Istio audit report - ADA Logics - 2023-01-30 - v1.0
holistic security audit that had several high-level goals: 1. Formalise a threat model of Istio to guide the security audit as well as future security audits. 2. Carry out a manual code audit for security use-after-free issues. Envoy - which plays a core role in the Istio service mesh - is implemented in C++ and memory-corruption issues can therefore have negative impact on the Istio service mesh which is best practices Istio maintains a guide on security best practices which we recommend all users follow: https://istio.io/latest/docs/ops/best-practices/security/. The guide iterates over known threat vectors
55 pages | 703.94 KB | 1 year ago
5 tips for your first Istio.io Contribution
anything larger or bug fixes, create an issue and ask around for opinions ● General Contributing Guide ● Contributing Documentation: https://istio.io/latest/about/contribute/ #IstioCon Design Docs Istio.io page content is automatically verified through tests, and you can help by creating one! ● Guide for creating tests ● Sample page with a test ● make test_status ● make snips The Pull issues, ask around, and share your ideas ● Join the Working Group ● Contributing ○ Check out the style guides for documentation ○ Look into writing tests and how they work ○ We are here to help you
14 pages | 717.74 KB | 1 year ago
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
Integrate additional filters into Envoy's source code and compile a new Envoy build. ■ The drawback of this approach is that you need to maintain your own Envoy build and keep it in sync with the official releases. ■ In addition, since Envoy is implemented in C++, newly developed filters must also be written in C++. ○ Dynamic runtime loading: ■ Dynamically load new filters into the Envoy proxy at runtime. ■ This simplifies the process of extending Envoy; such solutions typically use the newer WebAssembly (WASM) technology. Pros ○ Agility: filters can be loaded dynamically into a running Envoy process without stopping or recompiling it. ○ Maintainability: Envoy's functionality can be extended without changing its own code base. ○ Diversity: popular programming languages (such as C/C++ and Rust) can be compiled to WASM, so developers can choose the language in which to implement a filter. ○ Reliability and isolation: filters are deployed into a VM sandbox and are therefore isolated from the Envoy process itself; even if a WASM filter fails and crashes, it does not affect the Envoy process. ○ Security: filters communicate with the Envoy proxy through predefined APIs, so they can access, and only modify, a limited set of connection or request attributes. ● Cons ○ Performance is roughly 70% of a native, statically compiled filter written in C++; ○ Starting one or more WASM virtual machines consumes some additional memory; ○ The WebAssembly ecosystem is still young;
23 pages | 2.67 MB | 1 year ago
Developing & Debugging WebAssembly Filters
plane 5 | Copyright © 2020 Extend Envoy Proxy with Filter Develop: Envoy Filters are written in C++ Async Build: need to recompile and maintain a build of Envoy EXTERNAL AUTH RATE LIMITING ROUTER Extend Envoy Proxy with Web Assembly (Wasm) Polyglot: Envoy Filters are written in C++ and Wasm expands to any language Secure and Reliable: Wasm runs in isolated VM, can dynamically Web Assembly Envoy Filter: User Experience Simplified tooling to bootstrap Wasm modules in Rust, C++, TinyGo, AssemblyScript Infrastructure to build, push, share, deploy, debug Wasm into Istio service
22 pages | 2.22 MB | 1 year ago
Istio in Practice in Free Wheel Microservices
Telemetry provides monitoring data collection capability. Basic principles • Architecturally, Istio can be divided into 4 parts: • Istio Proxy: the foundation of the mesh • Network security: an implementation compatible with the SPIFFE standard • Configuration management: connects the C++-implemented proxy to k8s dynamic configuration management • Attribute Machine: the basis for authorization, quota, tracing, and monitoring. Microservices under Istio management • The figure on the right shows the deployment of mock1.v1
31 pages | 4.21 MB | 1 year ago
Full-stack service mesh - Aeraki helps you manage any layer-7 traffic in the Istio service mesh
…implements the common logic of layer-7 protocols: routing, header mutation, load balancing, circuit breaking, multiplexing, traffic mirroring, and so on. ● When implementing a custom protocol on top of MetaProtocol, only a small amount of code (C++) for the Decode and Encode extension points is needed. ● Provides L7 filter extension points based on WASM and Lua, so users can implement flexible custom protocol handling logic such as authentication and authorization. #IstioCon MetaProtocol: request processing path
29 pages | 2.11 MB | 1 year ago
Introduction to Envoy Internals and Pitfalls Encountered in Production
…one of the projects. The latest version is currently 1.10. Copyright © Huawei Technologies Co., Ltd. All rights reserved. Page 5 Introduction to Envoy • Envoy is implemented in C++ and is itself a layer-4 and layer-7 proxy; it can perform advanced service governance based on the data inside user application requests, including service discovery, routing, advanced load balancing, dynamic configuration, link security and certificate renewal, target health checks, full observability, and more. • 目前常见数
30 pages | 2.67 MB | 1 year ago
Istio Security Assessment
production-ready approach. Having a secured profile with an opinionated cluster configuration will help guide users towards building secured environments. • Expand hardening documentation: While there were a 49, with a restricted user confined to a "restrict-test" namespace per the Istio cluster setup guide2 2. Obtain the output of the following command (run with administrative access) and use it below
51 pages | 849.66 KB | 1 year ago
8 items in total