Istio Pilot: The service running within the istiod service that handles service discovery. • Istio Ingress/Egress: Networking controls allowing inbound and outbound access of Istio services. • Istio Envoy Documentation 016 High Lack of VirtualService Gateway Field Validation Enables Request Hijacking 017 High Ingress Gateway Configuration Generation Enables Route Hijacking 023 High Pilot Debug Interface Exposes Sidecar Envoy Administrative Interface Exposed To Workload Containers 018 Low DestinationRules Without CA Certificates Field Do Not Validate Certificates 019 Low Default Injected Init Container Requires Sensitive

FuzzIstioCASign istio.io/istio/security/pkg/ pki/ca https://github.com/istio/istio/blob/6 5478ea81272c0ceaab568974aff7 00aef907312/security/pkg/pki/ca/f uzz_test.go#L24 5 FuzzValidateCSR istio.io/istio/security/pkg/ go#L23 9 Istio Security Audit, 2023 6 FuzzBuildSecurityCaller istio.io/istio/security/pkg/ server/ca https://github.com/istio/istio/blob/6 5478ea81272c0ceaab568974aff7 00aef907312/security/pkg/server/c of cluster Ingress Sidecar or Ingress Gateway Low to high Ingress traffic can have the lowest level of privilege. As it enters the mesh it crosses a trust boundary. Ingress Sidecar or Ingress Gateway

JianFeng Ding, LuYao Zhong #IstioCon Agenda ● Istio identity ● mTLS in Isito ● Secure ingress traffic ● Authorize ingress traffic ● Authorize in mesh traffic ● Summary #IstioCon Istio Architecture Connect Envoy 2. Request Cert (SDS)) 3. CSR Auth: JWT 4. Cert signed with SPIFFE format Istio-proxy CA server #IstioCon Istio identity – how to get configuration ● Format: "spiffe:///ns peer-authentication to enable server side mTLS mTLS in Istio - PeerAuthenticati on Using ingress port and ingress host to send request: can access reviews-v1, reviews-v2 and reviews-v3 can reach v2 as

Server NLB Controllers Istiod Network Load Balancer (NLB) Network Load Balancer (NLB) Ingress Gateway Ingress Gateway Pods Request Traffic Response Traffic Specs synced from Federated Access Access Point L4 Configuration L7 Route Configuration watch Client Traffic tunneled to Ingress Gateways One Istio Deployment per workload K8s cluster #IstioCon Step 3: Evolve into AZ architecture Re-deployed Istio to AZ cluster ○ In Primary-Remote configuration within an AZ AZ AZ Cluster Ingress Gateways API Server Istiod East-West Gateway watch API Server Pods, Services Workload

Namespace SMF SQL DB AMF App B AMF App A SMF Frontend SMF Ingress Gateway Redis DB SMF App X AMF Identity SMF Identity SMF Identity 10 ©2021 Aspen rights reserved. ● CNI to avoid escalated pod privileges ● Integrate with PKI minted Intermediate CA ● Enable ECC certificates ● Configure workload certificate TTLs ● Enable strict mutual TLS (mTLS) Namespace AMF Namespace SMF SQL DB AMF App B AMF App A SMF Frontend SMF Ingress Gateway Redis DB SMF App X https://aspenmesh.io/how-to-capture-packets-that-dont-exist/

(Pilot, Mixer, CA) accessible from the VMs ○ (optional) Kubernetes DNS server accessible from the VMs ● Onboard steps ○ Setup Internal Load Balancers (ILBs) for Kube DNS, Pilot, Mixer and CA ○ Generate Cluster IP resolved 4. Traffic intercepted by the sidecar proxy 5. xDS ■ Traffic forwarded to ingress in the mesh ● Traffic flow (Container -> VM) 1. Manual registration istioctl -n onprem register

0.0.1 #IstioCon Istio Traffic Flow - ingress svcB envoy envoy Pod1：10.244.0.19 Pod2：10.244.0.25 Dest: 127.0.0.1 Src：127.0.0.1 Ingress gateway ELB ingress EIP: 192.168.1.100 #IstioCon What does #IstioCon Preserve TCP Original Src Addr - ingress svcB envoy envoy Pod1：10.244.0.19 Pod2：10.244.0.25 Dest: 127.0.0.1 Src：100.10.10.10 Ingress gateway ELB ingress EIP: 192.168.1.100 TOA or Proxy Protocol Src Addr - ingress - If ingress traffic is using TOA ① Ingress gateway only need enable Proxy Protocol Transport Socket. #IstioCon Preserve TCP Original Src Addr - ingress - If ingress traffic is

is the default networking layer solution of Knative. It is leveraged for Net-istio is A Knative ingress controller for Istio. Knative is an open source project which provides a set of components (Serving leveraged in a Knative based platform - Istio as an Ingress Gateway • By default, Knative does not enable service mesh, it uses Istio as an Ingress Gateway. • Enable Secret Discovery Service (SDS) to monitor and mount secrets under istio-system to ingress gateway which contains credentials for https support of multi tenants. • Knative has knative-ingress-gateway for external access and knative-local-gateway

Productivity January 2019 PoC OCP 3.11 Istio 1.0 Make It Simple Event Hub DBs SERVICE MESH Istio Ingress Istio Egress Other External Services Tracing Store Logging Store LB January 2019 PROD PoC Logging Store Event Hub DBs Istio Egress Other External Services Istio Ingress OCP 4.1 Istio 1.1 Istio Egress Istio Ingress OCP 4.1 LB LB LB TROUBLE SHOOTING January 2019 PROD PoC March 2020 OCP 4.4 OCP 4.4 LB LB LB Istio Ingress Istio Egress Istio Ingress Istio Egress Istio 1.4 Istio 1.4 Service Mesh Operator Istio Ingress Istio Egress Istio Ingress Istio Egress Istio 1.4 Istio

Compromise Control Plane Service mesh security architecture Cluster Workload Edge Operations Ingress Policies Egress Policies WAF / IDS Firewall User AuthN/Z Data Loss Prevention Certificate Operation security Mesh security Edge Security Cluster security Service Proxy Ingress 1. Define ingress security policies to control accesses to services. Deploy web application firewall to security best practices Cluster security Access control Service Proxy Ingress Token exchange 1. Istio authentication and authorization policies for every service: mTLS to