Local Machine Local Cluster + Registry docker push kubectl apply docker pull Local Kubernetes Local Registry #IstioCon Local Machine Local Cluster + Registry docker push kubectl apply docker docker pull Local Kubernetes Local Registry + Fast! Image transfers are over localhost + Reproducible configuration with other developers and Istio tests + Easy to setup bespoke clusters, including

webassemblyhub.io/yuval/addheader-rust:v1 Build Store 14 | Copyright © 2020 Build Store WASM Artifact Image Specification 15 | Copyright © 2020 Build Store Deploy > meshctl wasm deploy istio --mgmt-kubecontext --mgmt-kubecontext kind-mgmt-cluster --deployment-name ratings-add-header --namespace bookinfo --image webassemblyhub.io/yuval/addheader-rust:v1 --cluster mgmt-cluster --labels app=ratings Extension Config Ingre ss Gloo Mesh Management Plane SRE / Platform Team Deploy Wasm WasmDeployment Wasm Registry Istiod 18 | Copyright © 2020 Build Store Deploy Debug Debug in Production 19 | Copyright

within Istio (NOTE: Envoy itself was not part of the assessment). • Istio Control Plane: Istio operator, side car injector, and other Istio control plane services • Istio Documentation: The documentation By Default 013 Medium Permissive Kubernetes RBAC within a Namespace 015 Medium Default Sidecar Image Not Hardened 001 Low The Sidecar Does Not Use Apparmor/Seccomp By Default 005 Low Insecure File exposed via sidecar (see finding NCC-GOIST2005-002 on the previous page) • Sidecar image using outdated, unhardened base image (see finding NCC-GOIST2005-005 on page 23) • Debug interface enabled for istiod

事件驱动模型 ● 兼容native filter调用 方式 8 Example Wasm filter configuration ● 下发到Envoy Proxy侧的配置 9 OCI Registry As Storage ● OCI Artifacts项目的参考实现, 可显著简化OCI注册库中任意内容的存储; ● 可以使用ORAS API/SDK Library来构建自定义工具， ○ Chart以及符合OCI规范的制品的生命周期管理； ● oras login --username=<登录账号> acree-1-registry.cn- hangzhou.cr.aliyuncs.com 11 通过oras push命令推送 ● oras push acree-1-registry.cn-hangzhou.cr.aliyuncs.com/asm/asm- test:v0.1 --manifest-config roller)到K8s集群中 ○ asmwasm-controller监听一个configmap, 该configmap存放要拉取的wasm filter 的地址, 例如： acree-1-registry.cn-hangzhou.cr.aliyuncs.com/asm/sample:v0.1 ○ 如果需要授权认证, 该asmwasm-controller会根据定义的pullSecret值获得相应的

However, we found that some less exposed parts of Istio had several issues. In particular, the Istio Operator was found to have multiple security and reliability issues. This is already well known to the Istio https://istio.io/latest/docs/setup/install/operator/ 7 Istio Security Audit, 2023 It was also stated by the Istio maintainers throughout the audit that the Operator was known to be under-maintained in terms terms of security. Nevertheless, the operator has not been fully deprecated and is likely used in production by the community which makes some users prone to security issues. Furthermore, successful cyber

Virtual Machine Basic schedule unit Pod WorkloadEntry Component Deployment WorkloadGroup Service registry and discovery Service ServiceEntry K8s Pods labels: app: foo class: pod ServiceEntry selector:

collecting 外部流量出口 外部流量入口 Pilot 2 Istio 流量管理 – 控制面 两类数据： q 服务数据（Mesh 中有哪些服务？缺省路由） v Service Registry § Kubernetes：原生支持 § Consul、Eureka 等其他服务注册表：MCP over xDS （https://github.com/istio-ecosystem/consul-mcp）

Istio Egress Istio 1.4 Istio 1.4 Service Mesh Operator Istio Ingress Istio Egress Istio Ingress Istio Egress Istio 1.4 Istio 1.4 Service Mesh Operator we are here TROUBLE SHOOTING January 2019 Istio Egress Istio 1.6 Istio 1.6 Service Mesh Operator Istio Ingress Istio Egress Istio Ingress Istio Egress Istio 1.6 Istio 1.6 Service Mesh Operator Lessons Learned 1. Init containers maybe not

and transformation with users in mind #IstioCon Developer (service owner) Platform owner Mesh operator (could be your cloud provider) 3 Key Personas install verify-install upgrade Istio simplify install

Engineer, Google) #IstioCon Highlights of 2020 ● Better life cycle management ○ Istioctl install & Operator support ● Architectural simplification ○ Monolith control plane ○ Mixerless telemetry ● New