. • Using wget, the attacker downloads all secrets and assets for the entire cluster, which would in turn lead to a complete compromise. PoC /tmp # uname -a Linux pythonapp-b57b5897c-gfwj4 4.15.0-1082-azure #92~16.04.1-Ubuntu SMP /tmp # ./kubectl
0 credits | 19 pages | 267.84 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
return fmt.Errorf("uknown type: %v in %v", header.Typeflag, header.Name) } } return nil } PoC A complete PoC is available below that demonstrates how the vulnerability could be exploited. Copy the file either: panic: open fileToCopy: no such file or directory goroutine 1 [running]: main.main() /tmp/go-poc/main.go:61 +0x1db exit status 2 … which means the attacker did not win the race. Or : panic: +++++++++++++++ contents. The attacker has won the race. +++++++++++++++ goroutine 1 [running]: main.main() /tmp/go-poc/main.go:63 +0x1cc … which means the attacker won the race. 44 Istio Security Audit, 2023 10: H2c
0 credits | 55 pages | 703.94 KB | 1 year ago
Dapr February 2021 security audit report
that the HTTP Parameter Pollution is still possible, as demonstrated via the Proof-of-Concept (PoC) below. PoC: /tmp # ./curl -d "{"data":{"orderId":"1"}}" -i -H 'dapr-api-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 } func isActionAllowed(action string) bool { return strings.EqualFold(action, AllowAccess) } PoC: The following HTTP requests demonstrate that accessing the /neworder API of nodeapp is prohibited
0 credits | 9 pages | 161.25 KB | 1 year ago
Putting an Invisible Shield on Kubernetes Secrets
Secure kubectl already in production; TEE-based secure kubectl completed PoC • API server and the rest changes for the TEE-based - PoC stage • Where we go? • To keep the production practice • To explore
0 credits | 33 pages | 20.81 MB | 1 year ago
Cloud-Native Graph Database Demystified, Containerization Practice, and Hands-On Serverless Applications
946/1091 us) Wed, 01 Sep 2021 20:47:58 UTC Reference documentation Siwi on KubeSphere + OpenFunction Siwi (/ˈsɪwi/) is a PoC of Dialog System With Graph Database Backed Knowledge Graph. Arch Code ┌─────────────┬────────── │ │ ┌──────────▼──────────┐ Siwi, /ˈsɪwi/ │ │ │ Web_Speech_API │ A PoC of Dialog System │ │ │ Vue.JS │ With Graph Database │ │ │ │
0 credits | 47 pages | 29.72 MB | 1 year ago
Dapr June 2023 fuzzing audit report
panic in the Go standard library, when the key gets serialized. This is illustrated with the below PoC: package panic(err) } } Figure 2.1: Proof of concept payload to trigger issue ADA-DAP-FUZZ-2 Running this PoC will result in the following panic: panic: runtime error: index out of range [-1] goroutine 1 [running]:
0 credits | 19 pages | 690.59 KB | 1 year ago
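2.2.7 Cloud-Native Technology in Practice for B2B Delivery
The upgrade of the industrial internet is driving strong demand in the B2B software services market. What is B2B software delivery? 01. The dilemma of B2B software delivery. The process of delivering software value to enterprise users: (1) product R&D process management (2) product version management (3) proof of concept (PoC) management (4) customer-specific customization (the key to maximizing value) (5) continuous delivery of customer applications (6) production stability assurance for customer applications (SLA). Pursuing maximum value: A. an efficient product delivery model; B. an efficient product customization and development model;
0 credits | 31 pages | 6.38 MB | 1 year ago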
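Is Service Mesh the Next-Generation SDN? The Evolution of Service Mesh from a Communications Perspective
xDS Client Request Client Request Client Request Pitfalls encountered with Consul Registry: the 1.0 version of Consul Registry can only be considered a PoC (prototype validation) and falls far short of product requirements. CPU usage stays persistently very high (Pilot+Consul usage spikes to 400%) • Too many TIME_WAIT sockets exhaust the FDs. Consul Registry optimization
0 credits | 27 pages | 11.99 MB | 6 months ago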