Istio Security Assessment
By Default 013 Medium Permissive Kubernetes RBAC within a Namespace 015 Medium Default Sidecar Image Not Hardened 001 Low The Sidecar Does Not Use Apparmor/Seccomp By Default 005 Low Insecure File exposed via sidecar (see finding NCC-GOIST2005-002 on the previous page) • Sidecar image using outdated, unhardened base image (see finding NCC-GOIST2005-005 on page 23) • Debug interface enabled for istiod if len(chunk) == 0 { continue } r, err := ParseChunk(chunk) if err != nil { log.Errorf("Error processing %s[%d]: %v", path, i, err) continue } if r == nil { continue } resources = append(resources
51 pages | 849.66 KB | 1 year ago
Istio 2021 Roadmap: A heartwarming work of staggering predictability
https://istio.io/latest/blog/2020/tradewinds-2020/ #IstioCon Feature Graduation ● Enhancement workflow ○ CNI ○ IPv6 ○ Dual-stack (IPv4/IPv6) ○ Virtual Machine Expansion ○ Multi cluster mesh ○ Helm WebAssembly (Wasm) enhancements ○ APIs for adding custom Wasm extensions ○ Focus on Developer workflow ○ Discovery of Wasm extensions ● External AuthZ extensions ● Telemetry provider extension APIs
17 pages | 633.89 KB | 1 year ago
Istio in a production environment
"nais.io/v1alpha1" kind: "Application" metadata: name: app labels: team: pension spec: image: navikt/app:1 port: 8080 replicas: { min: 2, max: 4 } probes: { liveness: … } ingresses:
42 pages | 3.45 MB | 1 year ago
Developing & Debugging WebAssembly Filters
webassemblyhub.io/yuval/addheader-rust:v1 Build Store 14 | Copyright © 2020 Build Store WASM Artifact Image Specification Build Store Deploy > meshctl wasm deploy istio --mgmt-kubecontext kind-mgmt-cluster --deployment-name ratings-add-header --namespace bookinfo --image webassemblyhub.io/yuval/addheader-rust:v1 --cluster mgmt-cluster --labels app=ratings Extension Config
22 pages | 2.22 MB | 1 year ago
Canary (gray) release practice for Kubernetes container applications based on Istio
containers: - image: rating-v1 ... --- kind: Deployment metadata: name: rating-v2 spec: replicas: 3 template: metadata: labels: app: rating version: v2 spec: containers: - image: rating-v2
38 pages | 14.93 MB | 1 year ago
Canary (gray) release practice for Kubernetes container applications based on Istio
spec: containers: - image: rating-v1 kind: Deployment metadata: name: rating-v2 spec: replicas: 3 template: metadata: labels: app: rating version: v2 spec: containers: - image: rating-v2 Kubernet
34 pages | 2.64 MB | 6 months ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
services as a single sub-system while isolating them from other services, for example payment processing system | CONFIDENTIAL 5 Current approaches do not scale with #APIs Service Tests E2E API
21 pages | 1.09 MB | 1 year ago
Local Istio Development
Cluster + Registry docker push kubectl apply docker pull Local Kubernetes Local Registry + Fast! Image transfers are over localhost + Reproducible configuration with other developers and Istio tests
16 pages | 424.31 KB | 1 year ago
Service mesh security best practices: from implementation to verification
Data Loss Prevention Certificate Authority K8s Network Policy K8s RBAC Audit Logging Image Verification Admission Control Workload Identity K8s RBAC K8s CNI AuthZ Policy Peer AuthN
29 pages | 1.77 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
non-idempotent methods as it triggers when a server is unavailable at the TCP level. Build your Istiod image, push your tag and use it in the IstioOperator manifest. 55 Istio proxy performance and capacity
69 pages | 1.58 MB | 1 year ago