exhaustion ● 1 arbitrary file write ● 1 missing file close ● 1 certificate skipping ● 1 case unhandled errors ● 1 case of using a deprecated library ● 1 race condition 2 Istio Security Audit, 2023 Notable Go which shields the project from memory-unsafe implementation issues such as buffer overflow and use-a�er-free issues. Envoy - which plays a core role in the Istio service mesh - is implemented in C++ The control plane is responsible for applying user configuration to the proxies. The following diagram demonstrates the Istio architecture: 11 Istio Security Audit, 2023 Trust boundaries We identify

following best practices. Pursuing something formal such as CIS benchmarks is not recommended in this case but a similar approach could be build a self- hosted checklist of features and configuration options RBAC within a Namespace 015 Medium Default Sidecar Image Not Hardened 001 Low The Sidecar Does Not Use Apparmor/Seccomp By Default 005 Low Insecure File Permissions Set 007 Low Istio Client-Side Bypasses controlPlaneAuthPolicy: NONE ... In any case, Istio should not have any plaintext endpoints exposed via its control plane and should enforce all network communications use mTLS (or at minimum, TLS) for communi-

achieve our goal. 16 Workaround: Use postStart and preStop lifecycle hooks Stabilizing Istio 1. Ensure that Envoy is started before any other container in a pod ● Use a `postStart` lifecycle hook in yStarts: true 17 Workaround: Use postStart and preStop lifecycle hooks Stabilizing Istio 2. Ensure that Envoy is stopped after any other container in a pod ● Use a `preStop` lifecycle hook in the the container. 18 Workaround: Use postStart and preStop lifecycle hooks Stabilizing Istio 2. Ensure that Envoy is stopped after any other container in a pod ● Use a `preStop` lifecycle hook in the

What is Istio? A service mesh. But more: an open service platform! ○ More use cases! ○ (Consul, Kuma…) #IstioCon Emerging Use Cases #IstioCon Legacy Scenarios ● Stateful applications ○ Data store Cached DNS response – 10.4.4.4 DNS queries to the system configured name servers. Envoy does not use the agent’s DNS cache. http req to 10.4.4.4 GET /status/200 httpbin.ns1.svc.cluster.local SVC IP: expect more? And what do we need else? #IstioCon Why We Expect More? A Closer Look… ● Example use case: Telco & Edge computing ○ where VMs play a crucial role now and later ○ where service mesh is

Outline ● Background ● Enterprise Service Mesh: Tetrate Service Bridge ● Tetrate OSS Projects ● Use Case ● Resources Tetrate the Service Mesh Creators Zack Butcher Istio Steering Committee Jeyappragash added to the group will use macro APIs that automatically generate Istio APIs under the hood. ● Direct: Indicates that the configurations to be added to the group will directly use Istio APIs. Tetrate Config scanning ● GitHub Envoy Gateway ● API standarization ● Support Kubernetes Gateway API Use Case: A Financial Company Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane

Original Address Preserve Background Demo 1. HTTP Original Address Preserve #IstioCon What is the use case of original address 1. Sticky Session: based on ip hash, traffic from same client is forwarded configuration use_remote_address: Envoy will only append to XFF if the use_remote_address HTTP connection manager option is set to true and the skip_xff_append is set false. xff_num_trusted_hops : If use_remote_address

Acceleration #IstioCon Problem In the case of Inbound, 4-tuple key may conflict due to same src/dst ip address #IstioCon Use pod ip as hash key Use pod_ip to generate a unique key is a way

multiple AZs in each region ○ Capability to run all applications from a single region or AZ in a worst-case scenario Region R1 AZ 1 AZ 2 AZ n Data Center DC1 K8s Cluster K8s Cluster K8s Cluster on our Global Control Plane ● Realized on hardware LBs ● Internal orchestration & UI tools to use Access Point specs ● Standardization provides flexibility to switch backend implementations to

业务无需代码改动即可开启，在线调整backup超时 分位值、熔断阈值。 2. 支持动态调整配置参数，对接智能调参系统。 防雪崩能力：动态BackupRequest #IstioCon 未来 l 强化稳定性工程。（Case覆盖、故障自动恢复） l 实现现有能力整合。（Mesh作为基础层，完全有能力整合内部Trace系统、压测平台等） l 积极拥抱社区。（积极贡献Istio社区） l 探索新应用。 （机房扩建，流量染色分级等）

environments, the need for x509 certificates that use Elliptical Curve Cryptography (ECC) is a requirement ● In Istio 1.6, support for workloads to use ECC certificates for mTLS in sidecar-to-sidecar must use ECC cryptography (using ECDSA P-256) to use this feature ● Only ECDSA P-256 is supported #IstioCon pilot-agent environmental variables Disclaimer: Environmental variables and their use are deprecated in a future release. Use at your own discretion. ● To enable this, users must set the ECC_SIGNATURE_ALGORITHM environmental variable on sidecar ejection to ECDSA for use by pilot-agent ○ For gateways