Istio Security Assessment
user or application would not be able to tell the difference between the legitimate and malicious files based on the hash. The following hash functions are not considered cryptographically secure and should &pos), }, nil • istio/istio/mixer/adapter/prometheus/prometheus.go (line 24) func computeSha(m proto.Marshaler, log adapter.Logger) [sha1.Size]byte { ba, err := m.Marshal() if err != nil { log.Warningf("Unable project source code, NCC found that the code wrote files to disk in such a way that allowed anyone who had access to the system to access these files. These files included private keys that could be used by a
0 credits | 51 pages | 849.66 KB | 1 year ago

Building resilient systems inside the mesh: abstraction and automation of Virtual Service generation
Service config. ● Hard to manage when having hundreds of services. #IstioCon Abstracting to proto files Annotations API definition Greeting service example #IstioCon Please Build System ● https://github
0 credits | 9 pages | 1.04 MB | 1 year ago

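Analysis of the Principles of Istio Control Plane Components
• How configuration changes are triggered to take effect; differences between the v1 and v2 versions. V1: HTTP1, REST, JSON/YAML, weakly typed, polling, SDS/CDS/RDS/LDS, laid the foundation of the control plane. V2: HTTP2, GRPC, Proto3, strongly typed, Push, SDS/CDS/RDS/LDS/HDS/ADS/KDS, a strong partnership with Google. Official blog: The universal data plane API. Caching Istio and k8s configuration
0 credits | 30 pages | 9.28 MB | 6 months ago
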
Istio audit report - ADA Logics - 2023-01-30 - v1.0
exceed their trust boundaries including authentication bypass, reading sensitive information, writing files to the underlying file system, exploiting logical errors. The security components have limited functionality the file contents to a main.go file and run it with go run main.go. Careful: This will overwrite files on the system. package main import ( "archive/tar" "bytes" "compress/gzip" "fmt" outFile.Close() Exploitation An attacker could exploit this by forcing Istio to open a large number of files and thus exhaust system resources resulting in Denial of Service. 25 Istio Security Audit, 2023
0 credits | 55 pages | 703.94 KB | 1 year ago

Istio-redirector: the way to go to manage thousands of HTTP redirections
configuration Deploy to production 1 4 2 3 Istio-redirector takes the .csv files and generates the Istio VirtualService files. Then, it automatically creates the Pull Request on GitHub on on our csv Importing the file Generating the Istio configuration Deploy to production 1 2 3 4 The files are reviewed, merged and deployed! How does it work? #IstioCon >26k redirections are now running
0 credits | 13 pages | 1.07 MB | 1 year ago

Apache Kafka with Istio on K8s
private-key and certificate pairs • Private keys and certificates are stored in keystore and truststore files in JKS or PKCS12 or PEM format Challenges – Kafka broker SSL with client auth 5 • Certificate truststore regeneration • Broker pods need restarting to pick up the modified keystore and truststore files • May cause service degradation Challenges – Certificate renewal 6 • Client certificates has be
0 credits | 14 pages | 875.99 KB | 1 year ago

How HP set up secure and wise platform with Istio
traffic in a configurable set of formats #IstioCon Excellent Observability - Access logs Log Files Parse Istio-proxy Log • Each API Access Count • Each API Fail Rate • Each API Latency Easy to
0 credits | 23 pages | 1.18 MB | 1 year ago

Istio is a long wild river: how to navigate it safely
frequency ● Proxies are heavily CPU throttling and consuming CPU without traffic ● Envoy configuration files are > 100K Lines 33 A full mesh is utopian, know what you need only Stabilizing Istio In fact
0 credits | 69 pages | 1.58 MB | 1 year ago