Service mesh security best practices: from implementation to verification
Exfiltration Man-In-The-Middle Denial of Service Privilege Escalation Application Compromise Control Plane Service mesh security architecture Cluster Workload Edge Operations Ingress Policies Audit Logging Image Verification Admission Control Workload Identity K8s RBAC K8s CNI AuthZ Policy Peer AuthN Policy KMS Control Plane Hardening Istio Security Releases Complete Security Cluster security Service Proxy Ingress 1. Define ingress security policies to control accesses to services. Deploy web application firewall to defend against DDoS, injection, remote
29 pages | 1.77 MB | 1 year ago
Istio Service Mesh at Enterprise Scale
● Blocked ○ Envoy Filters ○ Gateways Developer Platform Integration ● Mesh Automation ○ Control Plane Install/Upgrade ○ Admiral cluster registration ● Higher Level Logical Service for Developers ○ Multi-cluster Identity ○ Multi-region Endpoint ○ Istio config integrated with gitops deployment ○ Init modifications to prevent proxy startup race conditions Thank You Admiral Istio Ecosystem
12 pages | 1.23 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
Shortcoming 1: Controlling the running order for containers Stabilizing Istio Kubernetes lacks good control APIs to customize the containers lifecycle in a pod. There is no official way to instruct a pod A full mesh is utopian, know what you need only Stabilizing Istio The reality: ● The control plane is burning down when pushing your thousand services updates to the hundreds of proxies running CRD to save the mesh Stabilizing Istio The Sidecar CRD (Custom Resource Definition) allows to control the exposure of mesh configuration to a specific proxy, based on namespace or labels. apiVersion:
69 pages | 1.58 MB | 1 year ago
Istio-redirector: the way to go to manage thousands of HTTP redirections
VirtualService files. Then, it automatically creates the Pull Request on GitHub on our GitOps repo How does it work? #IstioCon Creating the .csv Importing the file Generating the Istio
13 pages | 1.07 MB | 1 year ago
Istio Security Assessment
certificates, provides workload identity, and includes a built-in authorization system facilitated by its control plane. The goal of the assessment was to identify security issues related to the Istio code base, highlight (NOTE: Envoy itself was not part of the assessment). • Istio Control Plane: Istio operator, side car injector, and other Istio control plane services • Istio Documentation: The documentation and secu- that could allow route hijacking • In testing, it did not appear to be possible to secure the control plane either by the controlPlaneSecurity configuration directive or other means. This left all default
51 pages | 849.66 KB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Hierarchy of control planes ● Global Control Plane ○ Users provide application specs to Global Control-Plane ○ Syncs specs to AZ control-planes ○ Hosts global services - Global IPAM, Access-control Policy store, etc. ● AZ Control Plane ○ Syncs specs to workload K8s clusters in the AZ ○ Shared-Nothing Architecture ■ Hosts services catering to the AZ, e.g., AZ IPAM, Network Load-balancers, etc K8s Cluster K8s Cluster K8s Cluster K8s Cluster AZ Control Plane AZ Control Plane AZ Control Plane Global Control Plane Region Rn Delegate #IstioCon Load balancing & Traffic Flow
22 pages | 505.96 KB | 1 year ago
宋净超: From open-source Istio to enterprise-grade services: how to adopt a service mesh in the enterprise
with NIST ● Author SP 800-204 series on microservice security ● R&D on Next Generation Access Control (NGAC) ● Exclusively co-host annual zero trust multi-cloud conference Best in Class Team ● Creators Istio? TSB: The Application-Aware Networking Platform Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) availability & resiliency enabling active-active deployments ● Cross cluster security policies & access control ● Unified telemetry and availability reporting ● Service discovery across multiple clusters ●
30 pages | 4.79 MB | 6 months ago
Is Your Virtual Machine Really Ready-to-go with Istio?
V0.2 Mesh Expansion ● Prerequisites ○ IP connectivity to the endpoints in the mesh ○ Istio control plane services (Pilot, Mixer, CA) accessible from the VMs ○ (optional) Kubernetes DNS server accessible http req to 172.16.1.3 GET /status/200 #IstioCon V1.8 Smart DNS Proxy: A Step Further ● Taking control of DNS! ○ VMs to Kubernetes integration ○ Reduced load on your DNS servers w/ faster resolution Networks #IstioCon Current State of VM Support ● Traffic flow ○ VM connects up to the Istio control plane through a Gateway ○ WorkloadEntry created ■ VM sidecar is made aware of all services in the
50 pages | 2.19 MB | 1 year ago
Developing & Debugging WebAssembly Filters
Orders Citadel Pilot Galley User Account Istiod Understanding Istio: Control and data planes data plane control plane 5 | Copyright © 2020 Extend Envoy Proxy with Filter Develop: Envoy Filters User AWS EKS Istiod Orders User Account Ingress Ingress Ingress Gloo Mesh Management Plane SRE / Platform Team Deploy Wasm WasmDeployment Wasm Registry Istiod 18 | Copyright © 2020
22 pages | 2.22 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
offers more advanced features to support A/B testing, canary deployments, rate limiting, access control, encryption and end-to-end authentication. Istio itself is implemented in Go which shields the project of the language. Istio consists of two components: The controlplane and the dataplane. The data plane handles the connection between services and forms a series of proxies deployed as sidecars. The proxies consist of Envoy proxies and an Istio-agent and manage network traffic between microservices. The control plane is responsible for applying user configuration to the proxies. The following diagram demonstrates
55 pages | 703.94 KB | 1 year ago
27 results in total