Istio Security Assessment
... Pilot: The service running within the istiod service that handles service discovery. • Istio Ingress/Egress: Networking controls allowing inbound and outbound access of Istio services. • Istio Envoy Usage ... with a Sidecar. Impact: If an Istio user relies on the Envoy sidecar for network restrictions such as egress controls, an attacker can bypass this sidecar and easily evade these controls. Description: ... Istio can provide may be unclear to users, especially when relying on features like REGISTRIES_ONLY or egress policies. A service mesh is different from a CNI in that one facilitates communications, and the ...
51 pages | 849.66 KB | 1 year ago
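The finding above only holds if nothing in the pod spec lets the workload route around Envoy. The script below is an added example (not code from the NCC Group assessment or from the Istio project) that audits pod objects for the settings under which Istio's egress controls are known not to apply: a non-proxy container running as the proxy's UID 1337 (exempt from the iptables redirect), NET_ADMIN/NET_RAW or privileged containers (can rewrite the redirect rules), hostNetwork pods and pods with injection disabled (never get a sidecar), and the traffic.sidecar.istio.io exclusion annotations. The sample pods are constructed; the pod name prefix handling and the list of conditions are this example's own assumptions and should be adjusted to the mesh being audited.

```python
"""Flag pod-spec settings that let a workload route around its Istio sidecar.

Added example, not code from the assessed project or from Istio. The checks
follow documented Istio behaviour: the proxy runs as UID 1337 and that UID is
exempt from the iptables redirect; hostNetwork pods are never injected;
NET_ADMIN/NET_RAW or privileged containers can rewrite the redirect rules; the
traffic.sidecar.istio.io/* annotations carve traffic out of the proxy.
"""
from __future__ import annotations

PROXY_UID = 1337  # UID Istio's iptables rules exempt from redirect
DANGEROUS_CAPS = {"NET_ADMIN", "NET_RAW"}
EXCLUSION_ANNOTATIONS = (
    "traffic.sidecar.istio.io/excludeOutboundIPRanges",
    "traffic.sidecar.istio.io/excludeOutboundPorts",
)


def _pod_name(pod: dict) -> str:
    meta = pod.get("metadata", {})
    return f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"


def sidecar_bypass_findings(pod: dict) -> list[str]:
    """One finding per bypass condition in a pod object (shape of `kubectl get pod -o json`)."""
    findings: list[str] = []
    name = _pod_name(pod)
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    annotations, labels = meta.get("annotations") or {}, meta.get("labels") or {}
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])

    # 1. No proxy at all means no egress policy is enforced for this pod.
    if not any(c.get("name") == "istio-proxy" for c in containers):
        disabled = "false" in (annotations.get("sidecar.istio.io/inject"),
                               labels.get("sidecar.istio.io/inject"))
        findings.append(f"{name}: no istio-proxy container "
                        f"({'injection disabled' if disabled else 'not injected'})")
    # 2. hostNetwork pods use the node's stack and are never injected.
    if spec.get("hostNetwork"):
        findings.append(f"{name}: hostNetwork=true, traffic never enters the proxy")
    # 3. Exclusion annotations legitimately route traffic around Envoy.
    for key in EXCLUSION_ANNOTATIONS:
        if key in annotations:
            findings.append(f"{name}: {key}={annotations[key]} skips the proxy for that traffic")
    # 4. Any non-Istio container that can dodge or rewrite the redirect.
    if (spec.get("securityContext") or {}).get("runAsUser") == PROXY_UID:
        findings.append(f"{name}: pod-level runAsUser={PROXY_UID} is exempt from the redirect")
    for c in containers:
        cname = c.get("name", "?")
        if cname.startswith("istio-"):
            continue  # istio-init / istio-validation legitimately hold NET_ADMIN
        sc = c.get("securityContext") or {}
        if sc.get("runAsUser") == PROXY_UID:
            findings.append(f"{name}/{cname}: runAsUser={PROXY_UID} is exempt from the redirect")
        caps = set((sc.get("capabilities") or {}).get("add") or []) & DANGEROUS_CAPS
        if caps:
            findings.append(f"{name}/{cname}: {sorted(caps)} can rewrite the redirect rules")
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container can rewrite the redirect rules")
    return findings


def audit(pods: list[dict]) -> dict[str, list[str]]:
    """Map each pod name to its findings, omitting clean pods."""
    return {_pod_name(p): f for p in pods if (f := sidecar_bypass_findings(p))}


# Constructed sample pods, not real cluster data.
CLEAN_POD = {
    "metadata": {"name": "checkout", "namespace": "shop"},
    "spec": {
        "initContainers": [{"name": "istio-init", "securityContext": {
            "capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}}}],
        "containers": [
            {"name": "app", "securityContext": {"runAsUser": 1000,
                                                 "capabilities": {"drop": ["ALL"]}}},
            {"name": "istio-proxy", "securityContext": {"runAsUser": 1337}},
        ],
    },
}
EVASIVE_POD = {
    "metadata": {"name": "exfil", "namespace": "shop", "annotations": {
        "traffic.sidecar.istio.io/excludeOutboundIPRanges": "0.0.0.0/0"}},
    "spec": {"containers": [
        {"name": "app", "securityContext": {"runAsUser": 1337,
                                             "capabilities": {"add": ["NET_ADMIN"]}}},
        {"name": "istio-proxy", "securityContext": {"runAsUser": 1337}},
    ]},
}
UNINJECTED_POD = {
    "metadata": {"name": "agent", "namespace": "infra",
                 "labels": {"sidecar.istio.io/inject": "false"}},
    "spec": {"hostNetwork": True, "containers": [{"name": "agent"}]},
}

if __name__ == "__main__":
    for pod_name, hits in audit([CLEAN_POD, EVASIVE_POD, UNINJECTED_POD]).items():
        print(pod_name, *hits, sep="\n  - ")
```

Feed it the items of `kubectl get pods -A -o json` to sweep a cluster. A hit is not automatically a vulnerability: istio-init legitimately needs NET_ADMIN, and exclusion annotations are often deliberate, which is why the script reports the reason for each hit rather than a pass/fail verdict. Any hit on a pod whose egress you believe is restricted by the sidecar should be treated as that restriction not existing.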
SberBank story: moving Istio from PoC to production
Architecture-diagram labels only: 2019 PoC (OCP 3.11, Istio 1.0, "Make It Simple"); January 2019; PROD PoC; March 2020 HA & DR (OCP 4.1, Istio 1.1); troubleshooting; Istio 1.4 with the Service Mesh Operator. Components shown: Istio Ingress, Istio Egress, Event Hub, DBs, Tracing Store, Logging Store, LB, Other External Services.
14 pages | 1.68 MB | 1 year ago
Automate mTLS communication with GoPay partners with Istio
... mutual TLS
● Implementing mutual TLS
  ○ Centralized Certificate Management
  ○ Ingress mutual TLS
  ○ Egress mutual TLS
● Challenge & Future Works
GoPay & Istio: About
● A few hundred developers
...
● Multiple subjectAltNames to verify client SAN
● Additional AuthorizationPolicy to add IP allow listing
Egress Mutual TLS
● Using egress TLS origination
● Certificate is mounted in the client deployments using an annotation
Challenge
● Client egress communication sometimes got 503 errors (Istio #26990). This is fixed by adding a retry mechanism in the VirtualService object.
Future Works
● Migrating egress TLS origination mechanism ...
16 pages | 1.45 MB | 1 year ago
Service mesh security best practices: from implementation to verification
Service mesh security architecture (diagram labels): ... Plane, Cluster, Workload, Edge, Operations, Ingress Policies, Egress Policies, WAF / IDS, Firewall, User AuthN/Z, Data Loss Prevention, Certificate Authority, K8s.
Edge security: ... firewall to defend against DDoS, injection, remote execution attacks. 2. Define egress security policies to defend against data exfiltration, botnet attacks. 3. Define firewall security ...
Workload security ...
Operation security best practices (Service Proxy, Ingress, Egress): 1. Automatically manage source ... 2. Automatically reject invalid configurations (Gatekeeper, GitOps).
29 pages | 1.77 MB | 1 year ago
Moving large scale consumer e-commerce Infrastructure to Mesh
... monthly active users
● User requests over 10 billion per month
● Internet egress bandwidth over 100 TB/month
● Internal egress bandwidth ~2 PB/month
#IstioCon
Architecture Overview
● User traffic infrastructure: configuration using Consul
● HTTP/TCP traffic via HAProxy
● gRPC traffic via Envoy
● Internet egress using NAT gateway
Motivation
● Reliability of central proxy layer (HAProxy/Envoy) ...
14 pages | 1.76 MB | 1 year ago
宋净超: From open-source Istio to enterprise-grade services: how to adopt a service mesh in the enterprise
Diagram labels: (Service) POD Workload, (Service) VM Workload, API Gateway, Ingress & Egress; mesh can include VMs.
● Multi tenancy
● Traffic shaping and canary controls, across clusters
● High availability reporting
● Service discovery across multiple clusters
● Fine-grained ingress & egress controls
● API GW is part of the mesh
● Workflows for collaborative agility
More About Multi ... (same diagram repeated)
Before using service mesh: 100+ Kubernetes clusters
● VM integration
● On-prem, ...
30 pages | 4.79 MB | 6 months ago
Using Istio to Build the Next 5G Platform
Talk to CNFs in the Mesh (diagram labels): UDM, Virtual Machine, Namespace, SMF, SMF Frontend, UDM Egress Gateway, Redis DB, SMF App X, Control Plane, UDM Identity. ©2021 Aspen Mesh
Tuning Istio to Meet 5G Security Requirements
● Configure workload certificate TTLs
● Enable strict mutual TLS (mTLS) instead of auto
● Use dedicated egress gateways
18 pages | 3.79 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Default wide-open egress sidecar configuration does not scale
  ○ Results in high memory usage & convergence times since each sidecar knows about all services in the cluster
  ○ Disabled egress traffic to restrict ...
22 pages | 505.96 KB | 1 year ago
Istio is a long wild river: how to navigate it safely
The Sidecar CRD to save the mesh (Stabilizing Istio):

  ...istio.io/v1beta1
  kind: Sidecar
  metadata:
    name: default
    namespace: mercari-echo-jp-dev
  spec:
    egress:
    - hosts:
      - ./*
      - istio-system/*

Only Istio and the local namespace configuration is ...
69 pages | 1.58 MB | 1 year ago
Istio as an API Gateway
Gateway Advantages
● Same abstractions for all your traffic control needs
  ■ Ingress
  ■ Egress
  ■ Inter Service Communication
● Build expertise in one discipline
● Decentralized maintenance
27 pages | 1.11 MB | 1 year ago
16 results in total