Automate mTLS communication with GoPay partners with Istio
Automate mTLS communication with GoPay partners with Istio Vijay Dhama, Gojek Zufar Dhiyaulhaq, Gojek Agenda ● GoPay & Istio ● Before mutual TLS ● Implementing mutual TLS ○ Centralized Certificate ● Central certificate management manage our certificate lifecycle for HTTPS and mutual TLS communication. ● Renew & sync to our Kubernetes cluster, also support syncing to VM with an agent installed automatically to mutual TLS by sidecar. Challenge & Future Works Challenge ● Client egress communication sometime got 503 error (Istio #26990). This is fixed by adding retry mechanism in the Virtual
0 码力 | 16 pages | 1.45 MB | 1 year ago

Set Sail for a Ship-Shape Istio Release
Working Group - Stability ● Standards and processes ○ Control plane behavior ○ Data plane communication ● Promote revision-based upgrades to stable and support skip-level revision-based upgrades gone from weeks to hours for major releases and hours to minutes for patch releases. Better communication of what’s important to users and more time saved for developers. #IstioCon Feature Maturity
0 码力 | 18 pages | 199.43 KB | 1 year ago

Istio Security Assessment
service mesh technology stack often used within Kubernetes clusters to provide service-to-service communication, manages TLS certificates, provides workload identity, and includes a builtin authorization system log notes: “Despite the naming, in Istio 1.5 when controlPlaneSecurityEnabled is set to false, communication between the control plane will be secure by default.” In the “Default” profile used to represent
0 码力 | 51 pages | 849.66 KB | 1 year ago

Istio as an API Gateway
● Same abstractions for all your traffic control needs ■ Ingress ■ Egress ■ Inter Service Communication ● Build expertise in one discipline ● Decentralized maintenance ● Rich Network functionalities
0 码力 | 27 pages | 1.11 MB | 1 year ago

Apache Kafka with Istio on K8s
Observability • Disaster recovery Production grade Apache Kafka on Kubernetes 3 • Secure communication using mTLS between all services • Configurable short-lived certificates • On the fly certificate
0 码力 | 14 pages | 875.99 KB | 1 year ago

Using ECC Workload Certificates (pilot-agent environmental variables)
● In Istio 1.6, support for workloads to use ECC certificates for mTLS in sidecar-to-sidecar communication was added ○ As of Istio 1.7.7+, 1.8.2+ and 1.9.0+ there is no longer the restriction that a
0 码力 | 9 pages | 376.10 KB | 1 year ago

宋净超: From Open-Source Istio to Enterprise-Grade Services: How to Adopt a Service Mesh in the Enterprise
Gateway Traffic Flow Cloud Vendor Gateway Consolidation TSB allows service discovery and communication via the NodePort service type instead of a LoadBalancer Architecture ● Multi cluster ● Multi
0 码力 | 30 pages | 4.79 MB | 6 months ago

Is Your Virtual Machine Really Ready-to-go with Istio?
routed through the gateway to the service ● The data plane traffic ■ Single network ● direct communication w/o requiring intermediate Gateway ■ Multiple networks ● all goes through the Gateway ● via
0 码力 | 50 pages | 2.19 MB | 1 year ago

Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
say that we’re running a bookinfo application in an Istio service mesh, but the inter-services communication are done by AwesomePRC, our own RPC protocol, instead of HTTP. So, how could we achieve layer-7
0 码力 | 29 pages | 2.11 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
_ = err } resp.Body.Close() break } return nil, nil } 34 Istio Security Audit, 2023 6: Communication between Istio control plane components skips certificate verification Severity: Low Difficulty:
0 码力 | 55 pages | 703.94 KB | 1 year ago

10 results in total