Istio-redirector: the way to go to manage thousands of HTTP redirections
#IstioCon Istio-redirector: the way to go to manage thousands of HTTP redirections Etienne Fontaine (@etifontaine) #IstioCon Istio-redirector 301-redirection from /bus/routes/bruxelles/lille [...] spec: gateways: - istio-system/istio-ingressgateway hosts: - www.blablacar.fr http: - match: - uri: exact: /co2 redirect: uri: /blablalife/lp/zeroemptyseats
码力 | 13 pages | 1.07 MB | 1 year ago
Istio Security Assessment
Istio Security Assessment Google / NCC Group Confidential - "*" gateways: - test/bookinfo-gateway http: - match: - uri: exact: /productpage route: - destination: host: details.restrict-test.svc.cluster the following 7. Run the following command and observe that a normal HTML page is returned curl -v "http://$GATEWAY/productpage" 8. Use an administrative account to run the following commands kubectl -n commands curl -v "http://$GATEWAY/productpage" curl -v "http://$GATEWAY/login" 10. Observe that the first command now returns a 404 error and the second command returns a redirect to http://www.nccgroup
码力 | 51 pages | 849.66 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
NewHandler in an http.MaxBytesHandler.” John found that when the recommended MaxBytesHandler was used, the request body was not fully consumed, meaning that when a server attempts to read HTTP2 frames from the connection it will instead be reading the body. As such, the MaxBytesHandler introduces an http request smuggling attack vector. The issue was disclosed to the Golang security team who fixed the of these had impressive test coverage with little to no room for improvement. We identified a few APIs in security-critical code parts that would benefit from fuzzing and wrote fuzzers for these. In total
码力 | 55 pages | 703.94 KB | 1 year ago
Istio 2021 Roadmap: A heartwarming work of staggering predictability
○ Secret Discovery Service (SDS) ○ Auto mTLS ● API and feature promotion ○ Networking/Security APIs ○ Virtual Machine expansion/Multi cluster mesh https://istio.io/latest/blog/2020/tradewinds-2020/ Upgrade checks ○ Better testing mirroring production use cases ● Enhanced troubleshooting ● Aligning APIs with Istio user roles and responsibilities https://istio.io/latest/blog/2020/tradewinds-2020/ #IstioCon enhancements ○ APIs for adding custom Wasm extensions ○ Focus on Developer workflow ○ Discovery of Wasm extensions ● External AuthZ extensions ● Telemetry provider extension APIs https://istio.i
码力 | 17 pages | 633.89 KB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
exploding Service Testing Component Testing E2E API Tests Engineering effort grows superlinearly as #APIs grow Customer services Order services Catalog Customer history … Order details Payments Audit for example payment processing system | CONFIDENTIAL 5 Current approaches do not scale with #APIs Service Tests E2E API Tests Component Tests E2E Component Service Unit - E2E, component and … … … … … Test Driver TEST ENVIRONMENT Derive different types of tests Mocks for External APIs Istio enables learning tests from API usage Learnt by Mesh API Studio Third-party apps Manual
码力 | 21 pages | 1.09 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
to Istio End of 2021 100% services migrated to Istio 8 Features currently used: ● HTTP/2 Load-balancing ● Traffic Shifting ● mTLS Features under investigation: ● Retries ● Circuit 1: Controlling the running order for containers Stabilizing Istio Kubernetes lacks good control APIs to customize the containers lifecycle in a pod. There is no official way to instruct a pod to: 1 fights, start small Stabilizing Istio Start with few simple features such as: ● Injecting sidecars, HTTP/2 LoadBalancing ● Traffic shifting for canaries Build confidence in the system and understanding
码力 | 69 pages | 1.58 MB | 1 year ago
Moving large scale consumer e-commerce Infrastructure to Mesh
#IstioCon Architecture Overview ● User traffic infrastructure - TW region, all 3 zones ● REST APIs for client traffic ● gRPC for inter-service traffic ● Around 100+ microservices ● Majority of services Architecture Overview - Discovery and Routing ● Service Discovery and Configuration using Consul ● HTTP/TCP traffic via HAProxy ● gRPC traffic via Envoy ● Internet egress using NAT gateway #IstioCon use-cases and features say mTLS, Outlier detection etc. ● Passthrough mode downgrades gRPC/http2 protocol to Http/1.1 ● Tune connection and TCP settings ● Handle signals gracefully (SIGINT, SIGTERM) ●
码力 | 14 pages | 1.76 MB | 1 year ago
宋净超: From open-source Istio to enterprise-grade services: how to bring a service mesh into production in the enterprise
group will use macro APIs that automatically generate Istio APIs under the hood. ● Direct: Indicates that the configurations to be added to the group will directly use Istio APIs. Tetrate OSS Projects
码力 | 30 pages | 4.79 MB | 6 months ago
Istio Project Update
Service VM Service VM Service Istio simplify VM onboarding #IstioCon Istio Standardize APIs Adopt Kubernetes service API Protocol declaration in Kubernetes service descriptor Transform informal
码力 | 22 pages | 1.10 MB | 1 year ago
Introduction to Envoy internals and production pitfalls
erd, Traefik. Thanks to its high performance and extensibility, Envoy is currently far ahead in the data plane. • Iptables routes all traffic entering and leaving the application between Pods through the Envoy proxy, which is completely transparent to the application. It supports the main common network protocols such as HTTP/1, HTTP/2, TLS, gRPC and TCP. Copyright © Huawei Technologies Co., Ltd. All rights reserved. Page 6 Envoy internals and overall architecture - startup ... for the original destination service, and finds the backend handler to process the new connection. • The backend handler's protocol is specified in the configuration, and the data read is processed by the network filters associated with that protocol. • For HTTP, the request filters then process the HTTP headers (route selection and similar functions) and create the upstream connection pool. • The modified and encoded HTTP message is sent over the network to the container network of the peer Envoy. • Traffic that iptables identifies as inbound enters the virtualInbound port. • ORIGINA ... The Connection object then registers the Read/Write callback onFileEvent with libevent again and, acting as the L4 filter manager, handles onNewConnection and onData data reception. • For HTTP, the request continues through L7 encoding/decoding before being sent upstream. • When the request is complete, deferredDelete is called to delete the request object and statistics/observability data are recorded. • Network data is sent using asynchronous I/O, reducing the impact on other operations within the thread
码力 | 30 pages | 2.67 MB | 1 year ago