IstioCon 2022 Report
Compliant Cloud External CA integration with Istio explained Managed service mesh as a distributed cloud service Lessons Learned on Multi-tenancy Controls in Istio Presenters Lin Sun and Panel: Istio Istio Open Source Ecosystem Outlook From China The road to microservice for Database as a Service (DBaaS) via Istio Tencent Music service mesh with Istio and Aeraki Flexible proxy Hands-on practices for Controlling Kubernetes Native Apps with Service Mesh Manage and Secure Distributed Services with Anthos Service Mesh Multi-tenant Istio Service Mesh with Gloo Mesh Company
20 pages | 2.44 MB | 1 year ago
Istio Meetup China: Service Mesh Security, Understanding Istio CNI
connect, observe, and secure microservices. SkyWalking is an observability power tool that provides distributed tracing, service mesh telemetry analysis, metric aggregation and visualization for cloud-native
19 pages | 3.17 MB | 1 year ago
How HP set up secure and wise platform with Istio
are interacting, both with other services and with the Istio components themselves. Metrics Distributed Traces Access Logs #IstioCon Excellent Observability Istio(envoy) can generate access logs
23 pages | 1.18 MB | 1 year ago
Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
Dubbo, Proprietary RPC Protocol … ● Messaging: Kafka, RabbitMQ … ● Cache: Redis, Memcached ... ● Database: MySQL, PostgreSQL, MongoDB ... ● Other Layer-7 Protocols: ... Control Plane (Traffic Management
29 pages | 2.11 MB | 1 year ago
Istio Security Assessment
communication, manages TLS certificates, provides workload identity, and includes a builtin authorization system facilitated by its control plane. The goal of the assessment was to identify security issues related Certificates 019 Low Default Injected Init Container Requires Sensitive Capabilities 021 Low Execution of System Commands without Validation 008 Informational Weak Trust Boundary Between Workload Container and enforce all network communications use mTLS (or at minimum, TLS) for communications within the istio-system namespace / control plane. As mentioned in finding NCC-GOIST2005-002 on page 13, there are debug
51 pages | 849.66 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
Golang 1 vulnerability found that affected Google's managed Istio offering 11 issues found ● 5 system resource exhaustion ● 1 arbitrary file write ● 1 missing file close ● 1 certificate skipping including authentication bypass, reading sensitive information, writing files to the underlying file system, exploiting logical errors. The security components have limited functionality, and it should not writing to arbitrary file paths. A header.Name containing patterns such as .. could traverse the file system and perform out of bounds file writes. https://github.com/istio/istio/blob/d0705cf0ed5591cc26c08
55 pages | 703.94 KB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
Component testing Test a set of services as a single sub-system while isolating them from other services, for example payment processing system | CONFIDENTIAL 5 Current approaches do not scale with) Capture traces for E2E test requests Create tests & mocks for all services Configure system under test Forward egress requests to mock services | CONFIDENTIAL 10 Capture API interactions is effort intensive Solution • ML-driven identification of candidate relationships • Supervised system to accept true positives • No code! | CONFIDENTIAL 17 ML-assisted Assertion Rule Learning
21 pages | 1.09 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
Injecting sidecars, HTTP/2 LoadBalancing ● Traffic shifting for canaries Build confidence in the system and understanding of Istio. Then you can onboard some users, get feedback, improve, rinse and repeat name: default namespace: mercari-echo-jp-dev spec: egress: - hosts: - ./* - istio-system/* 35 The Sidecar CRD to save the mesh Stabilizing Istio The Sidecar CRD (Custom Resource Definition) name: default namespace: mercari-echo-jp-dev spec: egress: - hosts: - ./* - istio-system/* Only Istio and the local namespace configuration is pushed to namespace-local proxies: ● Listeners
69 pages | 1.58 MB | 1 year ago
Set Sail for a Ship-Shape Istio Release
● Release Notes tooling ● Feature Maturity Process ● Release Maturity Process #IstioCon Old System Expectation: Maintainers would populate a Google docs draft throughout a release which is finalized note. ● If it doesn’t, then the developer can check a box and the pull request will merge. New System Release Notes #IstioCon Release Notes: As a result... ● Release notes are thought of up-front
18 pages | 199.43 KB | 1 year ago
Analysis of Istio Control Plane Component Principles
P//rBQDqg=="} req.DefaultWords : • ["istio-pilot.istio-system.svc.cluster.local", • "kubernetes://istio-pilot-8696f764dd-fqxtg.istio-system", • "3a7a649f-4eeb-4d70-972c-ad2d43a680af", • "172.00.00.000"
30 pages | 9.28 MB | 6 months ago