Istio audit report - ADA Logics - 2023-01-30 - v1.0
… read into memory. Case 1 A general Get function that makes an http request and reads the entire response into memory: https://github.com/istio/istio/blob/ed2de8c50dab2b10bdd165a2bdb2349d6d0eaeb6/ope r 103 104 105 // Fetch downloads a wasm module with HTTP get. func (f *HTTPFetcher) Fetch(ctx context.Context, url string, allowInsecure bool) ([]byte, error) { c := f.client if allowInsecure { c = f.insecureClient wasmLog.Debugf("wasm module download request failed: %v", err) if ctx.Err() != nil { // If there is context timeout, exit this loop. return nil, fmt.Errorf("wasm module download failed after %v attempts, …
0 码力 | 55 pages | 703.94 KB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
… effort 7 What we need… End-to-end Component Service | CONFIDENTIAL REQUEST RESPONSE API MOCKS ASSERTION RULES CONTEXT RULES … … … … … … Test Driver TEST ENVIRONMENT Derive different types of At this point, we have: • Full trace of every request from the gateway • Complete request and response data for every API request in a trace From this data, we can: • Drive test requests to any of On-demand configuration to test any component/service | CONFIDENTIAL REQUEST RESPONSE API MOCKS ASSERTION RULES CONTEXT RULES … … … … … … Test Driver TEST ENVIRONMENT Derive different types of …
0 码力 | 21 pages | 1.09 MB | 1 year ago
Istio Security Assessment
… mergeGateways methods and the sortConfigByCreationTime function within istio/pilot/pkg/model/push_context.go Impact An attacker that is able to create an Istio Gateway within a Kubernetes cluster can intercept oxy.ConfigNamespace] } else { configs = ps.allGateways } Listing 1: istio/pilot/pkg/model/push_context.go Recommendation While this issue can likely be remediated by using per-namespace ingress gateways Component Pilot Location The applyTrafficPolicy, applyUpstreamTLSSettings, and buildUpstreamClusterTLS Context functions within istio/pilot/pkg/networking/core/v1alpha3/cluster.go Impact An attacker that is …
0 码力 | 51 pages | 849.66 KB | 1 year ago
Your laptop as part of the service mesh
… #IstioCon Envoy HTTP LuaFilter function envoy_on_request(request_handle) function envoy_on_response(request_handle) #IstioCon Who and where to reroute ? #IstioCon The contract GET / HTTP/1 somewhere else 10 response = request_handle:httpCall(address,headers,..) 11 -- respond immediately and don’t proxy to original Foo 12 request_handle:respond(response) 13 end #IstioCon Ouch …
0 码力 | 30 pages | 555.24 KB | 1 year ago
Practice of Gray (Canary) Release for Kubernetes Container Applications Based on Istio
… io/v1alpha2" kind: metric metadata: name: requestduration namespace: istio-system spec: value: response.duration | "0ms" dimensions: source_service: source.service | "unknown" source_version: source destination.service | "unknown" destination_version: destination.labels["version"] | "unknown" response_code: response.code | 200 Istio & Kubernetes: Summary For cloud-native applications, using Kubernetes to build microservice deployment and cluster management capabilities, and Istio to build service governance capabilities, will gradually become the standard configuration for application microservice transformation.
0 码力 | 38 pages | 14.93 MB | 1 year ago
Practice of Gray (Canary) Release for Kubernetes Container Applications Based on Istio
… io/v1alpha2" kind: metric metadata: name: requestduration namespace: istio-system spec: value: response.duration | "0ms" dimensions: source_service: source.service | "unknown" source_version: source destination.service | "unknown" destination_version: destination.labels["version"] | "unknown" response_code: response.code | 20015 Istio & Kubernetes: Summary For cloud-native applications, using Kubernetes to build microservice deployment and cluster management capabilities, and Istio to build service governance capabilities …
0 码力 | 34 pages | 2.64 MB | 6 months ago
Is Your Virtual Machine Really Ready-to-go with Istio?
… clusters #IstioCon Role of DNS in Istio, Today 1. DNS query httpbin.ns1.svc.cluster.local 2. DNS response – 10.4.4.4 http req to 10.4.4.4 GET /status/200 http req to 172.16.1.3 GET /status/200 httpbin #IstioCon DNS Issues on VMs accessing K8s SVCs 1. DNS query for httpbin.ns1.svc.cluster.local 2. DNS response – no such host httpbin.ns1.svc.cluster.local SVC IP: 10.4.4.4 #IstioCon DNS Issues on ext-TCP VIPs #IstioCon Smart DNS Proxying 1. DNS query httpbin.ns1.svc.cluster.local 2. Cached DNS response – 10.4.4.4 DNS queries to the system configured name servers. Envoy does not use the agent’s …
0 码力 | 50 pages | 2.19 MB | 1 year ago
Preserve Original Source Address within Istio
… endpoint and init a connection to server with original user’s address (IP_TRANSPARENT) ⑤ Server’s response packet is flowing through the same path (TPROXY + Custom Route) #IstioCon TOA Address Caveats inner ① Config original src filter: IP_TRANSPARENT and mark upstream packets to 1337 ② Make the response packet redirected back to envoy -A PREROUTING -p tcp -m mark --mark 0x539 -j CONNMARK --save-mark …
0 码力 | 29 pages | 713.08 KB | 1 year ago
Accelerate Istio with ebpf
… tool ◦ Two pods run on the same node Configurations ◦ mTLS enabled ◦ Number of Envoy workers: 2 ◦ Response payload size: 1KB Latency ◦ 11-17% improvement Istio Meetup China Summary ● eBPF functionality …
0 码力 | 15 pages | 591.60 KB | 1 year ago
Observability and Istio Telemetry
… Extendable Aggregation Functions • Aggregation Function • Count • Calls per minute • Avg response time • Sum • Thermodynamic • P99/P95/P90/P75/P50 Grammar & Official OAL Script Understand …
0 码力 | 21 pages | 5.29 MB | 6 months ago