deprecated library ● 1 race condition 2 Istio Security Audit, 2023 Notable findings Issue 10 - “H2c handlers are uncapped” - was an interesting finding, in that it affected Googleʼs managed Istio offering auditing team to the Istio maintainers, because Istio does not cap the size of requests made on an h2c connection, which could lead to a denial of service scenario if a large request was sent. This is a maintainer John Howard assessed Golangs recommended solution for capping H2c requests which is: “The first request on an h2c connection is read entirely into memory before the Handler is called. To limit

code base shown below: • github.com/istio/istio – 7353c84b560fd469123611476314e4aee553611d • github.com/istio/proxy – c51fe751a17441b5ab3f5487c37e129e44eec823 • github.com/istio/istio.io – 26dacdd July 15th, 2020. Commit: 7353c84b560fd469123611476314e4aee553611d istio/proxy Istio Envoy Proxy code in the master branch up to July 15th, 2020. Commit: c51fe751a17441b5ab3f5487c37e129e44eec823 istio/istio clusters, and more that should be protected. goroutine profile: total 380 32 @ 0x4374a0 0x405f77 0x405c3b 0x135de04 0x4674a1 # 0x135de03 k8s.io/client- go/tools/cache.(*controller).Run.func1+0x33 k8s.io/client-

项目之一。目前最新为1.10版本。 Copyright © Huawei Technologies Co., Ltd. All rights reserved. Page 5 Envoy介绍 • Envoy采用C++实现，本身为四层及七层代理，可以根据用户应用请求内的数据进行高级服务治理 能力，包括服务发现、路由、高级负载均衡、动态配置、链路安全及证书更新、目标健康检查、 完整的可观测性等。 • 目前常见 http_connecti on_manager … router upstream conn pool codec codec metadata_ex change iptables http/1.x h2c cluster L7过滤 L4过滤 监听过滤 下游 连接 上游 连接 outbound • APP发出的请求被iptables拦截，并根据源信息判断为outbound被DNAT后拦截进入Envoy spector http_connecti on_manager … router upstream conn pool codec codec backend http/1.x h2c iptables metadata_ex change 监听过滤 L7过滤 L4过滤 下游 连接 上游 连接 cluster inbound • 目标POD收到从网络进入的流量，

POD POD POD S E R V I C E (Load balancer) www.my-application.com External Traffic 75% 25% Deployment Canary Releases Using Kubernetes Deployment POD POD POD S E R V I C E (Load balancer) www External Traffic POD 50% 50% Deployment Canary Releases Using Kubernetes Deployment POD S E R V I C E (Load balancer) www.my-application.com External Traffic POD POD 0% 100% Deployment Deployment application Layers Deployment POD POD S E R V I C E (Load balancer) www.my-application.com External Traffic 75% 25% POD POD POD POD S E R V I C E (ClusterIP) 75% 25% POD POD Cross-version Traffic

filters.ht tp.wasm/envo y.wasm.metad ata_exchange Istio_authn kubectl exec -it [productpage-xxx] -c istio-proxy curl localhost:15000/config_dump envoy.filters .http.cors envoy.filters .http.fault envoy 将其他过滤器集成到Envoy的源代码中，并编译新的Envoy版本。 ■ 这种方法的缺点是您需要维护Envoy版本，并不断使其与官方发行版保持同步。 ■ 此外，由于Envoy是用C++实现的，因此新开发的过滤器也必须用C++实现。 ○ 动态运行时加载： ■ 在运行时将新的过滤器动态加载到Envoy代理中。 ■ 简化了扩展Envoy的过程, 这种解决方案通常使用WebAssembly（WASM）的新技术， Pros ○ 敏捷性：过滤器可以动态加载到正在运行的Envoy进程中，而无需停止或重新编译。 ○ 可维护性：不必更改Envoy自身基础代码库即可扩展其功能。 ○ 多样性：可以将流行的编程语言（例如C/C++和Rust）编译为WASM，因此开发人员可 以选择实现过滤器的编程语言。 ○ 可靠性和隔离性：过滤器会被部署到VM沙箱中，因此与Envoy进程本身是隔离的；即使 当WASM Filter出现问题

CONFIDENTIAL 10 Capture API interactions with lua filters Service A Proxy Proxy Service B Service C Proxy Mesh Dynamics Data Store Deploy: kubectl apply -f Capture using Lua filter All API Service C Proxy req req[A B], trace:r, span:s1 res[A B], trace:r, span:s1 req[B C], trace: r, parent_span: s1 res[B C], trace: r, parent_span: s1 req req[A->B] req[B->C] Construct

actively communicate through the buyer/seller chat and the “Like” feature. The Mercari app is a C2C marketplace where individuals can easily sell used items. We want to provide both buyers and sellers in the istio-proxy container manifest: lifecycle: preStop: exec: command: [“/bin/sh”, “-c”, “while [ $(netstat -plunt | grep tcp | grep -v envoy | wc -l | xargs) -ne 0 ]; do sleep 1; done”] lifecycle: preStop: exec: command: ["/bin/sh", "-c", "sleep 30; wget -qO- --post-data '' localhost:15000/healthcheck/fail; sleep 45; wget -qO- --post-data

plane 5 | Copyright © 2020 Extend Envoy Proxy with Filter Develop: Envoy Filters are written in C++ Asyc Build: need to recompile and maintain a build of Envoy EXTERNAL AUTH RATE LIMITING ROUTER Copyright © 2020 Extend Envoy Proxy with Web Assembly (Wasm) Polyglot: Envoy Filters are written in C++ and Wasm expands to any language Secure and Reliable: Wasm runs in isolated VM, can dynamically Web Assembly Envoy Filter: User Experience Simplified tooling to bootstrap Wasm modules in Rust, C++, TinyGo, AssemblyScript Infrastructure to build, push, share, deploy, debug Wasm into Istio service

Requires Cluster to Local network connectivity #IstioCon Plain Envoy envoy -c envoy-config.yaml #IstioCon Plain Envoy envoy -c envoy-config.yaml + Fastest - bottleneck is typing speed + No Istio dependency

Engineer @Carousell Harshad Rotithor Software Architect @Carousell #IstioCon About Carousell ● C2C Marketplace in SEA ● Over 4 million monthly active users ● User requests over 10 billion per month