Service mesh security best practices: from implementation to verification
Anthony Roman, Lei Tang Google April 26, 2022 Service mesh security best practices: from implementation to verification Who are we? Anthony Roman Istio Github: anthony-roman Lei Tang Istio lei-tang Session agenda 1. Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture architecture ● Attack vectors. ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster
0 points | 29 pages | 1.77 MB | 1 year ago | 3
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
How eBay is building a massive Multitenant Service Mesh using Istio Sudheendra Murthy #IstioCon Agenda ● Introduction ● Applications Deployment ● Service Mesh Journey ● Scale Testing ● Future Direction catering to the AZ, e.g., AZ IPAM, Network Load-balancers, etc. ■ Full isolation by confining service failures to AZ boundary AZ 1 AZ 2 AZ n Data Center DC1 K8s Cluster K8s Cluster K8s balancing & Traffic Flow ● Two tiers of hardware Load-Balancers (LB) ● Application-Tier LB ○ K8s service realized on Application-Tier LBs ● Web-Tier LB to control - ○ Percentage of traffic sent to an
0 points | 22 pages | 505.96 KB | 1 year ago | 3
Apache Cassandra™ 10 Documentation February 16, 2012
Understanding the Cassandra Architecture 8 About Internode Communications (Gossip) 8 About Cluster Membership and Seed Nodes 9 About Failure Detection and Recovery 9 About Data Partitioning in Cassandra Node 42 Starting/Stopping Cassandra as a Stand-Alone Process 42 Starting/Stopping Cassandra as a Service 42 Upgrading Cassandra 43 Best Practices for Upgrading Cassandra 43 Upgrading Cassandra: 0.8.x listen_address 70 partitioner 71 rpc_address 71 rpc_port 71 saved_caches_directory 71 seed_provider 71 seeds 71 storage_port 71 endpoint_snitch 71 Performance Tuning Properties 72 column_index_size_in_kb
0 points | 141 pages | 2.52 MB | 1 year ago | 3
DBeaver Ultimate User Guide v24.2.ea
Master password provider Select from various providers. Options include: OS X Keystore Integration for macOS users. Windows Integration for Windows users. DBeaver Master Password provider (default), which Ultimate User Guide 24.2.ea. Page 77 of 1171. 1. 2. operating system. When using the provider, you will be prompted to specify a master password. DBeaver Master Password Change Passwords If store it in DBeaver password provider or use a generated password from your local password provider (for instance, OS X Keystore Integration or Windows integration provider). Learn more about the Master
0 points | 1171 pages | 94.65 MB | 1 year ago | 3
DBeaver User Guide v24.2.ea
Master password provider Select from various providers. Options include: OS X Keystore Integration for macOS users. Windows Integration for Windows users. DBeaver Master Password provider (default), which DBeaver User Guide 24.2.ea. Page 77 of 1171. 1. 2. operating system. When using the provider, you will be prompted to specify a master password. DBeaver Master Password Change Passwords If store it in DBeaver password provider or use a generated password from your local password provider (for instance, OS X Keystore Integration or Windows integration provider). Changing database password
0 points | 1171 pages | 94.79 MB | 1 year ago | 3
DBeaver Lite User Guide v24.2.ea
Master password provider Select from various providers. Options include: OS X Keystore Integration for macOS users. Windows Integration for Windows users. DBeaver Master Password provider (default), which DBeaver Lite User Guide 24.2.ea. Page 75 of 1010. 1. 2. operating system. When using the provider, you will be prompted to specify a master password. DBeaver Master Password Change Passwords If store it in DBeaver password provider or use a generated password from your local password provider (for instance, OS X Keystore Integration or Windows integration provider). Learn more about the Master
0 points | 1010 pages | 79.48 MB | 1 year ago | 3
Ubuntu Desktop Training 2009
the surrounding infrastructure. The pre-requisites to connect to the Internet are an Internet Service Provider (ISP) subscription and a functional Internet connection in your area. Configuring the Internet 6. Network Settings Now, you can connect to the Internet by using the cable. If your internet provider uses DHCP (Dynamic Host Connection Protocol) you simply need to select Automatic Configuration (DHCP) which maps a host name to an IP address successfully. For this, select the Use the Internet service provider nameservers check box. If the Internet connection breaks, your modem will automatically try
0 points | 428 pages | 57.45 MB | 1 year ago | 3
Istio 2021 Roadmap A heartwarming work of staggering predictability
New extension capabilities ○ WebAssembly (Wasm) support ● Secure by default ○ Secret Discovery Service (SDS) ○ Auto mTLS ● API and feature promotion ○ Networking/Security APIs ○ Virtual Machine expansion/Multi https://istio.io/latest/blog/2020/tradewinds-2020/ #IstioCon Impact on users https://thenewstack.io/when-service-meshes-can-emerge-from-envoy-istio-shadows/ #IstioCon Listening to our users UX Working Group on Developer workflow ○ Discovery of Wasm extensions ● External AuthZ extensions ● Telemetry provider extension APIs https://istio.io/latest/blog/2020/tradewinds-2020/ #IstioCon Operational Excellence
0 points | 17 pages | 633.89 KB | 1 year ago | 3
Django CMS 3.11.10 Documentation
in version 4.2. Django CMS is headless-ready. This means that you can use django CMS as a backend service to provide content to the frontend technology of your choice. Traditionally, django CMS serves the Headless support Django CMS 5.0.0 is headless-ready, allowing you to use django CMS as a backend service to provide content to the frontend technology of your choice. Traditionally, django CMS serves the contribution Drive adoption The best way to donate is to become a member of the association and pay membership fees. The funding is funneled back into core development and community projects. Sign up for more
0 points | 493 pages | 1.44 MB | 6 months ago | 0.03
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
Istio scalability optimization during Knative Service provisioning ○ Unleash maximum scalability by fully leveraging Istio features in Knative with service mesh enabled ● Reference Agenda #IstioCon an Ingress Gateway • By default, Knative does not enable service mesh, it uses Istio as an Ingress Gateway. • Enable Secret Discovery Service (SDS) to monitor and mount secrets under istio-system to ingress and knative-local-gateway for cluster local access. They use Istio gateway service istio-ingressgateway as its underlying service. Knative Activator or Application Front door design #IstioCon - Traffic
0 points | 23 pages | 2.51 MB | 1 year ago | 3
17 results in total