access to and from external services, tradi�onal CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from applica�on containers to par�cular IP ranges kubectl -n kube-system exec cilium-1c2cz -- cilium endpoint list ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source: ENFORCEMENT ENFORCEMENT 108 Disabled kubernete k8s:org=empire Both ingress and egress policy enforcement is s�ll disabled on all of these pods because no network policy has been imported

access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular IP ranges (beta) Kata Containers with Cilium Configuring IPAM modes Local Redirect Policy (beta) BGP (beta) Egress Gateway (beta) Cluster Mesh Setting up Cluster Mesh Load-balancing & Service Discovery Network kubectl -n kube-system exec cilium-1c2cz -- cilium endpoint list ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS

access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular IP ranges kubectl -n kube-system exec cilium-1c2cz -- cilium endpoint list ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS namespace=default k8s:org=empire Both ingress and egress policy enforcement is still disabled on all of these pods because no network policy has been imported

access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular IP ranges (beta) Kata Containers with Cilium Configuring IPAM modes Local Redirect Policy (beta) BGP (beta) Egress Gateway (beta) CiliumEndpointSlice (beta) Cluster Mesh Setting up Cluster Mesh Load-balancing & kubectl -n kube-system exec cilium-1c2cz -- cilium endpoint list ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS

access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular IP ranges kubectl -n kube-system exec cilium-1c2cz -- cilium endpoint list ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS namespace=default k8s:org=empire Both ingress and egress policy enforcement is still disabled on all of these pods because no network policy has been imported

access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular IP ranges kubectl -n kube-system exec cilium-1c2cz -- cilium endpoint list ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS namespace=default k8s:org=alliance Both ingress and egress policy enforcement is still disabled on all of these pods because no network policy has been imported

access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular IP ranges kubectl -n kube-system exec cilium-1c2cz -- cilium endpoint list ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS namespace=default k8s:org=alliance Both ingress and egress policy enforcement is still disabled on all of these pods because no network policy has been imported

Pilot: The service running within the istiod service that handles service discovery. • Istio Ingress/Egress: Networking controls allowing inbound and outbound access of Istio services. • Istio Envoy Usage: with a Sidecar Impact If an Istio user relies on the Envoy sidecar for network restrictions such as egress controls, an attacker can bypass this sidecar and easily evade these controls. Description Istio can provide may be unclear to users especially when relying on features like REGISTRIES_ONLY7 or Egress policies. A service mesh is different than a CNI in that one facilitates communications, and the

2019 PoC OCP 3.11 Istio 1.0 Make It Simple Event Hub DBs SERVICE MESH Istio Ingress Istio Egress Other External Services Tracing Store Logging Store LB January 2019 PROD PoC March 2020 HA & DR Tracing Store Logging Store Event Hub DBs Istio Egress Other External Services Istio Ingress OCP 4.1 Istio 1.1 Istio Egress Istio Ingress OCP 4.1 LB LB LB TROUBLE SHOOTING January LB LB LB Istio Ingress Istio Egress Istio Ingress Istio Egress Istio 1.4 Istio 1.4 Service Mesh Operator Istio Ingress Istio Egress Istio Ingress Istio Egress Istio 1.4 Istio 1.4 Service Mesh

traffic Can be standalone or sidecar Other Container Istio Sidecar Proxy Istio Ingress Gateway Istio Egress Gateway @rytswd Istio Operator istio-operator Manages Istio installation with IstioOperator Custom Control Plane Data Plane istiod Some container Istio Sidecar Proxy Istio Ingress Gateway Istio Egress Gateway @rytswd DestinationRule ServiceEntry Gateway VirtualService Some service outside of Control Plane Data Plane istiod Some container Istio Sidecar Proxy Istio Ingress Gateway Istio Egress Gateway @rytswd DestinationRule ServiceEntry Gateway VirtualService Some service outside of