Istio Security Assessment
within Istio (NOTE: Envoy itself was not part of the assessment). • Istio Control Plane: Istio operator, side car injector, and other Istio control plane services • Istio Documentation: The documentation which matched areas of code with specific security controls (e.g. service discovery, certificate lifecycle, side car injection) to focus testing efforts. Istio does not currently have a reference design nt/sds/server.go#276 • istio/istio/security/pkg/nodeagent/util/util.go#71,#76,#81 • istio/istio/operator/pkg/helm/urlfetcher.go#113 • istio/istio/istioctl/cmd/sidecar-bootstrap.go Impact Malicious or
51 pages | 849.66 KB | 1 year ago
Istio Meetup China: Service Mesh Security, Understanding Istio CNI
张之晗, Tetrate engineer / Istio community Release Manager. Service mesh security: understanding Istio CNI. Istio Meetup China. About me: Istio 1.10 Release Manager, Istio Community, 2021-Present; GetMesh (GetIstio) core contributor, Istio Community. interface Calico Antrea Flannel Istio CNI CNI Daemonset Calico Antrea Flannel Istio CNI Networking lifecycle (Istio Init) Start istio init container in workload Istiod watch updates & start networking sidecar rule for proxy terminate init container Start workload with updated ip routing rules Networking lifecycle (Istio CNI) Kubelet Start a pausing pod Kubelet invoke CNI plugins CNI plugins setup ip for pod
19 pages | 3.17 MB | 1 year ago
Service mesh security best practices: from implementation to verification
Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture ● Attack vectors. ● Service security Operation security 3. Monitor audit log. 3 Lifecycle of service mesh security and demo Secure Monitor Enforce Verify Security Lifecycle Concepts Secure Monitor Enforce Verify Deploy comprehensive tampered. Verify that the security mechanisms are working as expected. Monitor security status. Lifecycle of service mesh security Edge Cluster Workload Operation GitOps Gatekeeper RBAC Audit log
29 pages | 1.77 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
proxy specifications ● Kubernetes shortcomings with sidecar containers ○ Controlling containers lifecycle ○ Autoscaling pods with sidecar containers ● Are you prepared to handle Istio? ● A full mesh for containers Stabilizing Istio Kubernetes lacks good control APIs to customize the containers lifecycle in a pod. There is no official way to instruct a pod to: 1. Start the sidecar container first container is stopped However, we can wrap a pod lifecycle using container lifecycle hooks to achieve our goal. 16 Workaround: Use postStart and preStop lifecycle hooks Stabilizing Istio 1. Ensure that Envoy
69 pages | 1.58 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
io Didier Grelin Sr. Technical Program Manager dgrelin@google.com Ethan Jackson Staff Engineer jethan@google.com Francis Zhou Senior Technical Program Manager francisz@google.com Greg Hanson Software jdpettit@google.com Lei Tang Technical Lead leitang@google.com Neelima Balakrishnan Software Engineering Manager neelimabk@google.com Shankar Ganesan Software Engineer shankgan@google.com OSTIF 4 Istio Security However, we found that some less exposed parts of Istio had several issues. In particular, the Istio Operator was found to have multiple security and reliability issues. This is already well known to the Istio
55 pages | 703.94 KB | 1 year ago
Developing & Debugging WebAssembly Filters
SECURITY Technology User Experience 11 | Copyright © 2020 Web Assembly lifecycle 12 | Copyright © 2020 Build > meshctl wasm init addheader-filter --language rust > meshctl wasm debug Wasm into Istio service mesh Wasm Registry Multi-cluster management, orchestration of Wasm lifecycle 22 | Copyright © 2020 • https://solo.io • https://solo.io/blog • https://slack.solo.io • https://gloo
22 pages | 2.22 MB | 1 year ago
Automate mTLS communication with GoPay partners with Istio
TLS Centralized Certificate Management ● Central certificate management manage our certificate lifecycle for HTTPS and mutual TLS communication. ● Renew & sync to our Kubernetes cluster, also support
16 pages | 1.45 MB | 1 year ago
Using Istio to Build the Next 5G Platform
(mTLS) Option to encrypt intra-CNF traffic via mTLS Autonomous PKI service for certificate lifecycle management at scale What Do You Get From Istio? Traffic Management Powerful Layer 7 (HTTP/2)
18 pages | 3.79 MB | 1 year ago
SberBank story: moving Istio from PoC to production
Istio Egress Istio 1.4 Istio 1.4 Service Mesh Operator Istio Ingress Istio Egress Istio Ingress Istio Egress Istio 1.4 Istio 1.4 Service Mesh Operator we are here TROUBLE SHOOTING January 2019 Istio Egress Istio 1.6 Istio 1.6 Service Mesh Operator Istio Ingress Istio Egress Istio Ingress Istio Egress Istio 1.6 Istio 1.6 Service Mesh Operator Lessons Learned 1. Init containers maybe not
14 pages | 1.68 MB | 1 year ago
Istio Project Update
and transformation with users in mind #IstioCon Developer (service owner) Platform owner Mesh operator (could be your cloud provider) 3 Key Personas install verify-install upgrade Istio simplify install
22 pages | 1.10 MB | 1 year ago
17 items in total