Istio audit report - ADA Logics - 2023-01-30 - v1.0
authentication to verify the credential attached to the request. Authorization Istio allows users to create authorization policies to specify mesh-, namespace-, and workload-wide access control for workloads error { uncompressedStream, err := gzip.NewReader(gzipStream) if err != nil { return fmt.Errorf("create gzip reader: %v", err) } tarReader := tar.NewReader(uncompressedStream) for { header, err := // Create containing folder if not present dir := path.Dir(dest) if _, err := os.Stat(dir); err != nil { if err := os.MkdirAll(dir, 0o755); err != nil { return err } } outFile, err := os.Create(dest)
0 credits | 55 pages | 703.94 KB | 1 year ago
Istio Security Assessment
Reproduction Steps • Modify the default policy mesh config map for “controlPlaneAuthPolicy: MUTUAL_TLS” • Create a istio setup with control plane security enabled: istioctl install --set values.global.control function defined in istio/pkg/config/validation/validation.go Impact An attacker that is able to create an Istio VirtualService within a Kubernetes cluster can hijack the requests of any other namespace’s provided namespace is one wherein the client could perform the same VirtualService operation (e.g. create, update, delete, etc.). 10 | Google Istio Security Assessment Google / NCC Group Confidential Finding
0 credits | 51 pages | 849.66 KB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
of time and effort – Realistic outcome: Just create E2E tests • What is our solution? – Leverage Istio sidecar to listen to API traffic data and create tests from the data – 10x speed in creating API API tests • Can also be sped up by just navigating the application UI – Create E2E tests, component tests and service tests from the same data • Key product benefits (#releases, #rollbacks, MTTR, #bugs-in-production development process. That’s not good!! | CONFIDENTIAL Start testing earlier Create and maintain a balanced test pyramid Create different types of tests with low effort 7 What we need… End-to-end Component
0 credits | 21 pages | 1.09 MB | 1 year ago
5 tips for your first Istio.io Contribution
Commits - Documentation fixes, UI adjustments #IstioCon Commits ● For anything larger or bug fixes, create an issue and ask around for opinions ● General Contributing Guide ● Contributing Documentation: Process ● Viewing changes as if they were live ● Linter is pretty specific ● Don't forget to update/create a test if the page changed is tested! #IstioCon Run make lint locally to verify changes and check Netlify preview to view updates as if they were live #IstioCon Summary ● Don't be afraid to create issues, ask around, and share your ideas ● Join the Working Group ● Contributing ○ Check out
0 credits | 14 pages | 717.74 KB | 1 year ago
Exploring and Practicing Istio-Based Microservice Governance Event Monitoring
Trasanctionid(CA SDK support) TOM (who) Create a checklist(action) At 2018-0930(time) Log output (Transaction ID) C(application) Trasanctionid(CA SDK support) TOM (who) Create a checklist(action) At 2018-0930(time) 2018-0930(time) Log output B(application) Trasanctionid(CA SDK support) TOM (who) Create a checklist(action) At 2018-0930(time) Log output Get the corresponding logs for one time request by transaction ID Request(Transaction
0 credits | 29 pages | 8.37 MB | 6 months ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Service spec: ... #IstioCon AccessPoint Spec Step 1: Access Point Spec ● Create the Specs on our Global Control Plane ● Realized on hardware LBs ● Internal orchestration & UI cluster ■ Each Istio deployment manages subset of namespaces using DiscoverySelectors ○ Overall, create macro-segments for different environments #IstioCon Step 4: Evolving Security ● Origin or Request debounce interval, push concurrency, etc. #IstioCon Control-plane Scale Testing: Setup ● Setup ○ Create Gateway Pods & thousands of Pods with sidecar Envoys ○ Measure Config convergence time ■ Time taken
0 credits | 22 pages | 505.96 KB | 1 year ago
Secure your microservices with istio step by step
trafficPolicy: tls: mode: ISTIO_MUTUAL 1) Generate client and server certificates and keys 2) Create a secret for the ingress gateway: productpage-credential 3) Define a gateway which specifying above attaching certificate file Access productpage 1) Generate client and server certificates and keys 2) Create a secret for the ingress gateway: productpage-credential 3) Define a gateway which specifying above
0 credits | 34 pages | 67.93 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
identity token ● All we have to do is ○ specify a new WorkloadGroup with a template (to create WorkloadEntry) ○ create a ServiceEntry (to select specific workloads) #IstioCon What Else Did Not Solve?
0 credits | 50 pages | 2.19 MB | 1 year ago
Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
9090 #IstioCon EnvoyFilter is Powerful, But ... It’s very difficult if not possible to manually create and maintain these EnvoyFilters, especially in a large service mesh: ● It exposes low-level Envoy It depends on some cluster-specific information such as service cluster IP ● We need to manually create tons of EnvoyFilter, one for each of the services #IstioCon Aeraki: Manage any layer-7 traffic
0 credits | 29 pages | 2.11 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
enough, let’s do it: 1. Create a new Deployment with new name (immutable field) with the app and version labels 2. Make sure the Service is serving both Deployments 3. Create HPAs to target the new Deployment
0 credits | 69 pages | 1.58 MB | 1 year ago