Istio Security Assessment
traffic leaves the mesh bypassing the egress gateway.”8 This means that Istio alone cannot provide some core security controls and the documentation suggests that additional mitigations, such as a network ns/admin#post--quitquitquit 11https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/core/address.proto#core-pipe 29 | Google Istio Security Assessment Google / NCC Group Confidential Finding DestinationRules applyUpstreamTLSSettings, and buildUpstreamClusterTLSContext functions within istio/pilot/pkg/networking/core/v1alpha3/cluster.go Impact An attacker that is able to intercept raw network connections between
0 credits | 51 pages | 849.66 KB | 1 year ago

Observability and Istio Telemetry
Adaptor In process Bypass adaptor SkyWalking backend Tracing Metric Receiver in gRPC/HTTP Analysis Core Query Core Istio telemetry Attribute Vocabulary https://istio.io/docs/reference/config/policy-and- service for incoming requests, such as HTTP URI path or gRPC service class + method signature. Core Concepts Istio telemetry format SkyWalking native telemetry format Telemetry to Analysis scope • https://github.com/apache/incubator-skywalking-query-protocol Ecosystem powered by GraphQL and SkyWalking core • Open source UI project for SkyWalking • https://github.com/TinyAllen/rocketbot ServiceMesher WeChat official account
0 credits | 21 pages | 5.29 MB | 6 months ago

How HP set up secure and wise platform with Istio
#IstioCon Common services are in core cluster Projects shared solution cluster • Different namespace • Project runs as tenant, need control rights Solution cluster connect core cluster with Istio multi-cluster multi-cluster - Replicated control planes Some standalone cluster without Istio can access core cluster also, as tenant. HP Horizon Platform Connect With Istio #IstioCon Secure Platform • JWT Verify
0 credits | 23 pages | 1.18 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
memory-unsafe implementation issues such as buffer overflow and use-after-free issues. Envoy - which plays a core role in the Istio service mesh - is implemented in C++ and memory-corruption issues can therefore policies to the proxies and checks whether the policy of each proxy is up to date. Authentication has two core features in Istio: 1. Peer authentication: used for service-to-service authentication to verify the
0 credits | 55 pages | 703.94 KB | 1 year ago

Istio 2021 Roadmap A heartwarming work of staggering predictability
maturity ○ Move “slowly and fix things” ○ Sustain the tremendous production adoption of Istio ● Stable core ○ Current Istio functionality meets user needs ○ Measured feature introduction ● Reducing operational
0 credits | 17 pages | 633.89 KB | 1 year ago

Istio Meetup China: Service Mesh Security, Understanding Istio CNI
Meetup China About me Istio 1.10 Release Manager, Istio Community, 2021-Present GetMesh(GetIstio) core contributor, Istio Community, 2021-Present Tetrate Service Bridge developer, Tetrate.io, 2021-Present
0 credits | 19 pages | 3.17 MB | 1 year ago

宋净超: From Open Source Istio to Enterprise-Grade Service: How to Adopt a Service Mesh in the Enterprise
service mesh: 100+ Kubernetes cluster ● VM integration ● On-prem, AWS, Azure, GCP, OpenShift ● 10000+ core business apps ● Plan to move to public cloud in 18 months ● Using F5 to distribute traffic at the
0 credits | 30 pages | 4.79 MB | 6 months ago

Preserve Original Source Address within Istio
Huawei Cloud. - Github: https://github.com/hzxuzhonghu - Istio steering committee member - Istio Core Maintainer & Contributor - Open source enthusiastic, previously Kubernetes active contributor and
0 credits | 29 pages | 713.08 KB | 1 year ago

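Introduction to Envoy Internals and Pitfalls Hit in Production
to the current thread count; the position of maximum slope corresponds to 128 connections; average QPS improved by more than 30%; with the thread count fixed, QPS and average latency degrade rapidly as the number of connections increases; end-to-end average latency reduced by about 23% • Envoy: 4 threads, 4 cores, default memory • fortio -q 0 -c 2~1024 connections, HTTP/1 keep-alive mode, three runs per test group, 30s per run; Test results; Test conditions; Copyright © Huawei Technologies
0 credits | 30 pages | 2.67 MB | 1 year ago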