permissions is limited by the following Kubernetes Role object which would provide full read- write access to a participant’s namespace. { "kind": "Role", "apiVersion": "rbac.authorization.k8s.io/v1beta1" missions authorized. Recommendation Update documentation to suggest a finer grained Kubernetes RBAC Role for read-write access to a participant’s namespace. 20 | Google Istio Security Assessment Google

Authorization Version 1 : Istio Mixer authz adapt Implement role-based authorization – whether this user can access this api based on its role => Version 2: Envoyfilter ext_authz #IstioCon Wise Platform

port ○ workaround: `resolution: NONE` ● Resolving DNS for services in remote clusters #IstioCon Role of DNS in Istio, Today 1. DNS query httpbin.ns1.svc.cluster.local 2. DNS response – 10.4.4.4 http Expect More? A Closer Look… ● Example use case: Telco & Edge computing ○ where VMs play a crucial role now and later ○ where service mesh is a key paradigm for solving challenges [1] ■ Traffic steering

svc-not-in-mesh.nav.local secrets: true accessPolicy: inbound: - name: consumer-a Role RoleBinding apiVersion: "nais.io/v1alpha1" kind: "Application" metadata: name: app labels:

implementation issues such as buffer overflow and use-a�er-free issues. Envoy - which plays a core role in the Istio service mesh - is implemented in C++ and memory-corruption issues can therefore have