Service mesh security best practices: from implementation to verification
...exceptions. 2. Define policy constraints to automatically validate that policy exceptions are as expected. [Slide labels: Gatekeeper; Service 1 / Proxy; Service 2 / Proxy; Namespace foo; Istio authn & authz policies.] Workload security best practices: Scan vulnerabilities; Verify images; Gatekeeper; Binary authorization; Restrict privileges; Gatekeeper; Istio CNI. Cluster security; Edge security; Workload security; Operation practices. Service / Proxy; Ingress; Egress. 2. Automatically reject invalid configurations (Gatekeeper). GitOps: 1. Automatically manage the source of truth for mesh policies. Audit log. Cluster security
0 码力 | 29 pages | 1.77 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
...to catch issues at CI-level, keeping a short feedback loop
● Leverage admission webhooks (OPA Gatekeeper) to
○ protect the resources
○ check what cannot be checked at linter-level (inventory)
Please ... CRDs to keep Istio healthy and find mechanisms to handle this automatically
● Guardrails such as Gatekeeper OPA are crucial to ensure the long-term stability of Istio
Adopting Istio 43 Adoption challenges
0 码力 | 69 pages | 1.58 MB | 1 year ago
Istio Security Assessment
...provide a reference such as an OPA gateway policy. 19 https://kubernetes.io/blog/2019/08/06/opa-gatekeeper-policy-and-governance-for-kubernetes/
37 | Google Istio Security Assessment Google / NCC Group
0 码力 | 51 pages | 849.66 KB | 1 year ago
3 results in total