with NIST ● Author SP 800-204 series on microservice security ● R&D on Next Generation Access Control (NGAC) ● Exclusively co-host annual zero trust multi-cloud conference Best in Class Team ● Creators operating an application Why is Istio? TSB: The Application-Aware Networking Platform Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload availability & resiliency enabling active-active deployments ● Cross cluster security policies & access control ● Unified telemetry and availability reporting ● Service discovery across multiple clusters ●

#IstioCon V0.2 Mesh Expansion ● Prerequisites ○ IP connectivity to the endpoints in the mesh ○ Istio control plane services (Pilot, Mixer, CA) accessible from the VMs ○ (optional) Kubernetes DNS server accessible Istio and manually register the services running #IstioCon V0.2 Mesh Expansion (cont.) ● Traffic flow (VM -> Container) 1. Dnsmasq accepts DNS queries 2. Access the built-in Kube DNS (exposed by ILB) intercepted by the sidecar proxy 5. xDS ■ Traffic forwarded to ingress in the mesh ● Traffic flow (Container -> VM) 1. Manual registration istioctl -n onprem register mysql 1.2.3.4 3306 #IstioCon

application traffic end to end in production • Allow platform to use Istio authorization policy to control the access to each Knative service based on Istio service roles. How Istio is leveraged in a Knative overload issue still exits 800 Knative Services #IstioCon o 1400 total with dev release with flow control fix looks great, ingress_ready p100 < 30s o [Istio 1.9.x] Support for backpressure on XDS pushes configuration churn. This is disabled by default and can be enabled by setting the PILOT_ENABLE_FLOW_CONTROL environment variable in Istiod. o Final solution is envoy delta-XDS push in future Istio release

App container Sidecar container All incoming traffic must flow through the sidecar first when entering the pod All outgoing traffic must flow through the sidecar before leaving the pod 12 What happens Shortcoming 1: Controlling the running order for containers Stabilizing Istio Kubernetes lacks good control APIs to customize the containers lifecycle in a pod. There is no official way to instruct a pod said 32 A full mesh is utopian, know what you need only Stabilizing Istio The reality: ● The control plane is burning down when pushing your thousand services updates to the hundreds of proxies running

Hierarchy of control planes ● Global Control Plane ○ Users provide application specs to Global Control-Plane ○ Syncs specs to AZ control-planes ○ Hosts global services - Global IPAM, Access-control Policy Policy store, etc. ● AZ Control Plane ○ Syncs specs to workload K8s clusters in the AZ ○ Shared-Nothing Architecture ■ Hosts services catering to the AZ, e.g., AZ IPAM, Network Load-balancers, etc Cluster K8s Cluster AZ Control Plane AZ Control Plane AZ Control Plane Global Control Plane Region Rn Delegate #IstioCon Load balancing & Traffic Flow ● Two tiers of hardware Load-Balancers

certificates, provides workload identity, and includes a builtin authorization system facilitated by its control plane. The goal of the assessment was to identify security issues related to the Istio code base Istio (NOTE: Envoy itself was not part of the assessment). • Istio Control Plane: Istio operator, side car injector, and other Istio control plane services • Istio Documentation: The documentation and secu- fields that could allow route hijacking • In testing, it did not appear to be possible to secure the control plane either by the controlPlaneSecuri ty configuration directive or other means. This left all default

offers more advanced features to support A/B testing, canary deployments, rate limiting, access control, encryption and end-to-end authentication. Istio itself is implemented in Go which shields the project consist of Envoy proxies and an Istio-agent and manage network traffic between microservices. The control plane is responsible for applying user configuration to the proxies. The following diagram demonstrates Security Audit, 2023 Trust boundaries We identify the following trust boundaries: From Into Trust flow Description Outside of cluster Ingress Sidecar or Ingress Gateway Low to high Ingress traffic can

Istio As An API Gateway Discussion Flow ● What is an API Gateway? ● What is a Service Mesh? ● Common Features ● API Gateway + Service Mesh together! ● Istio as the API Gateway ● Advantages ● Pools Istio as the API Gateway Advantages Advantages ● Same abstractions for all your traffic control needs ■ Ingress ■ Egress ■ Inter Service Communication ● Build expertise in one discipline ●

in an infrastructure to flow in a mesh, allowing you to visualize problem areas, tune performance, and add substrate features. Istio is the industry-standard service mesh control plane that makes it easier

protocol #IstioCon Istio Traffic Flow – inner cluster svcA svcB envoy envoy Pod1：10.244.0.20 Pod2：10.244.0.25 Dest: 127.0.0.1 Src：127.0.0.1 #IstioCon Istio Traffic Flow - ingress svcB envoy envoy