Istio audit report - ADA Logics - 2023-01-30 - v1.0 ALLOW or DENY. Policy Enforcement Points Istio authenticates traffic between workloads with mTLS. 14 Istio Security Audit, 2023 Threat actors In this part of the threat model we identify threat actors import ( "archive/tar" "bytes" "compress/gzip" "fmt" 21 Istio Security Audit, 2023 body: 1.86GB main.go package main 30 Istio Security Audit, 2023 0 credits | 55 pages | 703.94 KB | 1 year ago
Istio Security Assessment tasks as they are learning how the community works. As described in finding NCC-GOIST2005-003 on page 14, the Default production profile could be updated or replaced by a hardened version that describes each integrate with something like OPA. 6 https://istio.io/latest/docs/setup/additional-setup/config-profiles/ 14 | Google Istio Security Assessment Google / NCC Group Confidential Finding Weak Hash Used for Integrity lack a caCertificates value into a partially filled UpstreamTlsContext lacking a validation_context. 14, 15 As a result, Envoy proxies using such a configuration will not attempt to verify the validity of 0 credits | 51 pages | 849.66 KB | 1 year ago
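Introduction to Envoy Principles and Pitfalls from Production Issues app2 15.lo 1 2 3. Not this pod, not Envoy itself 4.DNAT 5 6 7. UID=1337 8 9 10. Skip ordinary ports 11.DNAT 1 3 14.lo Network send • Outbound direction: traffic for outbound calls initiated from within this pod • The outbound direction adds the ISTIO_OUTPUT and ISTIO_REDIRECT chains. • Except for traffic destined for 127.0.0.x and traffic sent by Envoy itself In the next round of request parsing, the updated cluster availability state will be obtained from TLS. Copyright © Huawei Technologies Co., Ltd. All rights reserved. Page 14 Envoy network and threading model: network processing System kernel Worker Thread Dispatcher LibeventDispatcher Objects pending cleanup ListenerManager Listener https://istio.io/latest/docs/ Envoy official documentation: https://www.envoyproxy.io/docs/envoy/latest/ Name Description Envoy: a high-performance service mesh data plane proxy based on C++11/14. xDS: the gRPC-based application-layer protocol used between Envoy and upper-layer control planes such as istiod to transmit configuration changes. Automatic injection and traffic interception: when a pod is created, istiod automatically modifies the deployment and istio-init 0 credits | 30 pages | 2.67 MB | 1 year ago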
Developing & Debugging WebAssembly Filters 13 | Copyright © 2020 > meshctl wasm push webassemblyhub.io/yuval/addheader-rust:v1 Build Store 14 | Copyright © 2020 Build Store WASM Artifact Image Specification 15 | Copyright © 2020 Build 0 credits | 22 pages | 2.22 MB | 1 year ago
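Istio and Knative: A Record of Pitfalls Freedom to upgrade and switch middleware • Freedom from vendor lock-in 11/25 Compatibility with old and new service systems Istio's value and problems 12/25 Compatibility with old and new call-chain systems Istio's value and problems 13/25 Canary release Istio's value and problems 14/25 Performance overhead Istio's value and problems Extra memory used per pod: 20 MB; change in average response time of the test API: -8 ms; throughput increase: 5% 15/25 Pilot, Mixer 0 credits | 26 pages | 1.35 MB | 6 months ago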
Using Istio to Build the Next 5G Platform proxy concurrency ● Consuming Istio generated certificates at gateways Learnings Along the Way 14 ©2021 Aspen Mesh. All rights reserved. ● 4G to 5G translation (Protocols like Diameter, SCTP, GTP) 0 credits | 18 pages | 3.79 MB | 1 year ago
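IstioMeetupChina: Service Mesh Hot Upgrade Technology Sharing ServiceMesh 12 More More features: start and pause hot upgrades with one click from the console; set the hot upgrade strategy and the per-batch instance ratio in the console; observe hot upgrade status visually 13 More Thanks! 14 0 credits | 14 pages | 2.25 MB | 1 year ago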
IstioCon 2021 Partner Packages Lightning talks ● 8 lightning talks of 10 minutes each for US TZ ● 4 for China TZ Tech Talks ● 14 tech talks of 40 minutes each for US TZ ● 6 Tech talks of 40 minutes each for China TZ Workshops 0 credits | 23 pages | 3.18 MB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices Component tests Leverage API data for different types of tests Mesh Dynamics Services | CONFIDENTIAL 14 Configure mocks with Istio virtual service Route requests to mock svc with a virtual service - match: 0 credits | 21 pages | 1.09 MB | 1 year ago
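Exploring Istio + MOSN in Dubbo Scenarios mosn_config: MOSN configuration information • listener: LDS • routers: RDS • cluster: CDS and EDS 13/23 MOSN-listener 14/23 MOSN-routers 15/23 MOSN-cluster 16/23 Adaptation for Dubbo scenarios /03 How to carry out the adaptation, covered from two aspects: the data plane and the control plane 17/23 Adaptation option 1 Istio+Envoy 0 credits | 25 pages | 3.71 MB | 6 months ago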













