Istio audit report - ADA Logics - 2023-01-30 - v1.0
… requests made on an h2c connection, which could lead to a denial of service scenario if a large request was sent. This is a vulnerability; however, to be vulnerable, users would need the MultiplexHTTP H2c requests, which is: "The first request on an h2c connection is read entirely into memory before the Handler is called. To limit the memory consumed by this request, wrap the result of NewHandler in an http.MaxBytesHandler." John found that when the recommended MaxBytesHandler was used, the request body was not fully consumed, meaning that when a server attempts to read HTTP2 frames from the connection …
55 pages | 703.94 KB | 1 year ago
Istio-redirector: the way to go to manage thousands of HTTP redirections
… file to an Istio VirtualService file. ● Golang service ○ Convert .csv to VirtualService ○ Open Pull Request on GitHub ○ Fetch info from Kubernetes cluster ○ Expose an API to be used with REST or a CLI … csv files and generates the Istio VirtualService files. Then, it automatically creates the Pull Request on GitHub on our GitOps repo. How does it work? #IstioCon Creating the .csv Importing …
13 pages | 1.07 MB | 1 year ago
Set Sail for a Ship-Shape Istio Release
… maintainers whether a pull request has user-facing changes. ● If it does, the developer can easily add a release note. ● If it doesn't, then the developer can check a box and the pull request will merge.
18 pages | 199.43 KB | 1 year ago
5 tips for your first Istio.io Contribution
… not ever hesitate to ask a question or send a PR." https://github.com/istio/istio/wiki/Reviewing-Pull-Requests #IstioCon Learn: Istio is a complex project, and Istio.io is the perfect place to start … for creating tests ● Sample page with a test ● make test_status ● make snips #IstioCon The Pull Request Process ● Viewing changes as if they were live ● Linter is pretty specific ● Don't forget …
14 pages | 717.74 KB | 1 year ago
Local Istio Development
… Google #IstioCon Fully Cloud: docker push, kubectl apply, docker pull #IstioCon Fully Cloud: docker push, kubectl apply, docker pull + No local resource utilization + Closely resembles production environments … docker push, kubectl apply, docker pull: Local Kubernetes, Local Registry #IstioCon Local Machine, Local Cluster + Registry: docker push, kubectl apply, docker pull: Local Kubernetes, Local Registry …
16 pages | 424.31 KB | 1 year ago
Secure your microservices with Istio step by step
… Access productpage #IstioCon Istio Identity: Istiod, Istio Agent, Envoy. 1. Start Envoy 2. Request Cert (SDS) 3. CSR Auth: JWT 4. Cert signed with SPIFFE format. Istio-proxy, CA server #IstioCon … server side mTLS. mTLS in Istio - PeerAuthentication: Using ingress port and ingress host to send request: can access reviews-v1, reviews-v2 and reviews-v3; can reach v2 as peer-authentication only defines … client side mTLS. mTLS in Istio - Destination rule: Using ingress port and ingress host to send request: can access reviews-v1, reviews-v3; cannot access reviews-v2 since we have enabled ISTIO_MUTUAL …
34 pages | 67.93 MB | 1 year ago
Your laptop as part of the service mesh
… #IstioCon EnvoyFilter #IstioCon Envoy HTTP LuaFilter: function envoy_on_request(request_handle) / function envoy_on_response(request_handle) #IstioCon Who and where to reroute? #IstioCon The contract … 12:8001" } Accept: */* #IstioCon Pseudo implementation: function envoy_on_request(request_handle) contract = request_handle:headers():get("x-devroute") if string.match(contract, "foo") == nil … contract match: address = contract["foo"] headers = request_handle:headers() -- send the request somewhere else response = request_handle:httpCall(address, headers, ..) -- respond immediately …
30 pages | 555.24 KB | 1 year ago
Istio Security Assessment
… Security Related Documentation; 016 High: Lack of VirtualService Gateway Field Validation Enables Request Hijacking; 017 High: Ingress Gateway Configuration Generation Enables Route Hijacking; 023 High: Pilot … Google / NCC Group Confidential. Finding: Lack of VirtualService Gateway Field Validation Enables Request Hijacking. Risk: High (Impact: High, Exploitability: Medium). Identifier: NCC-GOIST2005-017. Category … running programs. It could be used to target other services or potentially in a DoS attack if a large request is made repeatedly. Description: Pilot runs in the "istiod" Deployment within the Istio control …
51 pages | 849.66 KB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
… types of tests with low effort. What we need: End-to-end, Component, Service | CONFIDENTIAL REQUEST, RESPONSE, API MOCKS, ASSERTION RULES, CONTEXT RULES … Test Driver, TEST ENVIRONMENT … Capture using Lua filter: All API data + TraceIDs | CONFIDENTIAL Assemble API request traces: Service A Proxy, Proxy Service B, Service C Proxy; req[A->B], trace:r, span:s1; res[A … req[B->C] Construct request trace | CONFIDENTIAL At this point, we have: • Full trace of every request from the gateway • Complete request and response data for every API request in a trace From …
21 pages | 1.09 MB | 1 year ago
How HP set up secure and wise platform with Istio
… External Authorization #IstioCon Secure Platform #IstioCon Secure Platform – JWT Verify: Using request authentication policy to verify end-user JWT easily #IstioCon Secure Platform – mutual TLS: Using … enables access control on workloads in the mesh. For requests from the ingress gateway, the token must be verified; requests from the same tenant are allowed; requests from another tenant are not allowed #IstioCon Secure Platform …
23 pages | 1.18 MB | 1 year ago
22 results in total