Is Your Virtual Machine Really Ready-to-go with Istio?
attributes #IstioCon
Security & Usability Limitations (cont.)
● Access management: CNI needs improvements
  ○ Much required to avoid escalated Pod privileges
  ○ No support for smart DNS proxying (yet…)
security
  ○ Networking
● Hooks
  ○ sock_ops
    ■ Construct map
  ○ sk_msg_md
    ■ Match & redirect
● ~5% improvements
TCP/IP Stack Bypass (cont.)
● Leverage eBPF
● Target Pod/VMs on the same node
top
  ○ Provides independent streams
    ■ Extremely similar to HTTP/2, but in transport layer
● Improvements
  ○ TCP head of line blocking
  ○ Faster handshakes
  ○ Earlier data
  ○ Connection-ID
  ○ More encryption
0 码力 | 50 pages | 2.19 MB | 1 year ago
Moving large scale consumer e-commerce Infrastructure to Mesh
sources of failures (Consul etc)
● Possible benefits on Observability
#IstioCon
Requirements and Improvements
● Immutable deployments
● Minimal blast radius
● Discover Pods for controlled and predictable
including Virtual Service and Destination rule
Takeaways
● Identify the problems and improvements
● POCs for all known use-cases and features, say mTLS, Outlier detection etc.
● Passthrough
0 码力 | 14 pages | 1.76 MB | 1 year ago
Istio Security Assessment
information about Pilot. This has a risk of containing certificates, keys, and secrets used by Pilot at runtime. This web interface also allows unauthenticated users to force all Istio objects to sync their
Component Istio Location
• istio/istio/mixer/adapter/list/list.go#194
• istio/istio/mixer/pkg/runtime/handler/signature.go#80
• istio/istio/mixer/pkg/config/store/fsstore.go#91
• istio/istio/pkg/mcp
h.log.Infof("Fetched list is unchanged") h.resetPurgeTimer() return }
• istio/istio/mixer/pkg/runtime/handler/signature.go (line 80)
15 | Google Istio Security Assessment Google / NCC Group Confidential
0 码力 | 51 pages | 849.66 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
control for workloads in the mesh. Authorization policies are created by users and are enforced at runtime using Envoy's built-in authorization engine. Incoming requests are passed to Envoy that then evaluate
return err
38 Istio Security Audit, 2023
0a9a5cf72728c896af/istioctl/cmd/analyze.go#L397
} runtime.SetFinalizer(r, func(x *os.File) { x.Close() }) readers = append(readers, local.ReaderSource{Name:
0a9a5cf72728c896af/istioctl/cmd/analyze.go#L397
r, err := os.Open(f) if err != nil { return local.ReaderSource{}, err } runtime.SetFinalizer(r, func(x *os.File) { x.Close() }) return local.ReaderSource{Name: f, Reader: r}, nil
0 码力 | 55 pages | 703.94 KB | 1 year ago
宋净超: From open-source Istio to enterprise-grade services: how to land a service mesh in the enterprise
will directly use Istio APIs.
Tetrate OSS Projects
● Wazero: the zero dependency WebAssembly runtime for Go developers
● Istio Security Scanner
● Envoy Gateway: Manages Envoy Proxy as a standalone
● Func-e: Make running Envoy easy
Wazero
● wazero is the only zero dependency WebAssembly runtime written in Go.
● Contribute to Go/TinyGo/Rust
● Using WasmPlugin API to extend Istio
● GitHub: tetratelabs/wazero
0 码力 | 30 pages | 4.79 MB | 6 months ago
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
young;
Wasm in Envoy Proxy
● Dynamic Wasm loading
● Consistency verification:
  ○ https://github.com/proxy-wasm/spec
● Built-in Wasm runtime
  ○ ~20MB for WAVM
  ○ ~10MB for V8
● Event-driven model
● Compatible with the native filter invocation style
Example Wasm filter configuration
Pushing with the push command
● oras push acree-1-registry.cn-hangzhou.cr.aliyuncs.com/asm/asm-test:v0.1 --manifest-config runtime-config.json:application/vnd.module.wasm.config.v1+json example-filter.wasm:application/vnd.module
0 码力 | 23 pages | 2.67 MB | 1 year ago
Istio in production environments
CD metrics alerts deploy cache events logs secrets storage runtime app dev prod dev prod internal external on-prem dev prod public cloud
0 码力 | 42 pages | 3.45 MB | 1 year ago
7 items in total