Automate mTLS communication with GoPay partners with Istio
Gojek. Agenda ● GoPay & Istio ● Before mutual TLS ● Implementing mutual TLS ○ Centralized Certificate Management ○ Ingress mutual TLS ○ Egress mutual TLS ● Challenge & Future Works … GoPay & Istio … EnvoyFilters into Istio. ● Istio has abstraction concepts that make managing things easier. … Before Mutual TLS? HTTPS + Allowlisting. Our previous setup used HTTPS with allowlisting to only allow specific … by all services) … Implementing Mutual TLS: Centralized Certificate Management ● Central certificate management manages our certificate lifecycle for HTTPS and mutual TLS communication. ● Renew & sync …
0 码力 | 16 pages | 1.45 MB | 1 year ago

Secure your microservices with Istio step by step
… request: can access reviews-v1; reviews-v3 cannot access reviews-v2 since we have enabled ISTIO_MUTUAL mode on the client side. Access productpage. 1) Apply destination rule to enable client-side mTLS … mTLS to services outside of the mesh ● ISTIO_MUTUAL: originate TLS with the Istio cert ● SIMPLE/MUTUAL: originate TLS with the cert you specified; common if you want TLS with a service outside the mesh … apiVersion: DestinationRule metadata: name: reviews spec: host: reviews trafficPolicy: tls: mode: ISTIO_MUTUAL … 1) Generate client and server certificates and keys 2) Create a secret for the ingress …
0 码力 | 34 pages | 67.93 MB | 1 year ago

Istio Security Assessment
… technology stack often used within Kubernetes clusters to provide service-to-service communication, manages TLS certificates, provides workload identity, and includes a built-in authorization system facilitated by … exposed via its control plane and should enforce that all network communications use mTLS (or at minimum, TLS) for communications within the istio-system namespace / control plane. As mentioned in finding NCC- … to restrict a Pod's access to them. Attempts to modify the settings to "controlPlaneAuthPolicy: MUTUAL_TLS" did not appear to have any effect on preventing a Pod not managed by Istio from accessing Istio's …
0 码力 | 51 pages | 849.66 KB | 1 year ago

How HP set up a secure and wise platform with Istio
… as tenant. HP Horizon Platform Connect With Istio #IstioCon Secure Platform • JWT Verify • Mutual TLS • Authorization Policy • Envoy External Authorization #IstioCon Secure Platform #IstioCon … request authentication policy to verify end-user JWT easily #IstioCon Secure Platform – mutual TLS. Using mutual TLS for service-to-service authentication. • When a service receives or sends network traffic …
0 码力 | 23 pages | 1.18 MB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
… policies on ■ hardware firewalls, bare metals, legacy OpenStack, etc. ● Transport Layer Security (TLS) ● Custom OpenID implementation for L7 AuthN #IstioCon Why Service Mesh? ● Current challenges include … Enforcement ■ Updating hardware devices is slow ○ Achieving micro-segmentation at scale ○ Enabling TLS for all applications in a consistent way ● Service Mesh ○ An architectural pattern to implement common … Observability, Service Routing & Discovery functions as features of the infrastructure ○ Functions: TLS Termination, Traffic Management, Tracing, Rate Limiting, Protocol Adapter, Circuit breaker, Caching …
0 码力 | 22 pages | 505.96 KB | 1 year ago

Using Istio to Build the Next 5G Platform
… Trust: Strong identity for users, workloads, devices, etc. Encrypting inter-CNF traffic via mutual TLS (mTLS). Option to encrypt intra-CNF traffic via mTLS. Autonomous PKI service for certificate … Intermediate CA ● Enable ECC certificates ● Configure workload certificate TTLs ● Enable strict mutual TLS (mTLS) instead of auto ● Use dedicated egress gateways. Tuning Istio to Meet 5G Security Requirements …
0 码力 | 18 pages | 3.79 MB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
… local weight: 90. Knative Service Inspection #IstioCon - Security with Service Mesh enabled • mutual TLS is enabled to secure the user application traffic end to end in production • Allow platform to …
0 码力 | 23 pages | 2.51 MB | 1 year ago

Introduction to Envoy Internals and Production Pitfalls
… ic. Thanks to its high performance and extensibility, Envoy is currently far ahead in the data plane. • iptables routes all inbound and outbound application traffic between Pods through the Envoy proxy, fully transparently to the application. The main commonly used network protocols are supported: HTTP/1, HTTP/2, TLS, gRPC, TCP, etc. Copyright © Huawei Technologies Co., Ltd. All rights reserved. Page 6. Envoy internals and overall architecture: startup. Envoy startup configuration and xDS … (diagram labels:) listener, router, upstream pool, Envoy cluster, istiod, pilot-agent, LDS, RDS, CDS, EDS, TLS certificate management, SDS, CSR certificate creation, stat, tracing, supports scraping or active push, monitoring system, filter, filter, connection, connection; xDS: description, mode, request path; LDS: listener configuration, POST /envoy … Inter-thread communication sends tasks through the post interface; the task is activated by a timer event. • 3. Inter-thread data exchange updates TLS (thread-local storage) via post, so the code inside each thread needs no locking. • 4. Each thread's TLS object holds only a shared pointer to the real object for read access, reducing memory consumption. • 5. Global objects are updated only on the main thread, which notifies worker threads to swap pointers copy-on-write (COW). • Each TLS slot is allocated via allocateSlot; before use, set creates and stores a copy in each thread.
0 码力 | 30 pages | 2.67 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
… advantages of using Istio is that it offers a series of security features related to identity, policies, TLS encryption, authentication, authorization and internal auditing to enhance the security in the mesh … (code excerpt:) import ( "bytes" "context" "crypto/tls" "fmt" "io" "log" "net/http" "os" "os/signal" "time" byteSize "github.com/inhies/go-bytesize" "istio … Second } transport := http.DefaultTransport.(*http.Transport).Clone() transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} return &HTTPFetcher{ client: &http.Client{ Timeout: requestTimeout …
0 码力 | 55 pages | 703.94 KB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
… Impersonating ■ Secret clear in memory ■ Secret persistence ● Key protection ○ Private key for TLS ○ Signing key ○ … #IstioCon Performance Limitations ● Some not just limited to VMs, but ○ need … across Pod/VMs on the same node #IstioCon QUIC ● A new transport protocol ● A little like TCP + TLS, but built on top of UDP ○ Uses UDP like TCP uses IP ○ Adds connections, resends and flow control …
0 码力 | 50 pages | 2.19 MB | 1 year ago

12 results in total
- 1
- 2