overall architecture review which extrapolated areas of focus for subsequent phases of the assessment. A test plan was created which matched areas of code with specific security controls (e.g. service discovery NCC Group used various hosting options (i.e. Minikube, GKE, KOPS) to build reference clusters and test various configurations. These reference architectures were used to provide testers with a way of validating Method Code-assisted Platforms Golang, Kubernetes Dates 2020-07-06 to 2020-07-31 Environment Local Test Environment Consultants 4 Level of Effort 50 person days Targets istio/istio Istio Source code

Istio Security Audit, 2023 Fuzzing The second goal of the audit was to assess and improve the fuzz test suite of Istio. During the initial assessment, the Ada Logics auditing team reviewed the existing substantial fuzz test suite that runs continuously on OSS-Fuzz. Ada Logics started the fuzzing assessment by prioritising security-critical parts of Istio. We found that many of these had impressive test coverage t/fuzz _test.go#L23 3 FuzzReadCACert istio.io/istio/security/pkg/ k8s/chiron https://github.com/istio/istio/blob/6 5478ea81272c0ceaab568974aff7 00aef907312/security/pkg/k8s/chir on/fuzz_test.go#L22

Huawei Technologies Co., Ltd. All rights reserved. Page 15 Envoy过滤器架构 • 根据位置及作用类型，分为： • 监听过滤器（Network::ListenerFilter） • onAccept接收新连接，判断协议类型，TLS握手，HTTP协议自动识别、提取连接地址信息 • L4 网络过滤器 • HTTP、Mysql、Dub 前的目标服务地址，作为后续负载均衡的输入。 envoy.filters.network.tcp_proxy L4网络过滤器 基于L4层1对1上下游网络连接代理 envoy.filters.network.wasm L4网络过滤器 基于WASM（WebAssembly）技术，支持沙箱、热升级、 跨语言的扩展机制，处理L4层新连接、数据收发。 envoy.filters.network.dubbo_pro xy L4网络过滤器 RPC协议并提取请求中方法、接口、 metadata等信息，并根据元数据进行路由选择。 envoy.filters.network.local_rateli mit L4网络过滤器 基于L4层网络限流，通过令牌桶防止定期时间间隔内 过多下游连接。 envoy.filters.network.http_conne ction_manager L4网络过滤器 专门用于处理HTTP请求的网络过滤器，根据协议类型

docker pull + No local resource utilization + Closely resembles production environments + Can test large scales - Slow, especially without fast upload speeds - Expensive #IstioCon Local Machine from an IDE - Very different from production environment, may not be representative - Harder to test actual traffic, especially iptables - May be dependant on local environment - Challenging to have Rapid iteration - Very different from production environment, may not be representative - Harder to test actual traffic, especially iptables - May be dependant on local environment - Challenging to have

Downstre am Filter Filter Filter Cluster Upstrea m Filter Chain 扩展自定义Filter, 并通过xDS API动态配置 L4 Network Filters L7 Http Filters 3 Listener & Filters before outbound services Listener Downst ream Filter Filter Filter Cluster Upstrea m Filter Chain 4 实际示例中用到的Envoy Filters 端口9080 监听 envoy.filte rs.network .metadata _exchange envoy.http _connectio n_manage r Cluster Productp age服务 Filter Chain envoy aliyuncs.com 11 通过oras push命令推送 ● oras push acree-1-registry.cn-hangzhou.cr.aliyuncs.com/asm/asm- test:v0.1 --manifest-config runtime- config.json:application/vnd.module.wasm.config.v1+json example- filter

meant to deliver higher multi-Gbps peak data speeds, ultra low latency, more reliability, massive network capacity, increased availability, and a more uniform user experience to more users. Higher performance Authorization between CNFs 5 ©2021 Aspen Mesh. All rights reserved. 5G Network Function Decomposition Microservice Network Function Implementation 5G Architecture Looks a Lot Like a Mesh? 6 ©2021 Redis DB SMF App X https://aspenmesh.io/how-to-capture-packets-that-dont-exist/ Optical Tap Network Analyzer Encrypted traffic w/PFS Intra node traffic HTTP/2 awareness Contextual data 16 ©2021

Policies WAF / IDS Firewall User AuthN/Z Data Loss Prevention Certificate Authority K8s Network Policy K8s RBAC Audit Logging Image Verification Admission Control Workload Identity to defend against data exfiltration, botnet attacks. 3. Define firewall and virtual private network to lock down external access. Edge security best practices Cluster security Access control control Service 2 Service 1 1. Ensure traffic is natively encrypted, such as HTTPS 3. use k8s network policies to limit traffic bypassing sidecars Cluster security best practices: safely handle policy

to lift and shift ● Packaged software ○ Non-Linux ○ unikernels ● Domain specific workloads ○ Network Functions (NFV) #IstioCon Hybrid and Multi Clouds #IstioCon Istio VM Integration is? A Tumultuous about connecting virtual machine workloads to Kubernetes workloads. #IstioCon VM Support – Single Network #IstioCon VM Support – Multiple Networks #IstioCon Current State of VM Support ● Traffic flow name resolved ■ gets routed through the gateway to the service ● The data plane traffic ■ Single network ● direct communication w/o requiring intermediate Gateway ■ Multiple networks ● all goes though

a pausing pod Kubelet invoke CNI plugins CNI plugins setup ip for pod Istio CNI install isidecar network routing rule to workload iptable Benefits of Istio CNI No need for CAP_NET_ADMIN and CAP_NET_RAW get started in here and bypassing istio sidecar proxy(race condition) Istio CNI install sidecar network routing rule to workload iptable Issue in Istio CNI Kubelet Start a pausing pod Kubelet invoke get started in here and bypassing istio sidecar proxy(race condition) Istio CNI install sidecar network routing rule to workload iptable Issue in Istio CNI Could happen in suddenly increased nodes and

in the AZ ○ Shared-Nothing Architecture ■ Hosts services catering to the AZ, e.g., AZ IPAM, Network Load-balancers, etc. ■ Full isolation by confining service failures to AZ boundary AZ 1 AZ Replace Hardware LBs with Software K8s API Server NLB Controllers Istiod Network Load Balancer (NLB) Network Load Balancer (NLB) Ingress Gateway Ingress Gateway Pods Request Traffic Response