Istio Security Assessment
Kubernetes clusters. • Istio Pilot: The service running within the istiod service that handles service discovery. • Istio Ingress/Egress: Networking controls allowing inbound and outbound access of Istio services within Istio (NOTE: Envoy itself was not part of the assessment). • Istio Control Plane: Istio operator, side car injector, and other Istio control plane services • Istio Documentation: The documentation test plan was created which matched areas of code with specific security controls (e.g. service discovery, certificate lifecycle, side car injection) to focus testing efforts. Istio does not currently have
51 pages | 849.66 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
However, we found that some less exposed parts of Istio had several issues. In particular, the Istio Operator was found to have multiple security and reliability issues. This is already well known to the Istio https://istio.io/latest/docs/setup/install/operator/ It was also stated by the Istio maintainers throughout the audit that the Operator was known to be under-maintained in terms of security. Nevertheless, the operator has not been fully deprecated and is likely used in production by the community which makes some users prone to security issues. Furthermore, successful cyber
55 pages | 703.94 KB | 1 year ago
Istio 2021 Roadmap: A heartwarming work of staggering predictability
Engineer, Google) #IstioCon Highlights of 2020 ● Better life cycle management ○ Istioctl install & Operator support ● Architectural simplification ○ Monolith control plane ○ Mixerless telemetry ● New capabilities ○ WebAssembly (Wasm) support ● Secure by default ○ Secret Discovery Service (SDS) ○ Auto mTLS ● API and feature promotion ○ Networking/Security APIs ○ Virtual Machine expansion/Multi production adoption of Istio ● Stable core ○ Current Istio functionality meets user needs ○ Measured feature introduction ● Reducing operational overhead ○ Maintenance ○ Upgrades ○ Debugging https://istio
17 pages | 633.89 KB | 1 year ago
SberBank story: moving Istio from PoC to production
Istio Egress Istio 1.4 Istio 1.4 Service Mesh Operator Istio Ingress Istio Egress Istio Ingress Istio Egress Istio 1.4 Istio 1.4 Service Mesh Operator we are here TROUBLE SHOOTING January 2019 Istio Egress Istio 1.6 Istio 1.6 Service Mesh Operator Istio Ingress Istio Egress Istio Ingress Istio Egress Istio 1.6 Istio 1.6 Service Mesh Operator Lessons Learned 1. Init containers maybe not secrets rotation 1. Hot restarts for TCP-traffic 2. Root certificate reissue (#14516) 3. Istio Discovery overload (#25495) 3. Sidecar & ExportTo tuning is required 1. Resource consumption 2. Resource
14 pages | 1.68 MB | 1 year ago
Istio Project Update
Platform owner Mesh operator (could be your cloud provider) 3 Key Personas install verify-install upgrade Istio simplify install helm3 #IstioCon Pilot Mixer Citadel Node Agent Injector Galley Galley istio-system Node Pod Sidecar Pilot Agent Ingress Egress Istio Single Cluster Simplified #IstioCon Service Proxy Authentication Authorization Telemetry Extensibility New Extension Model You Are Innovating Too Fast! #IstioCon Istio Feature Process Tracked at the Istio enhancements repository Checklist and approval required for feature promotions: Experimental->Alpha->Beta->Stable
22 pages | 1.10 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
Basic schedule unit Pod WorkloadEntry Component Deployment WorkloadGroup Service registry and discovery Service ServiceEntry K8s Pods labels: app: foo class: pod ServiceEntry selector: app: foo Istio CNF: Option 3 ● Further performance concerns #IstioCon End-to-end Key Protection ● SDS (Secret Discovery Service) ● A stricter security model ○ Protections for inline components & workflows ○ Trust Leverage eBPF ● Target Pod/VMs on the same node ● Use case: edge computing ○ Limited number of nodes ○ More traffic across Pod/VMs on the same node #IstioCon QUIC ● A new transport protocol
50 pages | 2.19 MB | 1 year ago
Using ECC Workload Certificates (pilot-agent environmental variables)
restriction that a plugged in CA certificate must use ECC cryptography (using ECDSA P-256) to use this feature ● Only ECDSA P-256 is supported #IstioCon pilot-agent environmental variables Disclaimer: Environmental values-overrides.yaml Install using helm install istiod manifests/charts/istio-control/istio-discovery \ -n istio-system --values values-overrides.yaml meshConfig: defaultConfig: proxyMetadata: Alpha feature ○ There will be a migration path and environmental variables as used in this talk will continue to be supported through at least 1.10 to allow users to migrate towards this feature #IstioCon
9 pages | 376.10 KB | 1 year ago
Canary Release Practice for Kubernetes Container Applications Based on Istio
to connect, manage, and secure microservices. The Istio project. Istio from a microservices perspective: evolution of governance models. Node 1 svc1 own business logic SDK Sidecar service governance Node 2 svc 2 own business logic SDK Sidecar service governance communication basics service discovery load balancing circuit breaking / fault tolerance dynamic routing … for (encapsulation++) { application intrusiveness--; application intrusiveness--; governance location--; } Istio from a microservices perspective: service mesh; service mesh control plane. Istio from the infrastructure (Kubernetes) perspective: service access. Node svca svcc svcb.ns svcc.ns svcb svcd svce svce.ns svcd.ns svcd.ns Kube-proxy Kube-APIServer ServiceIp Backend Istio & Kubernetes: architecture integration. Kube-APIServer Etcd istioctl / kubectl Pilot Envoy SVC Pod Node Envoy SVC Pod Node Envoy SVC Pod list/watch (Service, Endpoints, Pod) user. Istio & Kubernetes: unified service discovery
38 pages | 14.93 MB | 1 year ago
Canary Release Practice for Kubernetes Container Applications Based on Istio
connect, manage, and secure microservices. The Istio project. Istio from a microservices perspective: evolution of governance models. Node 1 svc1 own business logic SDK Sidecar service governance Node 2 svc 2 own business logic SDK Sidecar service governance communication basics service discovery load balancing circuit breaking / fault tolerance dynamic routing … for (encapsulation++) { application intrusiveness--; application intrusiveness--; governance location--; } Istio from a microservices perspective: service mesh; service mesh control plane. Istio from the infrastructure (Kubernetes) perspective: service access. Node svca svcc svcb.ns svcc.ns svcb svcd svce svce.ns svcd.ns svcd.ns Kube-proxy Kube-APIServer ServiceIp Istio & Kubernetes: architecture integration. Kube-APIServer Etcd istioctl / kubectl Pilot Envoy SVC Pod Node Envoy SVC Pod Node Envoy SVC Pod list/watch (Service, Endpoints, Pod) user. Istio & Kubernetes: unified service discovery
34 pages | 2.64 MB | 6 months ago
Istio is a long wild river: how to navigate it safely
to buying and selling, users actively communicate through the buyer/seller chat and the “Like” feature. The Mercari app is a C2C marketplace where individuals can easily sell used items. We want to service definition to generate Sidecar ● Use protocol specific traffic sniffing (i.e. gRPC call discovery) to find out dependencies ● eBPF magic to get service calls? We use the first approach currently abstractions to maximize the added value of Istio to our users: ● Automating the onboarding ● Making a feature fully automated and managed It improves by a lot: ● The user experience for developing services
69 pages | 1.58 MB | 1 year ago