Istio Security Assessment
namespace / control plane. As mentioned in finding NCC-GOIST2005-002 on page 13, there are debug interfaces exposed that cannot be disabled by Istio, so that even when all the security features are enabled series of iptables rules to force redirection of outgoing and incoming traffic into the appropriate interfaces of the sidecar proxy. However, this operation requires the CAP_NET_ADMIN and CAP_NET_RAW capabilities capabilities. This presents a significant risk as such capabilities can be abused to reconfigure interfaces and firewall rules, and inject crafted packets into the network, which can enable an attacker to
0 码力 | 51 pages | 849.66 KB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Logging & Tracing - Prometheus, ClickHouse, etc. ○ Messaging systems - Kafka, RabbitMQ, etc. ○ Programming Languages - Java, Python, Go lang, Scala, etc. ● Running on variety of Hardware ○ General-purpose
0 码力 | 22 pages | 505.96 KB | 1 year ago

Istio is a long wild river: how to navigate it safely
not decreasing it. 66 Abstracting Istio Adopting Istio The same way as we build libraries and interfaces to improve productivity, we need to build proper abstractions to maximize the added value of Istio
0 码力 | 69 pages | 1.58 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
buffer overflow in Envoy. Istio is vulnerable to other types of implementation issues in the Go programming language such as NULL-pointers, out-of-bounds, race conditions, resource exhaustion issues and
0 码力 | 55 pages | 703.94 KB | 1 year ago