Apache Kafka with Istio on K8s
... services • Kubernetes service account based authn/authz • Secure cross-cluster interaction between client apps and Kafka. Security goals: • Kafka brokers require private-key and certificate pairs • Private keystore and truststore files in JKS, PKCS12 or PEM format. Challenges, Kafka broker SSL with client auth: • Certificate renewal requires keystore and truststore regeneration • Broker pods need renewal • Client certificates have to be created for each separate client identity • Client certificates may take different formats (JKS, PEM, etc.) • Client certificate renewal may require client application ...
14 pages | 875.99 KB | 1 year ago
Istio Security Assessment
Table of findings (excerpt): Title | ID | Risk
Sidecar Does Not Use Apparmor/Seccomp By Default | 005 | Low
Insecure File Permissions Set | 007 | Low
Istio Client-Side Bypasses | 014 | Low
Sidecar Envoy Administrative Interface Exposed To Workload Containers | 018 | (risk cut off in snippet)
... and the validateGatewayNames() function, can ensure that the provided namespace is one wherein the client could perform the same VirtualService operation (e.g. create, update, delete, etc.).
... of istio-agent. This may imply that any Istio sidecar — and, by extension, any Istio control plane client, per finding NCC-GOIST2005-022 on page 36 — would be able to obtain sensitive routing metadata for ...
51 pages | 849.66 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
... features in Istio: 1. Peer authentication: used for service-to-service authentication to verify the client making the connection. 2. Request authentication: used for end-user authentication to verify the ...
Code excerpt quoted in the snippet (two fragments of the audited fetcher; the lines between and around them are not on this page):

    // Fragment 1: start of the Fetch method. "func (f " is implied by the
    // receiver and the use of f.client below; the body is truncated in the snippet.
    func (f *HTTPFetcher) Fetch(ctx context.Context, url string, allowInsecure bool) ([]byte, error) {
        c := f.client
        if allowInsecure {
            c = f.insecureClient
        }
        attempts := 0
        o := backoff.DefaultOption()
        o.InitialInterval ...

    // Fragment 2: tail of the HTTPFetcher struct (opening lines truncated in the snippet).
        client          *http.Client
        insecureClient  *http.Client
        initialBackoff  time.Duration
        requestMaxRetry int
    }
    // Copy of istio.io/pkg/wasm

55 pages | 703.94 KB | 1 year ago
Preserve Original Source Address within Istio
What is the use case of the original address? 1. Sticky session: based on IP hash, traffic from the same client is forwarded to the same backend. 2. Security policy: set white/black lists. 3. Access log & stats: report the client IP address and port. A PROXY Protocol plain-text header has the format: PROXY TCP4 192.0.2.0 192.0.2.255 42300 443\r\n. Proxy Protocol v2 puts a binary header ahead of the application data on the client-to-server connection. The client and server side must support proxy protocol simultaneously; the client here can be load balancers like Envoy/HAProxy/Nginx which have ... (#IstioCon)
29 pages | 713.08 KB | 1 year ago
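The v1 header line quoted above is simple enough that it is tempting to split it on spaces and trust the result, which is exactly where the "security policy: white/black list" use case goes wrong: whoever can write the first bytes of a TCP connection can name any source address. The following is an added example, not code from the talk or from Istio or Envoy, that parses a PROXY v1 line strictly per the protocol's rules (at most 107 bytes, CRLF-terminated, TCP4/TCP6/UNKNOWN, address family matching the protocol, ports in range) and only honours the asserted client address when the TCP peer is one of a configured set of trusted load balancers. The sample header is the one from the slide; the trusted-proxy CIDRs and peer addresses in the demo are constructed for illustration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Limits taken from the PROXY protocol specification: a v1 line is at most 107
# bytes including CRLF, and every v2 header starts with this 12-byte signature.
PROXY_V1_MAX_LEN = 107
PROXY_V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


class ProxyHeaderError(ValueError):
    """Raised for any malformed header; the caller should drop the connection."""


@dataclass(frozen=True)
class ProxyHeader:
    proto: str      # "TCP4" or "TCP6"
    src_addr: str   # original client address as asserted by the upstream proxy
    dst_addr: str
    src_port: int
    dst_port: int


def parse_proxy_v1(data: bytes) -> tuple[ProxyHeader | None, bytes]:
    """Parse a PROXY v1 line from the first bytes of a connection.

    Returns (header, remaining_bytes); header is None for "PROXY UNKNOWN",
    which carries no usable address. Anything not well-formed raises
    ProxyHeaderError rather than returning a partial result, so a bad line
    can never be mistaken for a client address.
    """
    if data.startswith(PROXY_V2_SIGNATURE):
        raise ProxyHeaderError("binary v2 header; this parser handles v1 only")
    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("missing 'PROXY ' signature")
    end = data.find(b"\r\n", 0, PROXY_V1_MAX_LEN)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the 107-byte limit")
    line, rest = data[:end], data[end + 2:]
    try:
        fields = line.decode("ascii").split(" ")  # single spaces only
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII byte in header") from exc
    if fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6:
        raise ProxyHeaderError(f"expected 6 fields, got {len(fields)}")
    _, proto, src, dst, sport, dport = fields
    family = {"TCP4": 4, "TCP6": 6}.get(proto)
    if family is None:
        raise ProxyHeaderError(f"unsupported protocol {proto!r}")
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError as exc:
        raise ProxyHeaderError("unparseable address") from exc
    if src_ip.version != family or dst_ip.version != family:
        raise ProxyHeaderError("address family does not match protocol")
    ports = []
    for p in (sport, dport):
        if not p.isdigit() or not 0 <= int(p) <= 65535:
            raise ProxyHeaderError(f"bad port {p!r}")
        ports.append(int(p))
    return ProxyHeader(proto, str(src_ip), str(dst_ip), ports[0], ports[1]), rest


def is_rejected(data: bytes) -> bool:
    """True if parse_proxy_v1 refuses the input (useful for tests and fuzzing)."""
    try:
        parse_proxy_v1(data)
    except ProxyHeaderError:
        return True
    return False


def effective_client(peer_ip: str, first_bytes: bytes,
                     trusted_proxies: list[str]) -> tuple[str, bytes]:
    """Return the address an allow/deny list or access log should use.

    Only a peer inside trusted_proxies (the load balancers known to prepend
    PROXY headers) may assert a client address. For any other peer the line
    is not honoured: its bytes are left untouched as application data and
    its own socket address is used, so a direct client cannot spoof a source.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_proxies):
        return peer_ip, first_bytes
    header, rest = parse_proxy_v1(first_bytes)
    if header is None:
        return peer_ip, rest
    return header.src_addr, rest


if __name__ == "__main__":
    # Constructed demo: the slide's header as sent by a trusted LB vs. a direct peer.
    line = b"PROXY TCP4 192.0.2.0 192.0.2.255 42300 443\r\nGET / HTTP/1.1\r\n"
    print(effective_client("10.0.0.5", line, ["10.0.0.0/8"]))      # honoured
    print(effective_client("203.0.113.9", line, ["10.0.0.0/8"]))   # ignored
```

The trusted-peer check is the part that matters for the allow/deny-list use case: it mirrors what Envoy, HAProxy and Nginx require when their proxy-protocol listeners are enabled, namely that only known upstream load balancers are allowed to speak the protocol, and it fails closed on any malformed line instead of guessing.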
Address within IstioWhat is the use case of original address 1. Sticky Session: based on ip hash, traffic from same client is forwarded to the same backend 2. Security Policy: set white/black list 3. Access log & Stats reporting the client IP address and port. A PROXY Protocol plain-text header has the format: PROXY TCP4 192.0.2.0 192.0.2.255 42300 443\r\n  Proxy Protocol v2 #IstioCon Proxy Protocol client Server connection Proxy Protocol binary header Application data - The client and server side must support proxy protocol simultaneously - The client here can be load balancers like envoy/haproxy/nginx which have0 码力 | 29 页 | 713.08 KB | 1 年前3
 Secure your microservices with istio step by stephttp http http http mTLS http #IstioCon Auto-mTLS in Istio ● Decide what type of traffic the client sidecar to send automatically ○ If DestinationRule is configured, respect it ○ If server has matchLabels: app: reviews mtls: mode: STRICT 1) Apply destination rule to enable client side mTLS mTLS in Istio - Destination rule Using ingress port and ingress host to send request: not access reviews-v2 since we have enabled ISTIO_MUTUAL mode on client side Access productpage 1) Apply destination rule enable client side mTLS mTLS in Istio - Destination rule http http http http0 码力 | 34 页 | 67.93 MB | 1 年前3 Secure your microservices with istio step by stephttp http http http mTLS http #IstioCon Auto-mTLS in Istio ● Decide what type of traffic the client sidecar to send automatically ○ If DestinationRule is configured, respect it ○ If server has matchLabels: app: reviews mtls: mode: STRICT 1) Apply destination rule to enable client side mTLS mTLS in Istio - Destination rule Using ingress port and ingress host to send request: not access reviews-v2 since we have enabled ISTIO_MUTUAL mode on client side Access productpage 1) Apply destination rule enable client side mTLS mTLS in Istio - Destination rule http http http http0 码力 | 34 页 | 67.93 MB | 1 年前3
Istio is a long wild river: how to navigate it safely
Adoption challenges: ● Moving HTTP/2 load-balancing from client-side to Envoy ● Label selector updates for app and version labels ● Istio default retry policy. Moving HTTP/2 load-balancing from client-side to Envoy: ● We use gRPC heavily in our microservices ● But Kubernetes is pretty bad at load-balancing it ● So we solved it by using client-side load-balancing; performance and capacity. [Diagram: Client Pod, Svc A Pod, Svc B Pod, authn/z]
69 pages | 1.58 MB | 1 year ago
Automate mTLS communication with GoPay partners with Istio
... ● subjectAltNames to verify the client SAN ● Additional AuthorizationPolicy to add IP allow listing. Egress mutual TLS: ● Using egress TLS origination ● Certificate is mounted in the client deployments using the annotations io/userVolumeMount and sidecar.istio.io/userVolume ● Client talks HTTP, upgraded automatically to mutual TLS by the sidecar. Challenge & future works: ● Client egress communication sometimes gets a 503 error ...
16 pages | 1.45 MB | 1 year ago
communication with
GoPay partners with
IstiosubjectAltNames to verify client SAN ● Additional AuthorizationPolicy to add IP allow listing Egress Mutual TLS ● Using Egress TLS origination ● Certificate is mounted in the client deployments using annotation io/userVolumeMount sidecar.istio.io/userVolume ● Client talks with HTTP, upgraded automatically to mutual TLS by sidecar. Challenge & Future Works Challenge ● Client egress communication sometime got 503 error0 码力 | 16 页 | 1.45 MB | 1 年前3
 Optimal Canary Deployments using
Istio and how it scores over Spring
Cloud and KubernetesV1 SPRING CLOUD GATEWAY www.my-application.com 75% or Header: X-User-Type: Non-Admin RIBBON (Client-Side Load Balancer) 25% or Header: X-User-Type: Admin Service Instance V1 Service Instance V1 SPRING CLOUD GATEWAY www.my-application.com 75% or Header: X-User-Type: Non-Admin RIBBON (Client-Side Load Balancer) 25% or Header: X-User-Type: Admin Service Instance V1 Service Instance Service Instance V2 Service Instance V2 Service Instance V2 Service Instance V2 RIBBON (Client-Side Load Balancer) Load Balancer Deployment Deployment Deployment Canary Releases Using Istio0 码力 | 9 页 | 1011.00 KB | 1 年前3 Optimal Canary Deployments using
Istio and how it scores over Spring
Cloud and KubernetesV1 SPRING CLOUD GATEWAY www.my-application.com 75% or Header: X-User-Type: Non-Admin RIBBON (Client-Side Load Balancer) 25% or Header: X-User-Type: Admin Service Instance V1 Service Instance V1 SPRING CLOUD GATEWAY www.my-application.com 75% or Header: X-User-Type: Non-Admin RIBBON (Client-Side Load Balancer) 25% or Header: X-User-Type: Admin Service Instance V1 Service Instance Service Instance V2 Service Instance V2 Service Instance V2 Service Instance V2 RIBBON (Client-Side Load Balancer) Load Balancer Deployment Deployment Deployment Canary Releases Using Istio0 码力 | 9 页 | 1011.00 KB | 1 年前3
 Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istioregion, etc. ○ L7 routing ○ Hardware Firewalls (not shown) in front of Application-Tier LBs ● Client connects to closest Web-Tier LB based on DNS lookup Application-Tier Load-Balancer Web-Tier Load-Balancer Load-Balancer Application-Tier Load-Balancer Web-Tier Load-Balancer Pods Pods Pods AZ 1 AZ 2 AZ n Client #IstioCon What about Security? ● L4 Micro-segmentation Solution ○ Central Policy store capturing Specs synced from Federated Access Point L4 Configuration L7 Route Configuration watch Client Traffic tunneled to Ingress Gateways One Istio Deployment per workload K8s cluster #IstioCon0 码力 | 22 页 | 505.96 KB | 1 年前3 Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istioregion, etc. ○ L7 routing ○ Hardware Firewalls (not shown) in front of Application-Tier LBs ● Client connects to closest Web-Tier LB based on DNS lookup Application-Tier Load-Balancer Web-Tier Load-Balancer Load-Balancer Application-Tier Load-Balancer Web-Tier Load-Balancer Pods Pods Pods AZ 1 AZ 2 AZ n Client #IstioCon What about Security? ● L4 Micro-segmentation Solution ○ Central Policy store capturing Specs synced from Federated Access Point L4 Configuration L7 Route Configuration watch Client Traffic tunneled to Ingress Gateways One Istio Deployment per workload K8s cluster #IstioCon0 码力 | 22 页 | 505.96 KB | 1 年前3
 How HP set up secure and
wise platform with Istiobetween two services, the client side and server side’s “envoy proxies” verify each other’s identities before sending requests. • If the verification is successful, then the client-side proxy encrypts the0 码力 | 23 页 | 1.18 MB | 1 年前3 How HP set up secure and





