Istio Security Assessment (51 pages, 849.66 KB, 1 year ago)
… on page 36 — would be able to obtain sensitive routing metadata for Gateways and possibly other resources declared in other namespaces. However, due to time constraints, NCC Group was unable to determine … earlier-created Gateway. Due to this behavior, it is possible for accounts otherwise limited to creating resources in specific namespaces to intercept requests for services run from other namespaces, while leveraging … which, if enabled, configures the pilot-agent such that “a gateway workload can only select gateway resources in the same namespace” and “Gateways with same selectors in different namespaces will not be applicable”; …
Istio is a long wild river: how to navigate it safely (69 pages, 1.58 MB, 1 year ago)
… Stabilizing Istio: define the HPA target for multi-container pods. Pod: app container (CPU: 1) plus sidecar container (CPU: 100m). HPA configuration (70% CPU): metrics: - type: Resource, resource: name: cpu, target: … Original CPU absolute target (700m): Target % = Original CPU absolute target / Sum of CPU resources = 63.6%. … Both options have new features. … To succeed in Istio adoption you need to have: dedicated resources for it (the more the better); a good in-house knowledge of networking: Linux, Kubernetes and …
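The 700m / 1100m = 63.6% rescaling in the snippet above, generalized into a small calculator. This is an added example, not code from the slide deck or from Istio: it parses Kubernetes CPU quantities, sums the pod's container requests (a `type: Resource` HPA metric averages usage over the sum of all containers' requests, which is why the app-only 70% shifts once the sidecar is injected), rescales the target, and shows the caveat that sidecar CPU counts toward the same average. The container names and requests (`app`: 1 CPU, `istio-proxy`: 100m) are constructed to match the slide.

```python
"""Rescale an HPA CPU target for a pod that also runs an Istio sidecar.

A `type: Resource` HPA metric averages usage over the sum of ALL containers'
CPU requests in the pod, so a 70% target written for the app container alone
has to be rescaled once the sidecar's request is added. Added example, not
code from the slide deck or from Istio; the sample pod below is constructed.
"""
import math

# Constructed sample matching the slide: app requests 1 CPU, sidecar 100m.
SAMPLE_REQUESTS = {"app": "1", "istio-proxy": "100m"}
APP_TARGET_PERCENT = 70  # the HPA target written with only the app in mind


def parse_cpu(quantity: str) -> int:
    """Parse a Kubernetes CPU quantity ("1", "0.5", "100m") into millicores."""
    q = quantity.strip()
    if q.endswith("m"):
        return int(q[:-1])
    # Whole or fractional cores; round to the nearest millicore.
    return int(round(float(q) * 1000))


def pod_cpu_request_m(requests: dict) -> int:
    """Sum of every container's CPU request in the pod, in millicores."""
    return sum(parse_cpu(q) for q in requests.values())


def absolute_target_m(requests: dict, app: str, app_target_percent: float) -> float:
    """The app-only target as an absolute value (700m in the slide)."""
    return parse_cpu(requests[app]) * app_target_percent / 100


def rescaled_target_percent(requests: dict, app: str, app_target_percent: float) -> float:
    """Pod-level utilization that corresponds to the app-only target.

    Target % = absolute app target / sum of CPU requests, rounded to 0.1.
    """
    return round(absolute_target_m(requests, app, app_target_percent)
                 / pod_cpu_request_m(requests) * 100, 1)


def pod_utilization_percent(requests: dict, usage_m: dict) -> float:
    """The utilization the HPA actually observes for the given per-container
    usage (millicores). Sidecar CPU counts toward the same pod-level average."""
    return round(sum(usage_m.values()) / pod_cpu_request_m(requests) * 100, 1)


def hpa_metric(target_percent: float) -> dict:
    """The `metrics` entry for the HPA manifest. `averageUtilization` is an
    integer field in the API, so floor it: the pod then scales out no later
    than the original app-only target would have."""
    return {
        "type": "Resource",
        "resource": {
            "name": "cpu",
            "target": {"type": "Utilization",
                       "averageUtilization": math.floor(target_percent)},
        },
    }


if __name__ == "__main__":
    pct = rescaled_target_percent(SAMPLE_REQUESTS, "app", APP_TARGET_PERCENT)
    print(f"pod requests: {pod_cpu_request_m(SAMPLE_REQUESTS)}m, rescaled target: {pct}%")
    print("idle sidecar:", pod_utilization_percent(SAMPLE_REQUESTS, {"app": 700, "istio-proxy": 0}), "%")
    print("busy sidecar:", pod_utilization_percent(SAMPLE_REQUESTS, {"app": 700, "istio-proxy": 50}), "%")
    print(hpa_metric(pct))
```

The rescaled 63.6% is exact only while the proxy is idle: with the app at its 700m threshold and the sidecar using 50m, the pod-level average is already 68.2%, so the HPA scales out earlier than the app-only target would have. That drift is the price of a pod-level `Resource` metric and is the reason to re-check the target whenever sidecar requests change.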
Istio audit report - ADA Logics - 2023-01-30 - v1.0 (55 pages, 703.94 KB, 1 year ago)
… failing to do so. Ingress Resources: Istio offers two models for managing ingress traffic to the cluster: 1. the Kubernetes Ingress resource; 2. the Istio Gateway. These resources are exposed to the outside … Istio operator. Vectors: CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling. ID: ADA-IST-1. Fix: https://github.com/istio/istio/pull/41705. Description: … an attacker could exploit this by forcing Istio to open a large number of files and thus exhaust system resources, resulting in Denial of Service. … 4: Length of new byte slice controlled …
Developing & Debugging WebAssembly Filters (© 2020; 22 pages, 2.22 MB, 1 year ago)
… recompile and maintain a build of Envoy. Envoy filters: EXTERNAL AUTH, RATE LIMITING, ROUTER, UPSTREAM, CUSTOM, gRPC TRANSCODER. Build Custom Envoy Filter. … Portable, Secure, Fast, Any Language, Outside …
Moving large scale consumer e-commerce Infrastructure to Mesh (14 pages, 1.76 MB, 1 year ago)
… environments. Ignore ports / IP as applicable (consul). Namespace isolation helps reduce Istio proxy resources. #IstioCon Next Steps: move stateful components into the mesh; discovery and routing; expose gateway …
Service mesh security best practices: from implementation to verification (29 pages, 1.77 MB, 1 year ago)
… Secure, Monitor, Enforce, Verify. Demo: mesh security lifecycle. Demo: Monitor mTLS. Thank You! Resources: https://istio.io/latest/docs/ops/best-practices/security/ ; https://cloud.google.com/servi…
宋净超: From open-source Istio to enterprise-grade services: how to adopt a service mesh in the enterprise (30 pages, 4.79 MB, 6 months ago)
… Background; Enterprise Service Mesh: Tetrate Service Bridge; Tetrate OSS Projects; Use Case; Resources. Tetrate, the Service Mesh Creators: Zack Butcher, Istio Steering Committee; Jeyappragash (JJ), co-founder …
Is Your Virtual Machine Really Ready-to-go with Istio? (50 pages, 2.19 MB, 1 year ago)
… VMs. Why VMs? Technical reasons: better-known security controls; better isolation (of resources, fault domains, etc.); compatibility (non-Linux, unikernels). Business reasons: legacy applications …
Using ECC Workload Certificates (pilot-agent environmental variables) (9 pages, 376.10 KB, 1 year ago)
… NIST CURVE: P-256. istiod will generate a self-signed CA certificate using RSA if plugged-in custom CA certificates aren't specified. #IstioCon MeshConfig support: in Istio 1.10 I am currently working …
Istio 2021 Roadmap: A heartwarming work of staggering predictability (17 pages, 633.89 KB, 1 year ago)
… inds-2020/ #IstioCon Extension Ecosystem: WebAssembly (Wasm) enhancements: APIs for adding custom Wasm extensions; focus on developer workflow; discovery of Wasm extensions. External AuthZ …
14 results in total (pages 1 and 2).