Envoy原理介绍及线上问题踩坑 (Introduction to Envoy internals and pitfalls hit in production)
[2021-03-31T11:16:55.538Z] "GET /aaabbbcccddd HTTP/1.1" 503 UO "-" "-" 0 81 5 - "-" "-" "3c2a392c-56fc-9d8c-9895-f657a4444679" "test-503-svc:8080" "-" - - 10.106.246.126:8080 10.244.92.179:48788 - default
(UO is Envoy's response flag for upstream overflow: the request was rejected by a circuit breaker rather than failed by the upstream.)
30 pages | 2.67 MB | 1 year ago
Istio Security Assessment
...hardening documentation: While there were a variety of areas where documentation could improve, it may make sense to start with the hardening guidelines first, as it will give administrators more confidence. Location: https://istio.io/latest/docs/ Impact: Without clear documentation, administrators cannot make accurate security decisions and have no way of knowing whether their design adheres to industry...
    sortConfigByCreationTime(gatewayConfigs)
    ps.allGateways = gatewayConfigs
    ps.gatewaysByNamespace = make(map[string][]Config)
    for _, gatewayConfig := range gatewayConfigs {
        if _, exists := ps.gatewaysB...
51 pages | 849.66 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
    ...NewBuffer(b)
    tr := tar.NewReader(buf)
    h, err := tr.Next()
    if err != nil {
        return nil
    }
    ret := make([]byte, h.Size)
    _, err = io.ReadFull(tr, ret)
    if err != nil {
        return nil
    }
    return ret
    }
https://github...
    h, err := tr.Next()
    if err == io.EOF {
        break
    } else if err != nil {
        return nil, err
    }
    ret := make([]byte, h.Size)
    if filepath.Base(h.Name) == wasmPluginFileName {
        _, err := io.ReadFull(tr, ret)
        if ...
    Errorf("%s not found in the archive", wasmPluginFileName)
    }
Exploitation: An attacker would need to make Istio fetch a tar archive containing a large file. This is fairly low effort. The URL that the tar...
55 pages | 703.94 KB | 1 year ago
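Both snippets in the audit excerpt share one shape: ret := make([]byte, h.Size) sizes the buffer from the tar header, a field the archive author controls, before a single payload byte has been read, so a header that declares a huge entry costs the process that much memory up front even if the archive body is empty. The program below is an added example written for this listing, not code from the Istio repository or from the ADA Logics report. It reproduces that pattern beside a bounded variant that checks the declared size against a hard cap before allocating, and builds its own archives in memory (buildArchive) so it runs offline. The file name plugin.wasm, the 64 MiB cap and the helper are assumptions for illustration, not Istio's values.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
)

// Assumptions for this example: the extractor looks for one file with this
// basename, and entries above maxWasmPluginSize are refused. Neither value is
// taken from Istio.
const wasmPluginFileName = "plugin.wasm"
const maxWasmPluginSize int64 = 64 << 20 // 64 MiB

var ErrPluginTooLarge = errors.New("wasm plugin entry exceeds size limit")

// extractUnbounded mirrors the pattern in the audit snippets: the buffer is
// sized from h.Size before any payload is read, so a header that declares a
// terabyte triggers a terabyte allocation regardless of what follows it.
func extractUnbounded(archive []byte) ([]byte, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		h, err := tr.Next()
		if err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if filepath.Base(h.Name) != wasmPluginFileName {
			continue
		}
		ret := make([]byte, h.Size) // untrusted size, allocated blindly
		if _, err := io.ReadFull(tr, ret); err != nil {
			return nil, err
		}
		return ret, nil
	}
	return nil, fmt.Errorf("%s not found in the archive", wasmPluginFileName)
}

// extractBounded validates the declared size against a hard cap before
// allocating, so an oversized or lying header is refused after a 512-byte
// header read instead of a giant allocation. tar.Reader never returns more
// than h.Size bytes, so after the check the buffer is at most limit bytes.
func extractBounded(archive []byte, limit int64) ([]byte, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		h, err := tr.Next()
		if err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if filepath.Base(h.Name) != wasmPluginFileName {
			continue
		}
		if h.Size < 0 || h.Size > limit {
			return nil, fmt.Errorf("%w: header declares %d bytes, limit %d", ErrPluginTooLarge, h.Size, limit)
		}
		ret := make([]byte, h.Size)
		if _, err := io.ReadFull(tr, ret); err != nil {
			// The header promised more bytes than the archive actually carries.
			return nil, fmt.Errorf("truncated %s entry: %w", wasmPluginFileName, err)
		}
		return ret, nil
	}
	return nil, fmt.Errorf("%s not found in the archive", wasmPluginFileName)
}

// buildArchive is a constructed test input: a single-entry tar whose header may
// declare more bytes than are written, which is how a malicious archive drives
// the unbounded path. Close reports the shortfall for a lying header; the header
// bytes are already in buf, so that error is deliberately ignored.
func buildArchive(name string, declaredSize int64, body []byte) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	hdr := &tar.Header{Name: name, Mode: 0o644, Typeflag: tar.TypeReg, Size: declaredSize}
	if err := tw.WriteHeader(hdr); err != nil {
		panic(err)
	}
	if _, err := tw.Write(body); err != nil {
		panic(err)
	}
	_ = tw.Close()
	return buf.Bytes()
}

func main() {
	good := buildArchive(wasmPluginFileName, 5, []byte("hello"))
	lying := buildArchive(wasmPluginFileName, 1<<20, nil) // claims 1 MiB, carries 0 bytes

	out, err := extractBounded(good, maxWasmPluginSize)
	fmt.Printf("bounded, honest header: %q err=%v\n", out, err)
	_, err = extractUnbounded(lying)
	fmt.Println("unbounded, lying header: 1 MiB was allocated before:", err)
	_, err = extractBounded(lying, 64<<10)
	fmt.Println("bounded (64 KiB cap), lying header:", err)
}
```

The lying archive in main declares only 1 MiB so the demonstration stays harmless; the same header with a multi-gigabyte size would make extractUnbounded abort the whole process with an unrecoverable out-of-memory error, which is the denial-of-service the audit excerpt describes. A size cap is necessary but not sufficient on its own: the fetch that produces the archive bytes also needs a bounded body reader, otherwise the archive itself, rather than an entry inside it, becomes the oversized allocation.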
Istio is a long wild river: how to navigate it safely
...it happens frequently: during pod creation and during pod deletion. To prevent it, we need to make sure that: 1. Envoy is started before any other container in a pod; 2. Envoy is stopped after any...
...than 770m CPU. Define HPA target for multi-container pods. Stabilizing Istio: two options: 1. Make the istio-proxy CPU very low compared to the application CPU (between x% and y% of upstream service...
...pod rollout. No matter how well our services handled graceful termination, Istio would make headless services worse. Conclusion: We stopped using headless services and gradually migrated to...
69 pages | 1.58 MB | 1 year ago
5 tips for your first Istio.io Contribution (IstioCon)
...you can help by creating one! ● Guide for creating tests ● Sample page with a test ● make test_status ● make snips. The Pull Request Process: ● Viewing changes as if they were live ● The linter is pretty specific ● Don't forget to update or create a test if the page you changed is tested! Run make lint locally to verify changes and check for problems. Click on the Netlify preview to view updates.
14 pages | 717.74 KB | 1 year ago
Set Sail for a Ship-Shape Istio Release (IstioCon)
...of Done. Goal: To make Istio releases and feature quality consistent and predictable. Definition of Done, approach: ● Automation where possible ● For everything else, make information easy to...
18 pages | 199.43 KB | 1 year ago
宋净超 (Jimmy Song): From open-source Istio to enterprise-grade service: how to land a service mesh in the enterprise
...Kubernetes-based application gateway ● Tetrate Istio Distro: simple, safe, enterprise-grade Istio distro ● Func-e: make running Envoy easy. Wazero ● wazero is the only zero-dependency WebAssembly runtime written in Go/TinyGo/Rust ● Using the WasmPlugin API to extend Istio ● GitHub: tetratelabs/wazero. Istio Security Scanner ● Make Istio security best practices easier to consume ● Do I run on a problematic Istio version? ● Features...
30 pages | 4.79 MB | 6 months ago
Automate mTLS communication with GoPay partners with Istio
...which made it easy to adopt existing EnvoyFilters into Istio. ● Istio has abstraction concepts that make managing things easier. Before mutual TLS? HTTPS + allowlisting. Our previous setup is using https...
16 pages | 1.45 MB | 1 year ago
SberBank story: moving Istio from PoC to production
...Disillusionment, Slope of Enlightenment, Plateau of Productivity. January 2019: PoC on OCP 3.11, Istio 1.0. Make It Simple (slide: Event Hub, DBs, SERVICE MESH, Istio Ingress, Istio Egress, Other External Services, Tracing)
14 pages | 1.68 MB | 1 year ago
Using Istio to Build the Next 5G Platform
...(slide: App X, AMF Identity, SMF Identity, SMF Identity) ©2021 Aspen Mesh. All rights reserved. How to Make Legacy NFs Talk to CNFs in the Mesh (slide: UDM, Virtual Machine, Namespace, SMF, SMF Frontend)
18 pages | 3.79 MB | 1 year ago
12 results in total