Istio Security Assessment
... managing Istio within a Kubernetes cluster. This tool has a few built-in profiles [6]: • remote: multi-cluster remote control plane setup • default: default settings of the IstioOperator API • demo: enables ... if this port were not granted a short-circuit, Istio's sidecar Envoy proxy process exposes its administration interface on port 15000. This API exposes a POST /quitquitquit route that will cause Envoy to ... future versions of Istio, when a DestinationRule or similar client-side configuration declaring a remote TLS resource is processed, any configuration that does not explicitly disable TLS certificate validation ...
51 pages | 849.66 KB | 1 year ago
Istio in a production environment
k8s production environment. Line Moseng (@linemoseng), Johnny Horvi, Norwegian Labour and Welfare Administration. 5,2 million. nais.io, github.com/nais. CD, metrics, alerts, deploy, cache, events, logs.
42 pages | 3.45 MB | 1 year ago
Local Istio Development
Challenging to have multiple proxies. #IstioCon. Remote Istiod, local proxy (cluster): go run ./pilot/cmd/pilot-agent ... + Rapid ... Local Istiod, remote proxy (cluster): go run ./pilot/cmd/pilot-discovery ...
16 pages | 424.31 KB | 1 year ago
Preserve Original Source Address within Istio
"envoy.filters.listener.original_src": The original source listener filter replicates the downstream remote address of the connection on the upstream side of Envoy. For example, if a downstream connection ... use_remote_address: Envoy will only append to XFF if the use_remote_address HTTP connection manager option is set to true and skip_xff_append is set to false. xff_num_trusted_hops: If use_remote_address ...
29 pages | 713.08 KB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
... traffic listening on the same port ○ workaround: `resolution: NONE` ● Resolving DNS for services in remote clusters. #IstioCon. Role of DNS in Istio, Today: 1. DNS query httpbin.ns1.svc.cluster.local 2. ... isolation w/ host ● CapEx, OpEx. #IstioCon. RDMA (Remote Direct Memory Access) ● Advanced transport protocol (same layer as TCP and UDP) ● Main features ○ Remote memory r/w semantics in addition to send/receive ...
50 pages | 2.19 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
This will run out of memory before disk space. See issue 5 case 1. // DownloadTo downloads from remote srcURL to dest local file path ... out-of-bounds file write vulnerability. If the Operator runs with high privileges, this could lead to remote code execution. Even without sudo privileges, the vulnerability could have multiple attack vectors ...
55 pages | 703.94 KB | 1 year ago
Service mesh security best practices: from implementation to verification
... control access to services. Deploy a web application firewall to defend against DDoS, injection, and remote execution attacks. Edge security, Egress: 2. Define egress security policies to defend against ...
29 pages | 1.77 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
... have the service mesh span all clusters in an AZ ○ Re-deployed Istio to the AZ cluster ○ In Primary-Remote configuration within an AZ. AZ Cluster: Ingress Gateways, API Server, Istiod, East-West Gateway ...
22 pages | 505.96 KB | 1 year ago