0.0.1 #IstioCon Istio Traffic Flow - ingress svcB envoy envoy Pod1：10.244.0.19 Pod2：10.244.0.25 Dest: 127.0.0.1 Src：127.0.0.1 Ingress gateway ELB ingress EIP: 192.168.1.100 #IstioCon What does #IstioCon Preserve TCP Original Src Addr - ingress svcB envoy envoy Pod1：10.244.0.19 Pod2：10.244.0.25 Dest: 127.0.0.1 Src：100.10.10.10 Ingress gateway ELB ingress EIP: 192.168.1.100 TOA or Proxy Protocol Src Addr - ingress - If ingress traffic is using TOA ① Ingress gateway only need enable Proxy Protocol Transport Socket. #IstioCon Preserve TCP Original Src Addr - ingress - If ingress traffic is

JianFeng Ding, LuYao Zhong #IstioCon Agenda ● Istio identity ● mTLS in Isito ● Secure ingress traffic ● Authorize ingress traffic ● Authorize in mesh traffic ● Summary #IstioCon Istio Architecture Connect peer-authentication to enable server side mTLS mTLS in Istio - PeerAuthenticati on Using ingress port and ingress host to send request: can access reviews-v1, reviews-v2 and reviews-v3 can reach v2 as Apply destination rule to enable client side mTLS mTLS in Istio - Destination rule Using ingress port and ingress host to send request: can access reviews-v1, reviews-v3 can not access reviews-v2 since

is the default networking layer solution of Knative. It is leveraged for Net-istio is A Knative ingress controller for Istio. Knative is an open source project which provides a set of components (Serving leveraged in a Knative based platform - Istio as an Ingress Gateway • By default, Knative does not enable service mesh, it uses Istio as an Ingress Gateway. • Enable Secret Discovery Service (SDS) to monitor and mount secrets under istio-system to ingress gateway which contains credentials for https support of multi tenants. • Knative has knative-ingress-gateway for external access and knative-local-gateway

Istio Pilot: The service running within the istiod service that handles service discovery. • Istio Ingress/Egress: Networking controls allowing inbound and outbound access of Istio services. • Istio Envoy Documentation 016 High Lack of VirtualService Gateway Field Validation Enables Request Hijacking 017 High Ingress Gateway Configuration Generation Enables Route Hijacking 023 High Pilot Debug Interface Exposes kubectl -n istio-system get service istio-ingressgateway \ -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 3. In a separate namespace, "test" with sidecar auto-injection enabled, use an administra-

Productivity January 2019 PoC OCP 3.11 Istio 1.0 Make It Simple Event Hub DBs SERVICE MESH Istio Ingress Istio Egress Other External Services Tracing Store Logging Store LB January 2019 PROD PoC Logging Store Event Hub DBs Istio Egress Other External Services Istio Ingress OCP 4.1 Istio 1.1 Istio Egress Istio Ingress OCP 4.1 LB LB LB TROUBLE SHOOTING January 2019 PROD PoC March 2020 OCP 4.4 OCP 4.4 LB LB LB Istio Ingress Istio Egress Istio Ingress Istio Egress Istio 1.4 Istio 1.4 Service Mesh Operator Istio Ingress Istio Egress Istio Ingress Istio Egress Istio 1.4 Istio

of cluster Ingress Sidecar or Ingress Gateway Low to high Ingress traffic can have the lowest level of privilege. As it enters the mesh it crosses a trust boundary. Ingress Sidecar or Ingress Gateway Proxy Low to high Traffic flowing from Ingress Sidecar or Ingress Gateway to a Proxy might be required to pass further security policies. Proxy Service Low to high Incoming traffic to proxy can be coming exceeding their trust boundaries. Untrusted traffic enters the Istio service mesh as ingress traffic through an ingress Gateway. Attack surface enumeration Any elevation of privilege in Istio is considered

Compromise Control Plane Service mesh security architecture Cluster Workload Edge Operations Ingress Policies Egress Policies WAF / IDS Firewall User AuthN/Z Data Loss Prevention Certificate Operation security Mesh security Edge Security Cluster security Service Proxy Ingress 1. Define ingress security policies to control accesses to services. Deploy web application firewall to security best practices Cluster security Access control Service Proxy Ingress Token exchange 1. Istio authentication and authorization policies for every service: mTLS to

Server NLB Controllers Istiod Network Load Balancer (NLB) Network Load Balancer (NLB) Ingress Gateway Ingress Gateway Pods Request Traffic Response Traffic Specs synced from Federated Access Access Point L4 Configuration L7 Route Configuration watch Client Traffic tunneled to Ingress Gateways One Istio Deployment per workload K8s cluster #IstioCon Step 3: Evolve into AZ architecture Re-deployed Istio to AZ cluster ○ In Primary-Remote configuration within an AZ AZ AZ Cluster Ingress Gateways API Server Istiod East-West Gateway watch API Server Pods, Services Workload

Pilot Mixer Citadel Node Agent Injector Galley istio-system Node Pod Sidecar Pilot Agent Ingress Egress Istio Single Cluster Simplified #IstioCon Service Proxy Authentication Authorization Extension Model Mixer #IstioCon Istiod Cluster 1 Istiod Cluster 2 API server API server Ingress Ingress Service A Service B Service B Mirror Simplified Istio Multicluster Model #IstioCon

Workload (Service) POD Workload (Service) VM Workload (Service) VM Workload (Service) VM API Gateway Ingress & Egress Mesh can include VMs ● Multi tenancy ● Traffic shaping and canary controls, across clusters telemetry and availability reporting ● Service discovery across multiple clusters ● Fine-grained ingress & egress controls ● API GW is part of the mesh ● Workflows for collaborative agility More About Workload (Service) POD Workload (Service) VM Workload (Service) VM Workload (Service) VM API Gateway Ingress & Egress Mesh include VMs Before using service mesh: 100+ Kubernetes cluster ● VM integration ●