Istio Security Assessment
51 pages | 849.66 KB | 1 year ago
communication, manages TLS certificates, provides workload identity, and includes a built-in authorization system facilitated by its control plane. The goal of the assessment was to identify security issues related Networking controls allowing inbound and outbound access of Istio services. • Istio Envoy Usage: The configuration and implementation of Envoy within Istio (NOTE: Envoy itself was not part of the assessment) did not appear to be possible to secure the control plane either by the controlPlaneSecurity configuration directive or other means. This left all default services exposed within the cluster. • The default

Istio is a long wild river: how to navigate it safely
69 pages | 1.58 MB | 1 year ago
multi-containers pods Stabilizing Istio CPU: 1 Pod App container Container requests HPA configuration (70% CPU) metrics: - type: Resource resource: name: cpu target: type: Stabilizing Istio CPU: 1 Pod App container Sidecar container CPU: 100m Container requests HPA configuration (70% CPU) metrics: - type: Resource resource: name: cpu target: type: Stabilizing Istio CPU: 1 Pod App container Sidecar container CPU: 100m Container resources HPA configuration (70% CPU) metrics: - type: Resource resource: name: cpu target: type:

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
22 pages | 505.96 KB | 1 year ago
Request Traffic Response Traffic Specs synced from Federated Access Point L4 Configuration L7 Route Configuration watch Client Traffic tunneled to Ingress Gateways One Istio Deployment per service mesh span all clusters in an AZ - ○ Re-deployed Istio to AZ cluster ○ In Primary-Remote configuration within an AZ AZ AZ Cluster Ingress Gateways API Server Istiod East-West Gateway watch (Peer AuthN) using mutual TLS ○ Leverage SPIFFE Trust Domain ■ Trust Domain: Trust root of the system having separate root CA ■ Each workload gets unique identity based on K8s Service account - spiffe://

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
23 pages | 2.51 MB | 1 year ago
Ingress Gateway. • Enable Secret Discovery Service (SDS) to monitor and mount secrets under istio-system to ingress gateway which contains credentials for https support of multi tenants. • Knative has duration from Knative Ingress and istio VirtualService are created to Knative probe thinks the configuration works. o [Istio 1.5.4] Istio is picking up new VirtualService slowly 30s #IstioCon Istio x] Support for backpressure on XDS pushes to avoid overloading Envoy during periods of high configuration churn. This is disabled by default and can be enabled by setting the PILOT_ENABLE_FLOW_CONTROL

Secure your microservices with istio step by step
34 pages | 67.93 MB | 1 year ago
signed with SPIFFE format Istio-proxy CA server Istio identity – how to get configuration ● Format: "spiffe:///ns/ /sa/" ● istioctl proxy-config exec -c istio-proxy curl localhost:15000/config_dump Istio identity – check configuration result ● Result: cert generated automatically with Istio identity 1) Apply peer-authentication istio.io/v1beta1" kind: "RequestAuthentication" metadata: name: "jwt-example" namespace: istio-system spec: selector: matchLabels: istio: ingressgateway jwtRules: - issuer: testing@secure

Istio-redirector: the way to go to manage thousands of HTTP redirections
13 pages | 1.07 MB | 1 year ago
Google Cloud Load Balancer Gateways Web App How do we use Istio? [...] spec: gateways: - istio-system/istio-ingressgateway hosts: - www.blablacar.fr http: - match: - uri: of our SEO Specialist Creating the .csv Importing the file Generating the Istio configuration Deploy to production 1 2 3 4 ? SEO specialist creates the file manually Matching old URLs file Generating the Istio configuration Deploy to production 1 3 4 2 How does it work? Creating the .csv Importing the file Generating the Istio configuration Deploy to production 1

Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
21 pages | 1.09 MB | 1 year ago
Component testing Test a set of services as a single sub-system while isolating them from other services, for example payment processing system | CONFIDENTIAL Current approaches do not scale with) Capture traces for E2E test requests Create tests & mocks for all services Configure system under test Forward egress requests to mock services Capture API interactions /reviews rewrite: uri: /api/ms/CubeCorp/MovieInfo/test/reviews/reviews On-demand configuration to test any component/service REQUEST RESPONSE API MOCKS ASSERTION RULES

Extending service mesh capabilities using a streamlined way based on WASM and ORAS
23 pages | 2.67 MB | 1 year ago
Ways to add a new Filter ● Built-in Filter & Community Provided: ○ https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/http_filters ○ .... ● Custom development: ○ Static precompilation: ■ Integrate other filters into Envoy's source code and compile a new Envoy build. runtime ○ ~20MB for WAVM ○ ~10MB for V8 ● Event-driven model ● Compatible with the native filter invocation method 8 Example Wasm filter configuration ● Configuration pushed to the Envoy Proxy side 9 OCI Registry As Storage ● Reference implementation of the OCI Artifacts project; greatly simplifies storing arbitrary content in an OCI registry; Create the private registry login Secret ● After obtaining the private registry login credentials, create the Secret with the following command ○ kubectl create secret generic asmwasm-cache -n istio-system --from-file=.dockerconfigjson=myconfig.json --type=kubernetes.io/dockerconfigjson

Istio audit report - ADA Logics - 2023-01-30 - v1.0
55 pages | 703.94 KB | 1 year ago
Golang 1 vulnerability found that affected Google's managed Istio offering 11 issues found ● 5 system resource exhaustion ● 1 arbitrary file write ● 1 missing file close ● 1 certificate skipping manage network traffic between microservices. The control plane is responsible for applying user configuration to the proxies. The following diagram demonstrates the Istio architecture: 11 Istio Security including authentication bypass, reading sensitive information, writing files to the underlying file system, exploiting logical errors. The security components have limited functionality, and it should not

SberBank story: moving Istio from PoC to production
14 pages | 1.68 MB | 1 year ago
technology Control Plane Pod Service Pod Service SERVICE MESH Proxy Proxy sidecar sidecar Configuration for proxy Certs, ACLs… Raw metrics HTTP/1 HTTP/2 gRPC Why? Innovation trigger Peak of Head of integration department Igor Gustomyasov Sber IVGustomyasov.SBT@sberbank.ru Open source system architect Maksim Chudnovskii IBM Maksim.Chudnovskii@ibm.com