certificates, provides workload identity, and includes a builtin authorization system facilitated by its control plane. The goal of the assessment was to identify security issues related to the Istio code base Istio (NOTE: Envoy itself was not part of the assessment). • Istio Control Plane: Istio operator, side car injector, and other Istio control plane services • Istio Documentation: The documentation and secu- fields that could allow route hijacking • In testing, it did not appear to be possible to secure the control plane either by the controlPlaneSecuri ty configuration directive or other means. This left all default

Shortcoming 1: Controlling the running order for containers Stabilizing Istio Kubernetes lacks good control APIs to customize the containers lifecycle in a pod. There is no official way to instruct a pod pods with multiple containers with HPA. ● Fixed in Kubernetes 1.20 by specifying a container resource as an HPA target ● In the meantime, we need to add the Istio sidecar into the HPA calculation Pod App container Container requests HPA configuration (70% CPU) metrics: - type: Resource resource: name: cpu target: type: Utilization averageUtilization: 70 Will

1 vulnerability found that affected Googles managed Istio offering 11 issues found ● 5 system resource exhaustion ● 1 arbitrary file write ● 1 missing file close ● 1 certificate skipping ● 1 case offers more advanced features to support A/B testing, canary deployments, rate limiting, access control, encryption and end-to-end authentication. Istio itself is implemented in Go which shields the project implementation issues in the Go programming language such as NULL-pointers, out-of-bounds, race conditions, resource exhaustion issues and other issues stemming from improper usage of the language. Istio consists

Hierarchy of control planes ● Global Control Plane ○ Users provide application specs to Global Control-Plane ○ Syncs specs to AZ control-planes ○ Hosts global services - Global IPAM, Access-control Policy Policy store, etc. ● AZ Control Plane ○ Syncs specs to workload K8s clusters in the AZ ○ Shared-Nothing Architecture ■ Hosts services catering to the AZ, e.g., AZ IPAM, Network Load-balancers, etc K8s Cluster K8s Cluster K8s Cluster K8s Cluster AZ Control Plane AZ Control Plane AZ Control Plane Global Control Plane Region Rn Delegate #IstioCon Load balancing & Traffic

with NIST ● Author SP 800-204 series on microservice security ● R&D on Next Generation Access Control (NGAC) ● Exclusively co-host annual zero trust multi-cloud conference Best in Class Team ● Creators operating an application Why is Istio? TSB: The Application-Aware Networking Platform Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload availability & resiliency enabling active-active deployments ● Cross cluster security policies & access control ● Unified telemetry and availability reporting ● Service discovery across multiple clusters ●

Different namespace • Project runs as tenant, need control rights Solution cluster connect core cluster with Istio multi-cluster - Replicated control planes Some standalone cluster without Istio can #IstioCon Secure Platform – Authorization Policy Using Authorization Policy enables access control on workloads in the mesh. For request from ingressgateway, need verify token For request from same filters, or even add entirely new listeners, clusters, etc. #IstioCon Wise Platform K8s custom resource definition HTTP filters Network filters UDP listener filters … Match outbound listeners in all

apply docker pull #IstioCon Fully Cloud docker push kubectl apply docker pull + No local resource utilization + Closely resembles production environments + Can test large scales - Slow, especially + Easy to setup bespoke clusters, including enabling alpha features and multicluster - Local resource utilization - Some overhead of Kubernetes and docker images - Attaching a debugger is not trivial StreamAggregatedResources + Fastest - bottleneck is typing speed + No envoy dependency + Complete control over requests - Very different from production environment - May be challenging to reproduce Istio

elimination of integration intermediary Integration expenses reduction Cloud oriented technology Control Plane Pod Service Pod Service SERVICE MESH Proxy Proxy sidecar sidecar Configuration for (#14516) 3. Istio Discovery overload (#25495) 3. Sidecar & ExportTo tuning is required 1. Resource consumption 2. Resource Mounts (#15517) 4. Tests on the production-size environment aren’t a waste of time

○ Release and Upgrade Notes ○ Release date slip ○ Release with known issues ○ Performance and resource usage ● Istio community didn’t have a process #IstioCon Led To ● Upgrade Working Group ● Release around Istio upgrades #IstioCon Upgrade Working Group - Stability ● Standards and processes ○ Control plane behavior ○ Data plane communication ● Promote revision-based upgrades to stable and support major ● Where to post announcements ● What to look for when examining releases ○ Performance ○ Resource usage ○ Open issues ○ Features being promoted ○ Release notes and upgrade notes #IstioCon Continuous

Exfiltration Man-In-The-Middle Denial of Service Privilege Escalation Application Compromise Control Plane Service mesh security architecture Cluster Workload Edge Operations Ingress Policies RBAC Audit Logging Image Verification Admission Control Workload Identity K8s RBAC K8s CNI AuthZ Policy Peer AuthN Policy KMS Control Plane Hardening Istio Security Releases Complete Security Cluster security Service Proxy Ingress 1. Define ingress security policies to control accesses to services. Deploy web application firewall to defend against DDoS, injection, remote