Istio as an API Gateway
Istio As An API Gateway Discussion Flow ● What is an API Gateway? ● What is a Service Mesh? ● Common Features ● API Gateway + Service Mesh together! ● Istio as the API Gateway ● Advantages ● Challenges ● Where It Isn’t a Good Fit? What is an API Gateway? What is a Service Mesh? Common Features Common Features ● Load Balancing ● Request Routing ● Service Discovery ● JWT Authentication Logging, Monitoring, Tracing API Gateway + Service Mesh together! Limitations of This Approach ● Maintaining Two Tools ● Maintaining Two Expert Pools Istio as the API Gateway Advantages Advantages
0 码力 | 27 pages | 1.11 MB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
Creating API Tests Low Effort API Testing for Microservices | CONFIDENTIAL • What has changed? – Migration to microservices triggering need for extensive API tests • Problem: – Creating API tests • What is our solution? – Leverage Istio sidecar to listen to API traffic data and create tests from the data – 10x speed in creating API tests • Can also be sped up by just navigating the application Significantly reduced time and cost for API testing for microservices architectures with Istio – Fewer failures higher up the test pyramid as a result of improved API tests • Istio benefits – Venky / Prasad
0 码力 | 21 pages | 1.09 MB | 1 year ago
Istio Security Assessment
Identifier NCC-GOIST2005-002 Category Data Exposure Component Pilot Location pilot/cmd/pilot-discovery/main.go Impact The debug interface provides unauthenticated users with a wide range of information about Istio control plane along with a set of TCP services that it exposes. One of which is the “/debug” API hosted on 15014/TCP by default. This service exposes a web interface that is accessible without authentication remote: multi-cluster remote control plane setup • default: default settings of the IstioOperator API • demo: enables a variety of extra features • empty: provides a template • minimal: minimal config
0 码力 | 51 pages | 849.66 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
in scope of the audit. Istio main repository Repository https://github.com/istio/istio Language Golang Istio API definitions Repository https://github.com/istio/api Language Golang Istio documentation exploited. Copy the file contents to a main.go file and run it with go run main.go. Careful: This will overwrite files on the system. package main import ( "archive/tar" "bytes" "compress/gzip" NewWriter(maliciousBytes) w.Write(gzw.Bytes()) w.Close() return bytes.NewReader(maliciousBytes.Bytes()) } func main() { maliciousGzip := createMaliciousGzip() // Below is a minimized version of https://github.c
0 码力 | 55 pages | 703.94 KB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
#IstioCon eBay Applications eBay is powered by ● More than 5,000 Microservices ranging from ○ API services, Search Engine, etc. ○ Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems in AZ K8s Cluster K8s Cluster #IstioCon Step 2: Replace Hardware LBs with Software K8s API Server NLB Controllers Istiod Network Load Balancer (NLB) Network Load Balancer (NLB) Ingress within an AZ AZ AZ Cluster Ingress Gateways API Server Istiod East-West Gateway watch API Server Pods, Services Workload Cluster API Server Pods, Services Workload Cluster watch
0 码力 | 22 pages | 505.96 KB | 1 year ago
Istio is a long wild river: how to navigate it safely
affordable shipping options. 5 6 ● 200+ microservices (200+ namespaces) ● 100K RPS at peak on API Gateway ● 1 main production Google Kubernetes Engine (GKE) cluster ● 12k+ pods ● 750+ nodes Istio at Mercari in the second part of the presentation. 28 Are you prepared to handle Istio? Stabilizing Istio Main time consumers with Istio: 1. Troubleshooting 2. Spreading adoption 3. Supporting new features With sidecar CRD Istiod average CPU usage 37 The Sidecar CRD to save the mesh Stabilizing Istio Main drawback Services must know their dependencies, document and update them. If this wasn’t the case
0 码力 | 69 pages | 1.58 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
for a bootstrap certificate, then place that bootstrap certificate on the VM ■ Dependency on K8s API server ■ Requires creating an RBAC impersonation rule for each user ■ Private key and CSR generation RDMA (Remote Direct Memory Access) ● Advance transport protocol (same layer as TCP and UDP) ● Main features ○ Remote memory r/w semantics in addition to send/receive ○ Kernel bypass / direct user
0 码力 | 50 pages | 2.19 MB | 1 year ago
Istio Project Update
1 Istiod Cluster 2 API server API server Ingress Ingress Service A Service B Service B Mirror Simplified Istio Multicluster Model #IstioCon Istiod Cluster API server Gateway Service #IstioCon Istio Standardize APIs Adopt Kubernetes service API Protocol declaration in Kubernetes service descriptor Transform informal API to formal API External authz #IstioCon analyze describe bug-report
0 码力 | 22 pages | 1.10 MB | 1 year ago
宋净超: From Open-Source Istio to Enterprise-Grade Services: How to Adopt a Service Mesh in the Enterprise
(Service) POD Workload (Service) POD Workload (Service) VM Workload (Service) VM Workload (Service) VM API Gateway Ingress & Egress Mesh can include VMs ● Multi tenancy ● Traffic shaping and canary controls reporting ● Service discovery across multiple clusters ● Fine-grained ingress & egress controls ● API GW is part of the mesh ● Workflows for collaborative agility More About Multi Cluster ● Multi tenancy zero dependency WebAssembly runtime written in Go. ● Contribute to Go/TinyGo/Rust ● Using WasmPlugin API to extend Istio ● GitHub: tetratelabs/wazero Istio Security Scanner ● Make Istio Security Best Practices
0 码力 | 30 pages | 4.79 MB | 6 months ago
Canary Release Practice for Kubernetes Container Applications Based on Istio
svcB svcA Rules API Pilot 80% Istio canary release: based on request content Version2 Envoy SVC Envoy SVC Pod1 Pod2 Pod3 Envoy SVC Pod1 Pod2 Version1(canary) group=dev svcB svcA Rules API Pilot apiVersion: At Google: microservices become API Apigee API Management complements Istio with the robust features of Google Cloud's Apigee API management platform, Apigee Edge, by extending API management natively into
0 码力 | 38 pages | 14.93 MB | 1 year ago