Automate mTLS communication with GoPay partners with Istio
Automate mTLS communication with GoPay partners with Istio Vijay Dhama, Gojek Zufar Dhiyaulhaq, Gojek Agenda ● GoPay & Istio ● Before mutual TLS ● Implementing mutual TLS ○ Centralized Certificate Kubernetes cluster, also support syncing to VM with an agent installed, this is also used by our partners as well. Ingress Mutual TLS ● Using Istio Gateway mechanism with mode MUTUAL ● Leverage subjectAltNames
0 credits | 16 pages | 1.45 MB | 1 year ago

IstioCon 2021 Partner Packages
following table describes the event bundles that allow IstioCon to showcase a multi-vendor ecosystem of partners associated with certain levels: ● Tiers & sponsors’ logos will be displayed on the conference $850usd one time payment Virtual photo booth [Unavailable] Available sponsorship: 1 ● Contributing partners can give away cloud credits, e-book, subscriptions to their services, discount codes, etc. ●
0 credits | 23 pages | 3.18 MB | 1 year ago

IstioCon 2021 Report
livestream viewers 1,517 Unique recording viewers 25+ End User Presentations 10 IstioCon Partners Where did people join from? Where did people join from? 0.5% from Africa 43.5% from North
0 credits | 18 pages | 912.89 KB | 1 year ago

IstioCon 2022 Report
on Bilibili platform ● Listening sessions +20 End User Presentations 10 IstioCon Sponsors and partners Where did people join from? Participant demographics 28% of attendees were CxO / Engineering
0 credits | 20 pages | 2.44 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
The security components have limited functionality, and it should not be possible to force these to exceed this functionality to exceed trust boundaries. Each components limited 12 Istio Security Audit that would seek to exceed one or more trust boundaries. This could be a user that has been granted limited cluster privileges and seeks to perform harmful actions they should not have actions to perform. Istio side. In general, we found limited tracking, both internally and publicly. Upon request, the Istio team had little tracking documentation, and for only a limited number of 50 Istio Security Audit
0 credits | 55 pages | 703.94 KB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
■ Requires creating an RBAC impersonation rule for each user ■ Private key and CSR generation limited to Istio agent (no support of other provisioner tools and HSM incompatible) ■ Limitations to audit ○ Private key for TLS ○ Signing key ○ … #IstioCon Performance Limitations ● Some not just limited on VMs, but ○ need to be extended to VMs ○ and much more demanding for some VM use cases (w/ strict Bypass (cont.) ● Leverage eBPF ● Target Pod/VMs on the same node ● Use case: edge computing ○ Limited number of nodes ○ More traffic across Pod/VMs on the same node #IstioCon QUIC ● A new transport
0 credits | 50 pages | 2.19 MB | 1 year ago

Istio Security Assessment
handled by the earlier-created Gateway. Due to this behavior, it is possible for accounts otherwise limited to creating resources in specific namespaces to intercept requests for services run from other namespaces bernetes cluster that has Istio installed with a namespace to use. Each namespace user’s permissions is limited by the following Kubernetes Role object which would provide full read-write access to a participant’s
0 credits | 51 pages | 849.66 KB | 1 year ago

7 results in total