model of Istio to guide the security audit as well as future security audits. 2. Carry out a manual code audit for security issues. 3. Review the fixes for the issues found in an audit from 2020. 4. Review obtained in parts of code bases that receive less attention. Our assessment is that, not counting the Operator, Istio is a very well-maintained and secure project with a sound code base, well-established test coverage with little to no room for improvement. We identified a few APIs in security-critical code parts that would benefit from fuzzing and wrote fuzzers for these. In total, 6 fuzzers were written

its control plane. The goal of the assessment was to identify security issues related to the Istio code base, highlight high risk configurations commonly used by administrators, and provide perspective areas of focus for subsequent phases of the assessment. A test plan was created which matched areas of code with specific security controls (e.g. service discovery, certificate lifecycle, side car injection) architectures were used to provide testers with a way of validating that security expectations in the code were implemented when deployed. Each environment was deployed following Istio Documentation using

com/gracezhang1110, www.linkedin.com/in/gong-zhang-75560670/ Advisory Software Engineer of IBM Cloud Code Engine team focusing on Knative Serving and Istio, contributor of the Knative and Cloud Foundry com/in/yu-zhuang- 51915287/ Architect and Senior Software Engineer in IBM Cloud. Working on IBM Cloud Code Engine (Serverless platform), focusing on Knative, Istio, and Tekton, community, leading team to running, and managing serverless, cloud- native applications. It provides benefits: Focus on code Scale to zero Quick entry to serverless computing … … traffic management observability security

wizards of Stack Overflow. Bugs And Security ● Read this quick explanation on how to report bugs, in code or in documentation. ● The Istio security team responds rapidly to vulnerability reports. Read how Contributor ● The Istio Community README is the starting point for contributors who want to work on code, docs or other parts of Istio. ● You can access our trove of technical content and working documents the Value of Community Housekeeping • View the full IstioCon-VIRTUAL schedule • Abide by CNCF Code of Conduct • Use the official #IstioCon in your social conversations • Join #istiocon slack channel

API request • Context propagation rarely obvious Challenge • Dependencies require lot of time to code • Many dependencies in a test suite • Dependency maintenance is effort intensive Solution • ML-driven ML-driven identification of candidate relationships • Supervised system to accept true positives • No code! | CONFIDENTIAL 17 ML-assisted Assertion Rule Learning createOrder Response: Recording { results • ML-driven identification of decision rules • Human review to accept the learned rules • No code! Test data | CONFIDENTIAL 18 Summary: create different types of tests efficiently by learning

with application layer error codes ○ HTTP status code ○ Redis Get error ○ ... ● Observability with application layer metrics ○ HTTP status code ○ Thrift request latency ○ ... ● Application layer AwesomeRPC in Istio? #IstioCon How to Manage AwesomeRPC Traffic in Istio? Pilot Envoy Code changes at the Pilot side: ● Add AwesomeRPC support in VirtualService API ● Generate LDS/RDS for

service | "unknown" destination_version: destination.labels["version"] | "unknown" response_code: response.code | 200 Istio & Kubernetes: 总结 对于云原生应用，采用Kubernetes构建微服务部署和集群管理能力，采用 Istio构建服务治理能力，将逐渐成为应用微服务转型的标准配置。

service | "unknown" destination_version: destination.labels["version"] | "unknown" response_code: response.code | 20015 Istio & Kubernetes: 总结 对于云原生应用，采用Kubernetes构建微服务部署和集群管理能力，采用 Istio构建服务治理能力，将逐渐成为应用微服务转型的标准配置。16

Thank you! @linsun_unc #IstioCon Istio Steering Committee Steering Committee Ecosystem Advocacy Code of Conduct Events

Your laptop is not part of the mesh club #IstioCon A dummy proxy for the mesh ● Called by Lua code ● Parses the contract header and makes http call #IstioCon #IstioCon Wait … What about VirtualService