Istio audit report - ADA Logics - 2023-01-30 - v1.0: Istio Security Audit, 2023 Audit scope The following assets were in scope of the audit. Istio main repository Repository https://github.com/istio/istio Language Golang Istio API definitions Repository exploited. Copy the file contents to a main.go file and run it with go run main.go. Careful: This will overwrite files on the system. package main import ( "archive/tar" "bytes" "compress/gzip" NewWriter(maliciousBytes) w.Write(gzw.Bytes()) w.Close() return bytes.NewReader(maliciousBytes.Bytes()) } func main() { maliciousGzip := createMaliciousGzip() // Below is a minimized version of https://github.c | 55 pages | 703.94 KB | 1 year ago
Istio Security Assessment: Identifier NCC-GOIST2005-002 Category Data Exposure Component Pilot Location pilot/cmd/pilot-discovery/main.go Impact The debug interface provides unauthenticated users with a wide range of information about runs go trace profiling tools5 on the pilot binary itself which contains stack, heap, and other process information about Pilot. This has a risk of containing certificates, keys, and secrets used by Pilot http://istiod.istio-system.svc.cluster.local:15014/debug/pprof • /istio/istio/pilot/cmd/pilot-discovery/main.go Impact Trace profiling risks providing attackers with information about the processes, memory | 51 pages | 849.66 KB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio: Istio scalability optimization during Knative Service provisioning [Istio 1.6.5&1.7.0] There're two main issues o ingress_ready has random peak values o ingress_ready bumped to ~=800 seconds with 500+ Knative Knative benchmark tool helps everyone to understand the issue and accelerate the whole debug and fix process: https://github.com/knative-sandbox/kperf ● Get Istio CPU/MEM stats: https://github.com/istio/i | 23 pages | 2.51 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?: ○ health/readiness check #IstioCon V1.7 VM Support with Added Security ● Secure bootstrapping process ○ Automate provisioning a VM's mesh identity (certificate) ■ based on a platform-specific identity RDMA (Remote Direct Memory Access) ● Advanced transport protocol (same layer as TCP and UDP) ● Main features ○ Remote memory r/w semantics in addition to send/receive ○ Kernel bypass / direct user | 50 pages | 2.19 MB | 1 year ago
Observability and Istio Telemetry: implementor Observe on mesh Metric from Service Mesh by native supported Power of out of process adaptor Bypass adaptor Adaptor In process Bypass adaptor SkyWalking backend Tracing Metric Receiver in gRPC/HTTP pods in Kubernetes, it doesn't need to be a single process in OS. Also if you are using instrument agents, an instance is actually a real process in OS. • Endpoint. It is a path in the certain service | 21 pages | 5.29 MB | 6 months ago
Set Sail for a Ship-Shape Istio Release: ○ Release with known issues ○ Performance and resource usage ● Istio community didn't have a process #IstioCon Led To ● Upgrade Working Group ● Release Note Generation ● Definition of Done #IstioCon checklists and continuous feedback So Far… ● Release Notes tooling ● Feature Maturity Process ● Release Maturity Process #IstioCon Old System Expectation: Maintainers would populate a Google docs draft what's being changed. ● Release notes and upgrade notes are no longer easily forgotten. ● The process has gone from weeks to hours for major releases and hours to minutes for patch releases. Better | 18 pages | 199.43 KB | 1 year ago
IstioCon 2021 Partner Packages: the Roadmap session. It is used to explain a process. ● Sponsored by Google (Example from Wikimedia movement 2030 strategy) Graphic recording Process and implementation Coordination and support | 23 pages | 3.18 MB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices: to identify problems Iterate • Fix bugs • Repeat Testing starts late in the API development process. That's not good!! | CONFIDENTIAL Start testing earlier Create and maintain a balanced test Third-party apps Manual QA trace: r trace: r trace: r trace: r CI Pipeline Process flow using Istio Deploy Lua filters (kubectl apply -f- ) Capture traces for E2E test | 21 pages | 1.09 MB | 1 year ago
Analysis of Istio Control Plane Component Principles: Startup parameter documentation; hot restart; an Envoy hot restart involves the following steps • Pilot-Agent is only responsible for starting S; the remaining steps are done by Envoy. • 1. Start another S process (Secondary process) • 2. S notifies P (Primary process) to close the ports it manages, and S takes them over • 3. S loads its configuration and begins binding listen sockets, during which it uses UDS to obtain the appropriate listen sockets from P • 4. | 30 pages | 9.28 MB | 6 months ago
Istio is a long wild river: how to navigate it safely: shipping options. 5 6 ● 200+ microservices (200+ namespaces) ● 100K RPS at peak on API Gateway ● 1 main production Google Kubernetes Engine (GKE) cluster ● 12k+ pods ● 750+ nodes Istio at Mercari 7 in the second part of the presentation. 28 Are you prepared to handle Istio? Stabilizing Istio Main time consumers with Istio: 1. Troubleshooting 2. Spreading adoption 3. Supporting new features With sidecar CRD Istiod average CPU usage 37 The Sidecar CRD to save the mesh Stabilizing Istio Main drawback Services must know their dependencies, document and update them. If this wasn't the case | 69 pages | 1.58 MB | 1 year ago
15 results in total