Istio Security Assessment
… communication, manages TLS certificates, provides workload identity, and includes a built-in authorization system facilitated by its control plane. The goal of the assessment was to identify security issues related … Certificates; 019 Low: Default Injected Init Container Requires Sensitive Capabilities; 021 Low: Execution of System Commands without Validation; 008 Informational: Weak Trust Boundary Between Workload Container and … enforce all network communications use mTLS (or at minimum, TLS) for communications within the istio-system namespace / control plane. As mentioned in finding NCC-GOIST2005-002 on page 13, there are debug …
51 pages | 849.66 KB | 1 year ago
SberBank story: moving Istio from PoC to production
(slide text) Event Hub, DBs, SERVICE MESH, Istio Ingress, Istio Egress, Other External Services, Tracing Store, Logging Store, LB; timeline: January 2019 PoC, March 2020 PROD; stages: Innovation trigger, Peak of inflated Expectations, Disillusionment, Slope of Enlightenment, Plateau of Productivity; Istio 1.1 on OCP 4.1, then OCP 4.4; "Don't Forget about HA & DR"; "Think about Multi-Tenancy"
14 pages | 1.68 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
… Golang … 1 vulnerability found that affected Google's managed Istio offering … 11 issues found: 5 system resource exhaustion; 1 arbitrary file write; 1 missing file close; 1 certificate skipping … including authentication bypass, reading sensitive information, writing files to the underlying file system, exploiting logical errors. The security components have limited functionality, and it should not … writing to arbitrary file paths. A header.Name containing patterns such as .. could traverse the file system and perform out-of-bounds file writes. https://github.com/istio/istio/blob/d0705cf0ed5591cc26c080 …
55 pages | 703.94 KB | 1 year ago
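The audit snippet above describes an arbitrary file write reached through a header.Name value containing "..". The following Go program is an added example, not the audit's or Istio's code: it shows the unvalidated join beside a hardened one that refuses any name resolving outside the base directory. The base directory, the sample names and the helper names (UnsafeJoin, SafeJoin) are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned when a client-supplied name would resolve
// outside the intended output directory.
var ErrUnsafePath = errors.New("unsafe path: escapes base directory")

// UnsafeJoin mirrors the pattern the audit snippet describes: the untrusted
// name is appended to the base directory with no validation, so a name
// containing ".." resolves outside base. Kept only for contrast; do not use.
func UnsafeJoin(base, name string) string {
	return filepath.Join(base, name)
}

// SafeJoin resolves name under base and rejects any result that does not
// stay inside base. It refuses empty and absolute names up front, then
// checks the cleaned relative path for a leading ".." component, which is
// the only way a cleaned path can point above base.
func SafeJoin(base, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", ErrUnsafePath
	}
	cleanBase := filepath.Clean(base)
	joined := filepath.Join(cleanBase, name) // Join cleans, collapsing "a/../b" to "b"
	rel, err := filepath.Rel(cleanBase, joined)
	if err != nil {
		return "", ErrUnsafePath
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return joined, nil
}

func main() {
	// Constructed sample names standing in for a header.Name field received
	// from an untrusted client; not data taken from the audit.
	names := []string{"filter.wasm", "sub/../filter.wasm", "../../etc/cron.d/evil", "/etc/passwd", ".."}
	const base = "/var/lib/istio/cache" // assumed output directory
	for _, n := range names {
		safe, err := SafeJoin(base, n)
		if err != nil {
			fmt.Printf("%-25q unsafe join -> %s   REJECTED (%v)\n", n, UnsafeJoin(base, n), err)
			continue
		}
		fmt.Printf("%-25q accepted -> %s\n", n, safe)
	}
}
```

The prefix check on the relative path, rather than a string search for "..", is what makes the guard robust: a legitimate name such as "sub/../filter.wasm" is accepted because it cleans to a location inside base, while "a/../../b" is rejected even though each ".." on its own looks harmless.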
Canary Release Practice for Kubernetes Container Applications Based on Istio (Kubernetes容器应用基于Istio的灰度发布实践)
… Service, Endpoint, Endpoint, Istio … Istio & Kubernetes: Mixer attribute; Mixer, proxy, svc, proxy, svc; Logging Backend, Quota Backend, Auth Backend, Metric Backend; Prometheus, AWS, New Relic, Huawei-APM … apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: requestduration namespace: istio-system spec: value: response.duration | "0ms" dimensions: source_service: source.service | "unknown" …
38 pages | 14.93 MB | 1 year ago
Canary Release Practice for Kubernetes Container Applications Based on Istio (Kubernetes容器应用基于Istio的灰度发布实践)
… Endpoint, Endpoint, Istio … Istio & Kubernetes: Mixer attribute; Mixer, proxy, svc, proxy, svc; Logging Backend, Quota Backend, Auth Backend, Metric Backend; Prometheus, AWS, New Relic, Huawei-APM … apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: requestduration namespace: istio-system spec: value: response.duration | "0ms" dimensions: source_service: source.service | "unknown" …
34 pages | 2.64 MB | 6 months ago
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
… Create a private registry login Secret ● After obtaining the private registry login credentials, create the Secret with the following command ○ kubectl create secret generic asmwasm-cache -n istio-system --from-file=.dockerconfigjson=myconfig.json --type=kubernetes.io/dockerconfigjson … you can log into the proxy container to check whether the wasm filter was mounted successfully 2. Adjust the wasm log level: curl -X POST http://localhost:15000/logging?wasm=debug … #IstioCon
23 pages | 2.67 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
… Flink, etc. ○ Machine Learning Platforms - Tensorflow, PyTorch, Jupyter Notebook, etc. ○ Central Logging & Tracing - Prometheus, ClickHouse, etc. ○ Messaging systems - Kafka, RabbitMQ, etc. ○ Programming … (Peer AuthN) using mutual TLS ○ Leverage SPIFFE Trust Domain ■ Trust Domain: Trust root of the system having separate root CA ■ Each workload gets unique identity based on K8s Service account - spiffe:// …
22 pages | 505.96 KB | 1 year ago

Istio as an API Gateway
… Traffic Splitting ● Canary Deployment ● Traffic Mirroring ● Rate Limiting ● TLS Termination ● Logging, Monitoring, Tracing … API Gateway + Service Mesh together! … Limitations of This Approach ● Maintaining …
27 pages | 1.11 MB | 1 year ago

Istio Meetup China: Service Mesh Security, Understanding Istio CNI (服务网格安全 理解 Istio CNI)
… container through nsenter; Check CNI logs in kubelet (journalctl); Will do: grafana board; istio CNI logging on daemonset; istioctl scanning tool designed for CNI; Repair controller; Valid through istio-init …
19 pages | 3.17 MB | 1 year ago

Service mesh security best practices: from implementation to verification
… AuthN/Z, Data Loss Prevention, Certificate Authority, K8s Network Policy, K8s RBAC, Audit Logging, Image Verification, Admission Control, Workload Identity, K8s RBAC, K8s CNI, AuthZ Policy …
29 pages | 1.77 MB | 1 year ago
24 results in total