f5a Istio Adoption Cash App
  Snippet: Internal Presentation slides: WELCOME; Liam White, Geoff Flarity, Jan Zantinge (linkedin.com/in/janzantinge, linkedin.com/in/gflarity, linkedin.com/in/liam-white); Projects, Ideas, Excitement!; New Square DC -> Cash App EKS; "New" Cash App EKS -> Square DC; ir-sync; Do you like io/careers; THE END; Understanding Istio; Cash App EKS -> Cash App EKS; Cash App EKS -> Square DC
  15 pages | 2.20 MB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
  Snippet: … from the VMs ○ (optional) Kubernetes DNS server accessible from the VMs ● Onboard steps ○ Setup Internal Load Balancers (ILBs) for Kube DNS, Pilot, Mixer and CA ○ Generate configs for VMs, incl. `cluster … Service Entry ○ An entry that Istio maintains internally ○ Describing the properties of a service, internal/external to the mesh ■ DNS name ■ VIPs, ports, protocols ■ Endpoints ○ After adding, sending … mtls policies ■ VM service, multicluster Istio mesh support ● Service + Endpoints ○ Usually for internal traffic ○ ExternalName ■ Service <-> DNS name ○ External IPs #IstioCon V1.1 ServiceEntry #IstioCon
  50 pages | 2.19 MB | 1 year ago

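The snippet above lists what a ServiceEntry carries (a DNS name, VIPs, ports and protocols, endpoints, and whether the service is internal or external to the mesh). The following is an added example, not taken from the linked deck, of a ServiceEntry that registers a VM-hosted service as a mesh-internal service; the hostname, VIP, endpoint addresses and labels are assumed values.

```yaml
# Added example, not the deck's own config. Names and addresses are assumed.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: vm-ledger
  namespace: payments
spec:
  hosts:
  - ledger.vm.example.internal      # DNS name clients use; assumed
  addresses:
  - 240.0.1.10/32                    # VIP the sidecar intercepts for that host; assumed
  location: MESH_INTERNAL            # the VMs run a sidecar and carry mesh identity
  resolution: STATIC                 # route to the listed endpoints, no DNS lookup
  ports:
  - number: 8080
    name: http-ledger                # "http-" prefix tells the proxy which L7 protocol to parse
    protocol: HTTP
  endpoints:
  - address: 10.20.30.40             # VM IP; assumed
    labels:
      app: ledger
      version: v1
  - address: 10.20.30.41             # second VM IP; assumed
    labels:
      app: ledger
      version: v1
```

`location: MESH_INTERNAL` is the security-relevant switch: it tells Istio the endpoints present mesh certificates, so a STRICT PeerAuthentication in the namespace applies to them, whereas `MESH_EXTERNAL` marks a service the mesh cannot authenticate with its own mTLS. Current Istio releases usually register VMs as WorkloadEntry objects selected by `workloadSelector` instead of inline `endpoints`; the fields shown here still apply. After applying, `istioctl analyze -n payments` flags schema or conflict problems, and `istioctl proxy-config endpoint <client-pod>` shows whether the two VM addresses were pushed to a client sidecar.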
Istio audit report - ADA Logics - 2023-01-30 - v1.0
  Snippet: … security features related to identity, policies, TLS encryption, authentication, authorization and internal auditing to enhance the security in the mesh. Istio's security components are especially exposed … part of the threat model we identify threat actors that may impact the security posture of Istio. Internal attacker: An entity with some level of privilege that would seek to exceed one or more trust boundaries … of our review may not be relevant at this point. Ada Logics started out the review by requesting internal documentation that had been produced as part of the mitigation process. We then looked for public …
  55 pages | 703.94 KB | 1 year ago

生产环境 istio (Istio in production)
  Snippet: (architecture diagram residue; only the labels survive: app, dev, prod, internal, external, on-prem, public cloud, GKE, internet, DMZ)
  42 pages | 3.45 MB | 1 year ago

Automate mTLS communication with GoPay partners with Istio
  Snippet: About ● A few hundred developers ● Multiple Kubernetes Clusters ● 250+ microservices ● 150M+ internal API calls ● 3000+ deployments every week ● REST as well as gRPC services ● Services written in … of endpoint for each GoPay partner with specific IP seems burden job. ● Security concern about internal attacks (we don't know who are using those IP, only service that communicate with us or it's NAT …
  16 pages | 1.45 MB | 1 year ago

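The snippet above states the problem that motivates mTLS here: a per-partner source-IP allowlist is a burden to maintain and says nothing about who is actually behind an address or a NAT. The following is an added example, not GoPay's configuration, showing the in-mesh version of that move: a STRICT PeerAuthentication so plaintext callers are refused at the sidecar, the IP-based AuthorizationPolicy it replaces, and the identity-based policy that replaces it. Namespace, workload labels, service-account identity and the 203.0.113.0/24 range (a documentation range standing in for a partner NAT) are assumed.

```yaml
# Added example, not GoPay's own policies. Namespaces, labels, identities and
# the IP range are assumed. All three objects are in one file.
---
# 1. Require mTLS for every workload in the namespace. A caller without a mesh
#    certificate (including one that merely sources traffic from an allowed IP)
#    is rejected before any AuthorizationPolicy is evaluated.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: partner-api
spec:
  mtls:
    mode: STRICT
---
# 2. Before: trust is tied to an address. Anything behind the partner NAT, or
#    anything able to spoof or reach through that range, is allowed.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: settlement-ip-allowlist-before
  namespace: partner-api
spec:
  selector:
    matchLabels:
      app: settlement
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks: ["203.0.113.0/24"]   # assumed partner NAT range
---
# 3. After: trust is tied to the caller's X.509 identity issued by the mesh CA,
#    expressed as the SPIFFE ID without its "spiffe://" prefix. Scope is also
#    narrowed to the one operation the partner needs.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: settlement-identity-after
  namespace: partner-api
spec:
  selector:
    matchLabels:
      app: settlement
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - "cluster.local/ns/partner-acme/sa/acme-gateway"   # assumed caller identity
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/settlements"]
```

Apply the PeerAuthentication first and watch for callers that lack a sidecar; STRICT mode cuts them off, so legacy VMs or non-mesh jobs need to be onboarded before the switch. Keep only one of the two AuthorizationPolicy objects on a real workload: with two ALLOW policies present, a request matching either is allowed, so the IP rule would silently keep the old trust model alive. `istioctl x authz check <pod>` lists the policies a sidecar has actually loaded, and `istioctl analyze -n partner-api` catches malformed selectors or principals. Partner traffic that enters from outside the mesh is a separate case: there the ingress Gateway terminates mutual TLS against the partner's client certificate, which this example does not cover.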
Moving large scale consumer e-commerce Infrastructure to Mesh
  Snippet: … users ● User requests over 10 billion per month ● Internet egress bandwidth over 100 TB/month ● Internal egress bandwidth ~2 PB/month #IstioCon Architecture Overview ● User traffic infrastructure … injection by namespace or on-demand ● Passthrough mode during rollout ● Service entry to connect internal proxy ● Kubernetes Cluster-IP services deployed across clusters #IstioCon Rollout - Istio setup
  14 pages | 1.76 MB | 1 year ago

Service mesh security best practices: from implementation to verification
  Snippet: … Credential (token, cookie, etc) 2. Exchange external credential to internal token to defend against token replay attacks. Internal JWT; mTLS; Edge security; Cluster security best practices: access control
  29 pages | 1.77 MB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
  Snippet: Access Point Spec ● Create the Specs on our Global Control Plane ● Realized on hardware LBs ● Internal orchestration & UI tools to use Access Point specs ● Standardization provides flexibility to … different environments #IstioCon Step 4: Evolving Security ● Origin or Request Authentication ○ Internal OpenID implementation for origin authentication ○ Plan to integrate with Istio #IstioCon How …
  22 pages | 505.96 KB | 1 year ago

Istio Security Assessment
  Snippet: … read or modify some unauthorized data on a system, deny access to that system, or gain significant internal technical information. Low: Attackers can gain small amounts of unauthorized information or slightly … schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://github.com/kubernetes/community/b…
  51 pages | 849.66 KB | 1 year ago

宋净超 从开源 Istio 到企业级服务：如何在企业中落地服务网格 (Song Jingchao, From open-source Istio to enterprise-grade services: how to adopt a service mesh in the enterprise)
  Snippet: … Native; Bare metal; VMs; Kubernetes; VMs ● Monolith was decoupled to Microservices ● External and internal traffic starts to look less and less different from the perspective of a developer building and …
  30 pages | 4.79 MB | 6 months ago

10 results in total, page 1