Online Meetup #6 July 14, 2020

2 | Copyright © 2020 Meetup Agenda • WebAssembly + Envoy Recap • Demos of Community Extensions • Community Q&A • Roadmap Discussion Solo.io Team for Today’s Meetup Betty Junod @bettyjunod Yuval Kohavi @kohaviyuval Scott Weiss @ilackarms Shane O’Donnell @sodman74

3 | Copyright © 2020 Introduction What is WebAssembly? WebAssembly (wasm) is a binary instruction format for a stack-based virtual machine. Wasm is designed as a portable target for compilation of high-level languages like C/C++/Rust, enabling deployment on the web for client and server applications. PORTABLE SECURE FAST ANY LANGUAGE

4 | Copyright © 2020 Introduction EXTERNAL AUTH RATE LIMITING ROUTER UPSTREAM gRPC TRANSCODER CUSTOM FILTERS EXTERNAL AUTH RATE LIMITING ROUTER UPSTREAM WASM gRPC TRANSCODER BEFORE AFTER Only C++ Maintain Envoy distro Hard dependency Stop and recompile

5 | Copyright © 2020 Introduction Terminology WebAssembly (wasm) The actual WebAssembly binary instruction format Envoy-wasm Where the work is happening to provide support for WebAssembly in the Envoy. Not yet available in the upstream project. Repo github.com/envoyproxy/envoy-wasm WebAssembly Hub Public hub by Solo.io to publish and share wasm extensions for Envoy based tools (Envoy, Gloo, Istio) Launched Dec 2019 and updated March 2020 wasme CLI by Solo.io for the developer experience to build, push, pull wasm extensions for Envoy based tools (Envoy, Gloo, Istio) Module Extension Filter Terms used for the customization built using wasm for Envoy THANK YOU! 220+ Community Repos Available THANK YOU!

6 | Copyright © 2020 Introduction How does wasm work with Envoy • Write filter in any language • Compile to .wasm module • Dynamically load in Envoy during runtime

7 | Copyright © 2020 Blake Covarrubias Sr. Product Manager @blakecova Bryant Hagadorn Security Engineer bit.ly/2ZSEzWF Guest Speakers and Demos

8 | Copyright © 2020 Secure Link by Blake About this Filter Secure Link checks the authenticity of requested links and protects resources from unauthorized access. Authenticity is verified by comparing the checksum value passed in a request with the value computed for the request, using a shared secret. This filter is experimental / proof-of-concept. It is not meant to be used in production deployments. Secure Link was inspired by nginx's ngx_http_secure_link_url module. See http://nginx.org/en/docs/http/ngx_http_secure_link_module.html for more information. Code on GitHub https://github.com/blake/secure-link-filter/ Wasme Pull Command wasme pull webassemblyhub.io/blake/secure-link:v0.1

WASM Security Headers (kronos) BRYANT HAGADORN 7/14/2020

Inspiration HelmetJS (https://helmetjs.github.io/) Django CSP(https://django-csp.readthedocs.io/en/latest/) PHP Secure Headers (https://github.com/BePsvPT/secure-headers)

What are Security Headers? https://wiki.owasp.org/index.php/OWASP_Secure_Headers_Project Security headers generally instruct the browser how to interact with the rest of the internet. This can include information on how to process cross-domain requests, upgrading to HTTPS from HTTP, etc. They are not silver bullets in web application security, but generally recommended best practices according to OWASP. Inevitable agility vs. security debate

Before: Nginx

Before: Express

After:

Demo Currently have Istio on top of GKE cluster, BookInfo and BookInfo Gateways installed…. Install Istio 1.5

Next Steps for the Project Support dynamic header security items (such as whitelisting of common libraries like Bootstrap, Google Fonts, or other custom CDN-served cross-domain items that are better hosted elsewhere) Storing configuration inside of Kubernetes Secret or ConfigMap (rather than inside of the Kronos) Apply security headers only to UI and API’s interacting Get BookInfo to an A Apply least privilege automatically, flag violations, automatically suggest headers Feedback from the community?

How to help or reach me? Create issues in the repo: https://github.com/blhagadorn/kronos Add me on LinkedIn to chat: https://www.linkedin.com/in/bryanthagadorn/ Reach out on Kubernetes (haggs) or Solo.io slack (Bryant Hagadorn) https://medium.com/@bryant.hagadorn

18 | Copyright © 2020 Community Q&A

19 | Copyright © 2020 QUESTION What kinds of filters are possible besides Header Transformation?

20 | Copyright © 2020 QUESTION Is Istio 1.6 supported?

21 | Copyright © 2020 QUESTION What languages are currently supported for WebAssembly+Envoy and the tooling by Solo.io (WebAssembly Hub and wasme)?

22 | Copyright © 2020 QUESTION How do you pronounce wasm and wasme?

23 | Copyright © 2020 QUESTION How can you communicate or send data between two filters?

24 | Copyright © 2020 What’s Next

25 | Copyright © 2020 Currently in Development • Add Wasm for Gloo Enterprise github.com/solo-io/gloo/issues/3035 • Update to latest version of Envoy-Wasm github.com/solo-io/wasme/issues/131 • Istio 1.6 support github.com/solo-io/wasme/issues/126

26 | Copyright © 2020 Feedback, Discussion, Questions • Which languages are you most interested in next? • What other service meshes are you interested in using WebAssembly with? • What kind of filters are you interested in? (or content to help build your own) • What kind of capabilities does your company need to use WebAssembly? (i.e. tooling, integrations, security, support, etc) • What else?

27 | Copyright © 2020 About Us solo.io Community slack.solo.io WebAssembly Hub webassemblyhub.io Get Involved ● Suggest features or file issues github.com/solo-io/wasme/issues ● Review the OCI image spec github.com/solo-io/wasm-image-spec ● Check out envoy-wasm github.com/envoyproxy/envoy-wasm ● SDK for Proxy and Solo.io Guest Speakers Filters ● Blake’s filter 63/secure-link ● Bryant’s filter 174/kronos and blog bit.ly/3gKAWZG