Service mesh security best practices: from implementation to verification
Ingress: token exchange. 1. Istio authentication and authorization policies for every service: mTLS to defend against data exfiltration; deny by default. Credential (token, cookie, etc.). 2. Exchange the external credential for an internal token to defend against token replay attacks. Internal JWT; mTLS. Edge security. Cluster security best practices: access control. Service 2; Service 1. 1. Ensure traffic Verify. Demo: mesh security lifecycle. Sleep, Proxy, Httpbin, Proxy; Namespace foo; mTLS. Demo: security lifecycle. Concepts: Secure, Monitor, Enforce, Verify. Demo: mesh security lifecycle.
0 credits | 29 pages | 1.77 MB | 1 year ago
Using Istio to Build the Next 5G Platform
workloads, devices, etc. Encrypting inter-CNF traffic via mutual TLS (mTLS). Option to encrypt intra-CNF traffic via mTLS. Autonomous PKI service for certificate lifecycle management at scale. What CA
● Enable ECC certificates
● Configure workload certificate TTLs
● Enable strict mutual TLS (mTLS) instead of auto
● Use dedicated egress gateways
Tuning Istio to Meet 5G Security Requirements
0 credits | 18 pages | 3.79 MB | 1 year ago
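The two results above only name the controls (strict mTLS instead of the permissive "auto" default, deny by default, validating the external credential at the ingress and never letting it travel into the mesh, service identity rather than network position). As an added example, not taken from either deck, the following Istio resources implement those controls for the `sleep` and `httpbin` workloads in namespace `foo` that the first deck's demo uses; the identity provider issuer and JWKS URL, the label selectors and the allowed paths are assumptions for illustration.

```yaml
# Added example (not from either slide deck). Apply with: kubectl apply -f mesh-security.yaml
#
# 1. Strict mTLS mesh-wide. The default mode, PERMISSIVE (the "auto" the 5G deck
#    warns about), still accepts plaintext, so any sidecar-less pod in the cluster
#    can reach a service without a workload identity. STRICT closes that path.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system        # root namespace => applies to the whole mesh
spec:
  mtls:
    mode: STRICT
---
# 2. Deny by default. An AuthorizationPolicy with an empty spec in the root
#    namespace selects every workload and allows nothing; from here on every
#    permitted call must be opened by an explicit ALLOW policy.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: istio-system
spec: {}
---
# 3. Ingress: validate the external credential (a JWT) at the edge.
#    Issuer and JWKS URL are assumptions; use your identity provider's values.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: ingress-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "https://idp.example.com"                          # assumption
    jwksUri: "https://idp.example.com/.well-known/jwks.json"   # assumption
    forwardOriginalToken: false   # strip the external token; it must not reach internal services
---
# RequestAuthentication alone only rejects requests carrying an *invalid* token;
# a request with no token at all still passes. Requiring a request principal
# makes the token mandatory at the ingress gateway.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-require-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["https://idp.example.com/*"]   # <issuer>/<subject>, any subject of this issuer
---
# 4. Service to service: only sleep may call httpbin in namespace foo, identified
#    by its SPIFFE identity (Kubernetes service account carried in the mTLS
#    certificate), not by IP or network position, and only for the listed paths.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-allow-sleep
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/foo/sa/sleep"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/headers", "/ip"]   # assumed allow-list
```

Two caveats a practitioner should check after applying this. First, the verification step the first deck's title promises is cheap to do by hand: with `STRICT` in force, a plaintext `curl` from a pod that has no sidecar is reset before any HTTP response, and a call from a mesh workload that no ALLOW rule covers gets HTTP 403 with the body `RBAC: access denied`; if either still succeeds, a namespace- or workload-level `PeerAuthentication` or a broader ALLOW policy is overriding the mesh-wide defaults. Second, the "exchange external credential for internal token" step from the first deck is not something these resources perform on their own: the configuration above validates and strips the external token at the edge, after which downstream services trust the caller's mTLS identity and whatever the gateway or an identity-aware proxy mints for the internal hop; the minting component is outside Istio's built-in API.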
Is Your Virtual Machine Really Ready-to-go with Istio?
it was a service in your mesh ■ Traffic redirect and forward ■ Retry, timeout, fault injection, mTLS policies ■ VM service, multicluster Istio mesh support ● Service + Endpoints ○ Usually for internal V1.6-1.8 Better VM Workload Abstraction ● Workload Entry ○ single non-Kubernetes workload ○ mTLS using service account ○ works with an Istio ServiceEntry ● Workload Group ○ a collection of non-K8s the app) ■ Circuit detection and outlier detection (reliability) etc. ■ Pervasive security (via mTLS) ■ Extensibility (to cherry pick extensions) [1] Service Mesh use cases for Telco and Edge – Google
0 credits | 50 pages | 2.19 MB | 1 year ago
Istio 2021 Roadmap: A heartwarming work of staggering predictability
capabilities ○ WebAssembly (Wasm) support ● Secure by default ○ Secret Discovery Service (SDS) ○ Auto mTLS ● API and feature promotion ○ Networking/Security APIs ○ Virtual Machine expansion/Multi cluster
0 credits | 17 pages | 633.89 KB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
features in Knative with service mesh enabled • Enable Istio mesh on Knative – Data flow with Istio mesh/mTLS #IstioCon o Init-container added, which costs ~5 seconds of Knative application pod cold start.
0 credits | 23 pages | 2.51 MB | 1 year ago
5 results in total