Using ECC Workload Certificates (pilot-agent environmental variables)
Jacob Delgado / Aspen Mesh #IstioCon ECC workload certificates ● In various environments, the need for x509 certificates that use Elliptic Curve Cryptography (ECC) is a requirement ● In Istio 1.6, support for workloads to use ECC certificates for mTLS in sidecar-to-sidecar communication was added ○ As of Istio 1.7.7+, 1.8.2+ and 1.9.0+ there is no longer the restriction that a plugged-in CA certificate must use ECC cryptography (using ECDSA P-256) to use this feature ● Only ECDSA P-256 is supported #IstioCon pilot-agent
0 码力 | 9 pages | 376.10 KB | 1 year ago
Using Istio to Build the Next 5G Platform
©2021 Aspen Mesh. All rights reserved. Key Platform Requirements Multi-Vendor Real-Time (RAN) Workload Mobility Networking outside CNF Encryption & Authorization between CNFs avoid escalated pod privileges ● Integrate with PKI minted Intermediate CA ● Enable ECC certificates ● Configure workload certificate TTLs ● Enable strict mutual TLS (mTLS) instead of auto ● Use dedicated architectural changes ● SPIFFE only certificates ● Configuring workload certificate TTLs ● RSA to ECC migration ● Missing www-authenticate header ● Tuning per-workload proxy concurrency ● Consuming Istio
0 码力 | 18 pages | 3.79 MB | 1 year ago
Istio Security Assessment
within Kubernetes clusters to provide service-to-service communication, manages TLS certificates, provides workload identity, and includes a built-in authorization system facilitated by its control plane cluster. • The Envoy Proxy admin port is exposed via the Istio sidecar and would allow a malicious workload to override or compromise their own Istio configuration. Strategic Recommendations • Build opinionated Sidecar Envoy Administrative Interface Exposed To Workload Containers 018 Low DestinationRules Without CA Certificates Field Do Not Validate Certificates 019 Low Default Injected Init Container Requires
0 码力 | 51 pages | 849.66 KB | 1 year ago
Song Jingchao: From open-source Istio to enterprise-grade services: how to land a service mesh in the enterprise
Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload (Service) VM Workload (Service) VM Workload (Service) VM API Gateway Ingress & Egress that VM ● Install DEB/RPM package of the Workload Onboarding Agent on that VM ● Provide a minimal declarative configuration describing where to onboard the workload to Bridged Mode vs Direct Mode ● Bridged:
0 码力 | 30 pages | 4.79 MB | 6 months ago
Service mesh security best practices: from implementation to verification
Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster Edge Operations Workload Data Exfiltration Man-In-The-Middle Denial of Service Privilege Escalation Application Compromise Control Plane Service mesh security architecture Cluster Workload Edge Operations Ingress Policies Egress Policies WAF / IDS Firewall User AuthN/Z Data Loss Authority K8s Network Policy K8s RBAC Audit Logging Image Verification Admission Control Workload Identity K8s RBAC K8s CNI AuthZ Policy Peer AuthN Policy KMS Control Plane Hardening
0 码力 | 29 pages | 1.77 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
1 ServiceEntry #IstioCon V1.6-1.8 Better VM Workload Abstraction A K8s Service and Pods Two separate objects with distinct lifecycles Before Workload Entry, a single Istio Service Entry object combined giving a first-class representation for the workloads themselves #IstioCon V1.6-1.8 Better VM Workload Abstraction Item Kubernetes Virtual Machine Basic schedule unit Pod WorkloadEntry Component selector: app: foo Istio Workload Entries labels: app: foo class: vm #IstioCon V1.6-1.8 Better VM Workload Abstraction ● Workload Entry ○ single non-Kubernetes workload ○ mTLS using service account
0 码力 | 50 pages | 2.19 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
services - Global IPAM, Access-control Policy store, etc. ● AZ Control Plane ○ Syncs specs to workload K8s clusters in the AZ ○ Shared-Nothing Architecture ■ Hosts services catering to the AZ, e Configuration watch Client Traffic tunneled to Ingress Gateways One Istio Deployment per workload K8s cluster #IstioCon Step 3: Evolve into AZ architecture ● One Istio deployment per K8s cluster Server Istiod East-West Gateway watch API Server Pods, Services Workload Cluster API Server Pods, Services Workload Cluster watch Services talk directly #IstioCon Step 4: Evolving
0 码力 | 22 pages | 505.96 KB | 1 year ago
Istio Meetup China: Service Mesh Security, Understanding Istio CNI
Start istio init container in workload Istiod watch updates & start networking sidecar proxy init container update iptables rule for proxy terminate init container Start workload with updated ip routing rules invoke CNI plugins CNI plugins setup ip for pod Istio CNI install sidecar network routing rule to workload iptables Benefits of Istio CNI No need for CAP_NET_ADMIN and CAP_NET_RAW permission No need for bypassing istio sidecar proxy (race condition) Istio CNI install sidecar network routing rule to workload iptables Issue in Istio CNI Kubelet Start a pausing pod Kubelet invoke CNI plugins CNI plugins
0 码力 | 19 pages | 3.17 MB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
perf) is a benchmark tool for Knative which can generate specific Knative Service provisioning workload and provides aggregated data of Knative Service ready duration. o Knative Performance Testing Framework ensure enough capacity Leveraged Metrics to monitor Istio & Knative components' CPU and MEM under workload to avoid CPU throttling and OOM and ensure enough capacity. In Istio 1.5.4: Istio scalability PILOT_DEBOUNCE_MAX=10s are the env vars on pilot that can be tuned. o Set PILOT_DEBOUNCE_AFTER=1s helps under our workload. (we tested with 100ms, 1s, 2s, 5s, 10s) o With 800 Knative Services in total, ingress_ready p98
0 码力 | 23 pages | 2.51 MB | 1 year ago
How HP set up secure and wise platform with Istio
Platform #IstioCon Wise Platform Using envoy filter to handle things from platform level, reduce workload of developers. EnvoyFilter provides a mechanism to customize the Envoy configuration generated Wise Platform Using envoyfilter to implement requirements on platform level, reduces application workload. Intelligence Platform for Multiple Tenant Support • Support multi-tenants (Add extra http header/
0 码力 | 23 pages | 1.18 MB | 1 year ago
19 entries in total