SberBank story: moving Istio from PoC to production
SberBank story: moving Istio from PoC to production Igor Gustomyasov, Sber Maksim Chudnovskii, IBM Sber position across key areas Best client experience Technological leadership In financial services
0 credits | 14 pages | 1.68 MB | 1 year ago

Service mesh security best practices: from implementation to verification
Anthony Roman, Lei Tang Google April 26, 2022 Service mesh security best practices: from implementation to verification Who are we? Anthony Roman Istio Github: anthony-roman Lei Tang Istio
0 credits | 29 pages | 1.77 MB | 1 year ago

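Exploring and practicing Istio-based microservice governance event monitoring
when to invoke a specific Handler Plugin compilation and image packaging Plugin compilation CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -o eventadapter Dockerfile for building the image FROM scratch ADD eventadapter /usr/bin/eventadapter ENTRYPOINT ['
0 credits | 29 pages | 8.37 MB | 6 months ago
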
Istio-redirector: the way to go to manage thousands of HTTP redirections
HTTP redirections Etienne Fontaine (@etifontaine) #IstioCon Istio-redirector 301-redirection from /bus/routes/bruxelles/lille to /bus/routes/bruxelles-1/lille-3 Why do we need redirections? BEFORE see an error page Happy SEO specialist: My new URLs get SEO popularity from the old ones and I don’t have to start from scratch New URLs are shown in the Search Engine Results #IstioCon Our tool to ease the transition from a .csv file to an Istio VirtualService file. ● Golang service ○ Convert .csv to VirtualService ○ Open Pull Request on Github ○ Fetch info from Kubernetes cluster ○ Expose
0 credits | 13 pages | 1.07 MB | 1 year ago

Istio Security Assessment
c51fe751a17441b5ab3f5487c37e129e44eec823 istio/istio.io Istio documentation and security guidelines from the master branch up to July 15th, 2020. Commit: 26dacdde40968a37ba9eaa864d40e45051ec5448 Finding had a storied past. This feature was originally intended to enforce that all communications to and from the control plane be secured by the service mesh, mTLS, and in particular, no plaintext communication “controlPlaneAuth Policy: MUTUAL_TLS” did not appear to have any effect on preventing a Pod not managed by Istio from accessing Istio’s debug interface. Reproduction Steps • Modify the default policy mesh config map
0 credits | 51 pages | 849.66 KB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
Machine Really Ready-to-go with Istio? Kailun Qin, Intel Haoyuan Ge #IstioCon Quick Summary (from Google Cloud Next ’19 [1]) VM works on Istio! [1] Istio Service Mesh for VM Native, Chris Crall known security controls ■ Better isolation (of resources, fault domains etc.) ■ Compatibility (non-Linux, unikernels) ○ Business reasons ■ Legacy applications ■ Deterministic workloads with strong requirements services ○ Enterprise/Workshop applications ○ Hard to lift and shift ● Packaged software ○ Non-Linux ○ unikernels ● Domain specific workloads ○ Network Functions (NFV) #IstioCon Hybrid and Multi
0 credits | 50 pages | 2.19 MB | 1 year ago

Istio is a long wild river: how to navigate it safely
more the better) ● A good in-house knowledge of networking : Linux, Kubernetes and Envoy ● Be patient and resisting the temptations from users to open features too early ● Mechanisms to improve the doesn’t scale Istio-enabled pods well ○ Use ContainerResource to fix HPA on the application container (From K8S 1.20) ○ Otherwise, add the Sidecar proxy CPU usage into calculation for HPA scale target. ● of Istio Adopting Istio 43 Adoption challenges Adopting Istio ● Moving HTTP/2 load-balancing from client-side to Envoy ● Label selector updates for app and version labels ● Istio default retry policy
0 credits | 69 pages | 1.58 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
scope 6 Overall assessment 7 Fuzzing 9 Threat model 11 Issues found 17 Review of fixes for issues from previous audit 50 Istio SLSA compliance 52 1 Istio Security Audit, 2023 Executive summary In out a manual code audit for security issues. 3. Review the fixes for the issues found in an audit from 2020. 4. Review and improve Istio's fuzzing suite. 5. Perform a SLSA review of Istio. The audit was the request body was not fully consumed, meaning that when a server attempts to read HTTP2 frames from the connection it will instead be reading the body. As such, the MaxBytesHandler introduces an http
0 credits | 55 pages | 703.94 KB | 1 year ago

IstioCon 2021 Report
Where did people join from? Where did people join from? 0.5% from Africa 43.5% from North America 26.5% from Europe 23% from Asia 5% from South America 1.5% from Oceania Participant demographics Keynote Lightning talks China Secure your microservices with Istio step by step Best practice: from Spring Cloud to Istio Preserve original source address within Istio Performance tuning and to use Istio after attending the conference. “It was an amazing event in every way of that! From the speakers and presentations, to the hosts, community, activities, gifts, online gathering platform
0 credits | 18 pages | 912.89 KB | 1 year ago

Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
and create tests from the data – 10x speed in creating API tests • Can also be sped up by just navigating the application UI – Create E2E tests, component tests and service tests from the same data Reduced eng effort for testing, velocity) – Early testing of services components auto-generated from end-to-end tests – Significantly reduced time and cost for API testing for microservices architectures Terminology Component testing Test a set of services as a single sub-system while isolating them from other services, for example payment processing system | CONFIDENTIAL 5 Current approaches do
0 credits | 21 pages | 1.09 MB | 1 year ago













