Istio Security Assessment
  Google, August 6, 2020 – Version 1.1. Prepared for Arun Kumar R. Prepared by Mark Manning, Jeff Dileo, Divya Natesan, Andy Olsen. Feedback on this project? https://my.nccgroup … assessment was to identify security issues related to the Istio code base, highlight high-risk configurations commonly used by administrators, and provide perspective on whether security features sufficiently … subsequent phases of the assessment. A test plan was created which matched areas of code with specific security controls (e.g. service discovery, certificate lifecycle, sidecar injection) to focus testing efforts …
  51 pages | 849.66 KB | 1 year ago

Service mesh security best practices: from implementation to verification
  Anthony Roman, Lei Tang, Google, April 26, 2022. Who are we? Anthony Roman, Istio, GitHub: anthony-roman. Lei Tang, Istio. Agenda: 1. Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture: attack vectors; service mesh security architecture and implementation. Attack Vectors and Surfaces: Istio is both a collection of security controls and an attack target. Workload, Cluster Edge, Operations …
  29 pages | 1.77 MB | 1 year ago

Optimal Canary Deployments using Istio and how it scores over Spring Cloud and Kubernetes
  Presented by Archna Gupta. What is a Canary Release or Deployment? A canary deployment, or canary release … (diagram labels: My-data-service Service, Demo-canary Service). Canary Releases Using Spring Cloud (diagram labels: Demo-canary Service, Service Instance V1, Spring Cloud Gateway, www.my-application.com, 75% or Header: X-User-Type: Non-Admin, My-data-service Service, Service Instance V2, Spring Eureka, Cross-version Traffic Load Balancer, My-data-service Service, Demo-canary Service). Canary Releases Using Spring Cloud – Across application layers using …
  9 pages | 1011.00 KB | 1 year ago

IstioCon 2021 Report
  … platform; I want to sketch a mesh for you; Istio service mesh at enterprise scale; Improving security with Istio; What Envoy hears when Istio speaks. Company presenting: Google and IBM; Aspen Mesh. Lightning talks (China): Secure your microservices with Istio step by step; Best practice: from Spring Cloud to Istio; Preserve original source address within Istio; Performance tuning and best … using Kiali" (by RedHat). Office hours on the following topics: Istio debugging, Istio Security, WebAssembly, Multi Cluster, Istio Roadmap and Istio in production. Participant feedback …
  18 pages | 912.89 KB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
  PRESENTS Istio Security Audit. In collaboration with the Istio project's maintainers and The Open Source Technology Improvement Fund, Inc (OSTIF), ostif.org. Authors: Adam Korczynski. This report is licensed under Creative Commons Attribution 4.0 International (CC BY 4.0). Istio Security Audit, 2023. Table of contents: Table of contents 1, Executive summary 2, Notable findings 3, Project … previous audit 50, Istio SLSA compliance 52. Executive summary: In September and October 2022 Ada Logics carried out a security audit of the Istio project. The audit was sponsored …
  55 pages | 703.94 KB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
  … management: load balancing for VMs, failover, A/B testing, modern rollouts for VM services. Security: enforce the same policies in the same way, across compute environments. Observability: see … Extensibility. Why Should Istio Support VMs? ≈ Why VMs? Technical reasons: better-known security controls; better isolation (of resources, fault domains etc.); compatibility (non-Linux, unikernels) … injection; automate VM registration; health/readiness check. V1.7 VM Support with Added Security: secure bootstrapping process; automate provisioning a VM's mesh identity (certificate), based …
  50 pages | 2.19 MB | 1 year ago

Secure your microservices with Istio step by step
  Istio Architecture: connect, secure, control, and observe services. Security Architecture. Bookinfo architecture without service mesh: Reviews-v1 doesn't call … accept only plain text. UNSET: inherit from parent, default to PERMISSIVE if not set. apiVersion: "security.istio.io/v1beta1" kind: "PeerAuthentication" metadata: name: "demo-peer-policy" namespace: "default" … gateway. Access productpage. Authorize ingress traffic with JWT token: apiVersion: "security.istio.io/v1beta1" kind: "RequestAuthentication" metadata: name: "jwt-example" namespace: istio-system …
  34 pages | 67.93 MB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
  (diagram labels: Load-Balancer, Web-Tier Load-Balancer, Pods, AZ 1, AZ 2, AZ n, Client). What about Security? L4 micro-segmentation solution: central policy store capturing application-to-application … Layer Security (TLS). Custom OpenID implementation for L7 AuthN. Why Service Mesh? Current challenges include: manageability of hardware devices; traffic management & security enforcement … applications in a consistent way. Service Mesh: an architectural pattern to implement common security, observability, service routing & discovery functions as features of the infrastructure. Functions: …
  22 pages | 505.96 KB | 1 year ago

宋净超: From open-source Istio to enterprise-grade services: how to adopt a service mesh in the enterprise
  … Co-founder, Chair CNCF SIG Security. Varun Talwar, Co-founder, Co-creator of gRPC, Istio. Lizan Zhou, Senior Maintainer, Envoy. Community & Industry Leaders: founded CNCF SIG Security; Secure and Hardened Istio; Training and Certification. Collaboration with NIST: author of the SP 800-204 series on microservice security; R&D on Next Generation Access Control (NGAC); exclusively co-host annual zero trust … multi-cloud across clusters; high availability & resiliency enabling active-active deployments; cross-cluster security policies & access control; unified telemetry and availability reporting; service discovery …
  30 pages | 4.79 MB | 6 months ago

Apache Kafka with Istio on K8s
  Toader & Zsolt Varga, 2021-Feb-26. Apache Kafka with Istio on K8s (2): scalability; resiliency; security; observability; disaster recovery. Production grade Apache Kafka on Kubernetes (3): secure service-account-based authn/authz; secure cross-cluster interaction between client apps and Kafka. Security goals (4): Kafka brokers require private-key and certificate pairs; private keys and certificates … on-the-fly certificate renewal; Kafka listeners configured in PLAINTEXT mode. Security layer provided by Istio (8). Security layer provided by Istio (9): Kafka does not process client certificate in PLAINTEXT …
  14 pages | 875.99 KB | 1 year ago
