#IstioCon Using ECC Workload Certificates (pilot-agent environmental variables) Jacob Delgado / Aspen Mesh #IstioCon ECC workload certificates ● In various environments, the need for x509 certificates ECC_SIGNATURE_ALGORITHM: ECDSA Must be done for each chart, but not for base #IstioCon Inspection of Workload Certificates Ensure that workloads within your cluster are using ECC $ istioctl proxy-config

Kubernetes clusters to provide service-to-service communication, manages TLS certificates, provides workload identity, and includes a builtin authorization system facilitated by its control plane. The goal cluster. • The Envoy Proxy admin port is exposed via the Istio sidecar and would allow a malicious workload to override or compromise their own Istio configuration. Strategic Recommendations • Build opinionated Set 007 Low Istio Client-Side Bypasses 014 Low Sidecar Envoy Administrative Interface Exposed To Workload Containers 018 Low DestinationRules Without CA Certificates Field Do Not Validate Certificates

张之晗 Tetrate ⼯程师/Istio 社区 Release Manager 服务⽹格安全—— 理解 Istio CNI Istio Meetup China About me Istio 1.10 Release Manager, Istio Community, 2021-Present GetMesh(GetIstio) core contributor, Istio Community Start istio init container in workload Istiod watch updates & start networking sidecar proxy init container update iptable rule for proxy terminate init container Start workload with updated ip routing rules invoke CNI plugins CNI plugins setup ip for pod Istio CNI install isidecar network routing rule to workload iptable Benefits of Istio CNI No need for CAP_NET_ADMIN and CAP_NET_RAW permission No need for

服务发现 • K8s Service ： Pilot 直接支持 • ServiceEntry： 手动添加 Service 到 Pilot 内部注册表中 • WorkloadEntry：单独添加 Workload，对于虚机支持更友好 • MCP 适配器： 将第三方注册表中的服务加入到 Pilot 中 Consul MCP Adapter https://github.com/istio-ecosystem/consul-mcp 路由 目的地流量策略配置 • LB 策略 • 连接池配置 • 断路器配置 • TLS 配置 Gateway External Service 统一网格出口 • 出口地址（Gateway Workload） • 出口端口 Virtual Service CLB 对外请求 对外请求（Passthrough/ServiceEntry） 缺省路由 （服务名） 5 Istio 流量管理 – IP（通配）和端口（9080）转发到 0.0.0.0_9080 这个 outbound listener。 5. 根据 0.0.0.0_9080 listener 的 http_connection_manager filter 配置，该请求采用 9080 route 进行分发。 6. 9080 这个 route 的配置中，host name 为 reviews:9080 的请求对应 的 cluster 为

io Didier Grelin Sr. Technical Program Manager dgrelin@google.com Ethan Jackson Staff Engineer jethan@google.com Francis Zhou Senior Technical Program Manager francisz@google.com Greg Hanson So�ware jdpettit@google.com Lei Tang Technical Lead leitang@google.com Neelima Balakrishnan So�ware Engineering Manager neelimabk@google.com Shankar Ganesan So�ware Engineer shankgan@google.com OSTIF 4 Istio Security Authorization Istio allows users to create authorization policies to specify mesh-, namespace-, and workload-wide access control for workloads in the mesh. Authorization policies are created by users and are

Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload (Service) VM Workload (Service) VM Workload (Service) VM API Gateway Ingress & Egress that VM ● Install DEB/RPM package of the Workload Onboarding Agent on that VM ● Provide a minimal declarative configuration describing where to onboard the workload to Bridged Mode vs Direct Mode ● Bridged: Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload (Service) VM Workload (Service) VM Workload (Service) VM API Gateway Ingress & Egress

Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster Edge Operations Workload Data Exfiltration Man-In-The-Middle Denial of Service Privilege Escalation Escalation Application Compromise Control Plane Service mesh security architecture Cluster Workload Edge Operations Ingress Policies Egress Policies WAF / IDS Firewall User AuthN/Z Data Loss Authority K8s Network Policy K8s RBAC Audit Logging Image Verification Admission Control Workload Identity K8s RBAC K8s CNI AuthZ Policy Peer AuthN Policy KMS Control Plane Hardening

1 ServiceEntry #IstioCon V1.6-1.8 Better VM Workload Abstraction A K8s Service and Pods Two separate object with distinct lifecycles Before Workload Entry, a single Istio Service Entry object combined giving a first-class representation for the workloads themselves #IstioCon V1.6-1.8 Better VM Workload Abstraction Item Kubernetes Virtual Machine Basic schedule unit Pod WorkloadEntry Component selector: app: foo Istio Workload Entries labels: app: foo class: vm #IstioCon V1.6-1.8 Better VM Workload Abstraction ● Workload Entry ○ single non-Kubernetes workload ○ mTLS using service account

services - Global IPAM, Access-control Policy store, etc. ● AZ Control Plane ○ Syncs specs to workload K8s clusters in the AZ ○ Shared-Nothing Architecture ■ Hosts services catering to the AZ, e Configuration watch Client Traffic tunneled to Ingress Gateways One Istio Deployment per workload K8s cluster #IstioCon Step 3: Evolve into AZ architecture ● One Istio deployment per K8s cluster Server Istiod East-West Gateway watch API Server Pods, Services Workload Cluster API Server Pods, Services Workload Cluster watch Services talk directly #IstioCon Step 4: Evolving

©2021 Aspen Mesh. All rights reserved. Key Platform Requirements Multi-Vendor Real-Time (RAN) Workload Mobility Networking outside CNF Encryption & Authorization between CNFs 5 ©2021 Aspen Mesh. privileges ● Integrate with PKI minted Intermediate CA ● Enable ECC certificates ● Configure workload certificate TTLs ● Enable strict mutual TLS (mTLS) instead of auto ● Use dedicated egress gateways changes ● SPIFFE only certificates ● Configuring workload certificate TTLs ● RSA to ECC migration ● Missing www-authenticate header ● Tuning per-workload proxy concurrency ● Consuming Istio generated