Istio audit report - ADA Logics - 2023-01-30 - v1.0
threat model of Istio to guide the security audit as well as future security audits. 2. Carry out a manual code audit for security issues. 3. Review the fixes for the issues found in an audit from 2020. 4 security advisories are clear and detailed. ● Security fixes include regression tests. After the manual auditing commenced, the auditing team found that the Istio team had prioritised security-sensitive available memory. https://github.com/istio/istio/blob/69b1e0f7bc04fcc6f32f0eab8c796cfed78b4c02/pkg/wasm/httpfetcher.go#L138 // wasm
0 credits | 55 pages | 703.94 KB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
APIs Istio enables learning tests from API usage Learnt by Mesh API Studio Third-party apps Manual QA trace: r trace: r trace: r trace: r CI Pipeline | CONFIDENTIAL 9 Process flow using External APIs Creating test suites from API traffic Created by Mesh API Studio Third-party apps Manual QA trace: r trace: r trace: r trace: r CI Pipeline | CONFIDENTIAL 16 ML-assisted Context
0 credits | 21 pages | 1.09 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
proxy 5. xDS ■ Traffic forwarded to ingress in the mesh ● Traffic flow (Container -> VM) 1. Manual registration istioctl -n onprem register mysql 1.2.3.4 3306 #IstioCon V1.1 Introducing Service
0 credits | 50 pages | 2.19 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
container is using more than 700m CPU 24 Define HPA target for multi-containers pods Stabilizing Istio CPU: 1 Pod App container Sidecar container CPU: 100m Container requests HPA configuration multi-containers pods Stabilizing Istio CPU: 1 Pod App container Sidecar container CPU: 100m Container resources HPA configuration (70% CPU) metrics: - type: Resource resource: name: Utilization averageUtilization: 70 Will trigger when the container is using more than 770m CPU 26 Define HPA target for multi-containers pods Stabilizing Istio Two options: 1. Make the
0 credits | 69 pages | 1.58 MB | 1 year ago
Istio Security Assessment
istio/istio/mixer/adapter/prometheus/prometheus.go (line 24) func computeSha(m proto.Marshaler, log adapter.Logger) [sha1.Size]byte { ba, err := m.Marshal() if err != nil { log.Warningf("Unable to encode %v", err) listen for packets received by the Envoy proxy or inject raw packets that bypass Istio’s iptables -m owner filtering. • Inbound port bypass: By default, Istio’s sidecar iptables inbound redirection rules nsenterArgs := []string{ netnsArg, nsSetupExecutable, "-p", rdrct.targetPort, "-u", rdrct.noRedirectUID, "-m", rdrct.redirectMode, "-i", rdrct.includeIPCidrs, "-b", rdrct.includePorts, "-d", rdrct.excludeInboundPorts
0 credits | 51 pages | 849.66 KB | 1 year ago
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
Upstream Filter Chain Extend with custom filters, configured dynamically through the xDS API L4 Network Filters L7 Http Filters 3 Listener & Filters before outbound services Listener Downstream Filter Filter Filter Cluster Upstream Filter Filter Chain Listener Downstream Filter Filter Filter Cluster Upstream Filter Chain 4 Envoy filters used in the actual example Listening on port 9080 envoy.filters.network.metadata_exchange envoy.http_connection_manager Cluster
0 credits | 23 pages | 2.67 MB | 1 year ago
Preserve Original Source Address within Istio
PREROUTING -p tcp -m mark --mark 0x539 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff # mark connection 1337 according to packet sent to application -A OUTPUT -p tcp -m connmark --mark
0 credits | 29 pages | 713.08 KB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Scale Testing ● Future Direction #IstioCon Introduction: eBay at a glance 185M Number of Active Buyers worldwide 19M Number of Sellers worldwide 1.7B Number of Live Listings $26.6B GMV in Q4 2020
0 credits | 22 pages | 505.96 KB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
Y, min=3, max=20 Istiod 1 vCPU 1 vCPU 2 Gi 4 Gi Y, min=3, max=6 Knative Networking-istio 30m 80Mi 900m 2 Gi N #IstioCon Istio scalability optimization during Knative Service provisioning • Detect
0 credits | 23 pages | 2.51 MB | 1 year ago
Istio Service Mesh at Enterprise Scale
Joshi Istio Service Mesh at Enterprise Scale Feb, 2021 Who are we? Founded 5,000 Developers 50M Customers 1993 IPO $6.8B FY19 Revenue 20 Locations 1983 Why Service Mesh? Microservices
0 credits | 12 pages | 1.23 MB | 1 year ago