Istio Security Assessment
Excerpt: … communication, manages TLS certificates, provides workload identity, and includes a built-in authorization system facilitated by its control plane. The goal of the assessment was to identify security issues related … Certificates … 019 Low: Default Injected Init Container Requires Sensitive Capabilities … 021 Low: Execution of System Commands without Validation … 008 Informational: Weak Trust Boundary Between Workload Container and … enforce all network communications use mTLS (or at minimum, TLS) for communications within the istio-system namespace / control plane. As mentioned in finding NCC-GOIST2005-002 on page 13, there are debug …
51 pages | 849.66 KB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
Excerpt: Service vs. Endpoints … Service Entry: an entry that Istio maintains internally, describing the properties of a service, internal/external to the mesh: DNS name; VIPs, ports, protocols; Endpoints … DNS query httpbin.ns1.svc.cluster.local … 2. Cached DNS response – 10.4.4.4 … DNS queries to the system configured name servers. Envoy does not use the agent’s DNS cache. … http req to 10.4.4.4 GET /status/200
50 pages | 2.19 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
Excerpt: Golang … 1 vulnerability found that affected Google's managed Istio offering … 11 issues found: 5 system resource exhaustion, 1 arbitrary file write, 1 missing file close, 1 certificate skipping … including authentication bypass, reading sensitive information, writing files to the underlying file system, exploiting logical errors. The security components have limited functionality, and it should not … writing to arbitrary file paths. A header.Name containing patterns such as .. could traverse the file system and perform out of bounds file writes. https://github.com/istio/istio/blob/d0705cf0ed5591cc26c080
55 pages | 703.94 KB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
Excerpt: Component testing: test a set of services as a single sub-system while isolating them from other services, for example payment processing system | CONFIDENTIAL 5 … Current approaches do not scale with … Capture traces for E2E test requests; create tests & mocks for all services; configure system under test; forward egress requests to mock services … Capturing API interactions is effort intensive … Solution: ML-driven identification of candidate relationships; supervised system to accept true positives; no code! … ML-assisted Assertion Rule Learning
21 pages | 1.09 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
Excerpt: Injecting sidecars, HTTP/2 LoadBalancing; traffic shifting for canaries … Build confidence in the system and understanding of Istio. Then you can onboard some users, get feedback, improve, rinse and repeat … The Sidecar CRD to save the mesh … Stabilizing Istio: the Sidecar CRD (Custom Resource Definition) … Only Istio and the local namespace configuration is pushed to namespace-local proxies: Listeners …
Sidecar resource fragment shown on slide 35 (the same fragment appears twice in the deck):
  name: default
  namespace: mercari-echo-jp-dev
  spec:
    egress:
    - hosts:
      - ./*
      - istio-system/*
69 pages | 1.58 MB | 1 year ago
Set Sail for a Ship-Shape Istio Release
Excerpt: Release Notes tooling; Feature Maturity Process; Release Maturity Process … #IstioCon … Old System. Expectation: maintainers would populate a Google docs draft throughout a release which is finalized … note. If it doesn't, then the developer can check a box and the pull request will merge. … New System: Release Notes … Release Notes: As a result… release notes are thought of up-front
18 pages | 199.43 KB | 1 year ago
How Istio's Control Plane Components Work (Istio控制平面组件原理解析)
Excerpt: P//rBQDqg=="} … req.DefaultWords: ["istio-pilot.istio-system.svc.cluster.local", "kubernetes://istio-pilot-8696f764dd-fqxtg.istio-system", "3a7a649f-4eeb-4d70-972c-ad2d43a680af", "172.00.00.000"
30 pages | 9.28 MB | 6 months ago
Secure your microservices with Istio step by step
Excerpt (two policy fragments, as they appear in the deck):
  istio.io/v1beta1"
  kind: "RequestAuthentication"
  metadata:
    name: "jwt-example"
    namespace: istio-system
  spec:
    selector:
      matchLabels:
        istio: ingressgateway
    jwtRules:
    - issuer: testing@secure
  …
  security.istio.io/v1beta1
  kind: AuthorizationPolicy
  metadata:
    name: require-jwt
    namespace: istio-system
  spec:
    action: ALLOW
    rules:
    - from:
      - source:
          requestPrincipals: ["testing@secure
34 pages | 67.93 MB | 1 year ago
Building resilient systems inside the mesh: abstraction and automation of Virtual Service generation
Excerpt: Abstracting to proto files: annotations, API definition, Greeting service example … #IstioCon … Please Build System: https://github.com/thought-machine/please; uses BUILD and allows for creation of miscellaneous
9 pages | 1.04 MB | 1 year ago
Istio Project Update
Excerpt: Istio simplify install helm3 … #IstioCon … Pilot, Mixer, Citadel, Node Agent, Injector, Galley (istio-system); Node, Pod, Sidecar, Pilot Agent; Ingress, Egress … Istio Single Cluster Simplified … Service
22 pages | 1.10 MB | 1 year ago
19 results in total