宋净超: From open-source Istio to enterprise-grade services: how to adopt a service mesh in the enterprise
security ● R&D on Next Generation Access Control (NGAC) ● Exclusively co-host annual zero trust multi-cloud conference Best in Class Team ● Creators of the service mesh Istio, gRPC, Apache SkyWalking ● Tetrate's product built on top of the upstream Istio ● Why not Istio OSS? ● Problems unsolved ○ Multi-cluster and VM (lower onboarding cost) ○ Enterprise team structure gap (Workspace, Tenants, etc.) ○ Workload (Service) VM Workload (Service) VM API Gateway Ingress & Egress Mesh can include VMs ● Multi tenancy ● Traffic shaping and canary controls, across clusters ● High availability & resiliency enabling
0 码力 | 30 pages | 4.79 MB | 6 months ago | 3
SberBank story: moving Istio from PoC to production
Expectations Trough of Disillusionment Slope of Enlightenment Plateau of Productivity Think about Multi-Tenancy Tracing Store Logging Store Event Hub DBs Other External Services OCP 4.4 OCP 4.4 LB LB Istio Discovery Restarts (#25495) 2. Proxy Probes (#26792) Further Steps • Multi-cluster Discovery for OCP & Kubernetes • Multi-cluster Service Topology • Cloud-Native Event Hub • Full Support for VM-Based
0 码力 | 14 pages | 1.68 MB | 1 year ago | 3
Using Istio to Build the Next 5G Platform
reserved. What Is 5G and Why Does It Matter? 5G wireless technology is meant to deliver higher multi-Gbps peak data speeds, ultra low latency, more reliability, massive network capacity, increased 0ded0a 5G Architecture 4 ©2021 Aspen Mesh. All rights reserved. Key Platform Requirements Multi-Vendor Real-Time (RAN) Workload Mobility Networking outside CNF Encryption & Authorization between rights reserved. Architecture Options 9 ©2021 Aspen Mesh. All rights reserved. Namespace Level Tenancy Control Plane AMF Frontend Namespace AMF Namespace SMF SQL DB AMF App B
0 码力 | 18 pages | 3.79 MB | 1 year ago | 3
IstioCon 2022 Report
Istio explained Managed service mesh as a distributed cloud service Lessons Learned on Multi-tenancy Controls in Istio Presenters Lin Sun and Mitch Connors, Program Committee Lucas Copi and Native Apps with Service Mesh Manage and Secure Distributed Services with Anthos Service Mesh Multi-tenant Istio Service Mesh with Gloo Mesh Company presenting Tetrate Red Hat Google Solo.io Participants
0 码力 | 20 pages | 2.44 MB | 1 year ago | 3
Istio is a long wild river: how to navigate it safely
pattern in a better way, these workarounds should be deprecated. 21 Shortcoming 2: Autoscaling multi-container pods Stabilizing Istio Kubernetes offers 2 ways to autoscale pods: ● HorizontalPodAutoscaler calculation 22 Define HPA target for multi-container pods Stabilizing Istio CPU: 1 Memory: 100MB Pod App container Container requests 23 Define HPA target for multi-container pods Stabilizing Istio averageUtilization: 70 Will trigger when the container is using more than 700m CPU 24 Define HPA target for multi-container pods Stabilizing Istio CPU: 1 Pod App container Sidecar container CPU: 100m Container
0 码力 | 69 pages | 1.58 MB | 1 year ago | 3
Istio Service Mesh at Enterprise Scale
Shaping ✓ Latency ✓ Single Point of Failure Adoption Challenges ● Multi-region deployments ● Non-flat networks ● Multi-tenant configuration ● Management of Istio installation ● Self-service Install/Upgrade ○ Admiral cluster registration ● Higher Level Logical Service for Developers ○ Multi-cluster Identity ○ Multi-region Endpoint ○ Istio config integrated with gitops deployment ○ Init modifications
0 码力 | 12 pages | 1.23 MB | 1 year ago | 3
Is Your Virtual Machine Really Ready-to-go with Istio?
Non-Linux ○ unikernels ● Domain specific workloads ○ Network Functions (NFV) #IstioCon Hybrid and Multi Clouds #IstioCon Istio VM Integration is? A Tumultuous Odyssey… [1] Istio 1.8: A Virtual Machine sensitive data ○ Strong isolation for multi-vendor services ○ End-to-end security! (not just between middle boxes) ● High performance networking ○ Much higher multi-Gbps peak data speeds ○ Ultra low latency enhanced performance is desired ● Overheads introduced ● No high performance data path support ○ Multi-Gbps bandwidth ○ Ultra low latency #IstioCon Performance Limitations: Solutions ● Software techniques
0 码力 | 50 pages | 2.19 MB | 1 year ago | 3
Istio 2021 Roadmap: A heartwarming work of staggering predictability
○ Auto mTLS ● API and feature promotion ○ Networking/Security APIs ○ Virtual Machine expansion/Multi cluster mesh https://istio.io/latest/blog/2020/tradewinds-2020/ #IstioCon Impact on users https://thenewstack ● Enhancement workflow ○ CNI ○ IPv6 ○ Dual-stack (IPv4/IPv6) ○ Virtual Machine Expansion ○ Multi cluster mesh ○ Helm v3 life-cycle management ● Evaluate current feature status and fix gaps https://istio improvement areas ● Native Kubernetes API integration ○ Kubernetes Service APIs ○ Kubernetes Multi-cluster APIs ● Adopt & drive innovation in Envoy community ○ Delta xDS ○ HTTP2 tunnels https://istio
0 码力 | 17 pages | 633.89 KB | 1 year ago | 3
Developing & Debugging WebAssembly Filters
(EW) Observability Zero-trust Approval Processes Rollback Delegation WASM Multi Cluster Global Service Failover Multi Mesh 4 | Copyright © 2020 Orders Citadel Pilot Galley User Account Istiod Infrastructure to build, push, share, deploy, debug Wasm into Istio service mesh Wasm Registry Multi-cluster management, orchestration of Wasm lifecycle 22 | Copyright © 2020 • https://solo.io •
0 码力 | 22 pages | 2.22 MB | 1 year ago | 3
Istio Security Assessment
impact of different security options and expand on edge cases that may have a security impact such as multi-cluster environments. • /docs/ops/common-problems/security-issues/: This section has a lot of good NCC Group could not find clear documentation on the following subjects: • Security implications of multi-cluster setups • Transport security expectations of control plane traffic • Disabling default services interface. This means that all workloads from all namespaces within the cluster, adjacent clusters in a multi-cluster setup, and services in adjacent network segments are able to access this endpoint. When accessed
0 码力 | 51 pages | 849.66 KB | 1 year ago | 3
17 results in total
- 1
- 2