Istio Security Assessment
• /docs/ops/best-practices/security/: This section only provides 2 general recommendations. Use namespaces for isolation (a contentious perspective) and configured third party service account tokens instead "/ ", preventing a need to re-declare essentially the same VirtualService in different namespaces. However, when using this format, no additional validation is performed to ensure that the account it is possible for accounts with access to only specific namespaces to surreptitiously intercept the traffic of applications from other namespaces that they do not otherwise have any access to. Reproduction
51 pages | 849.66 KB | 1 year ago

Istio Service Mesh at Enterprise Scale
Istio Monolith Era Intuit Statistics ● 900+ Teams ● 5000+ Developers ● 200+ Clusters ● 7000+ Namespaces ● ~9200 Nodes varies with autoscaling Hub and Spoke API Gateway Book Info Payments
12 pages | 1.23 MB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Deploy multiple Istio deployments within a K8s cluster ■ Each Istio deployment manages subset of namespaces using DiscoverySelectors ○ Overall, create macro-segments for different environments #IstioCon
22 pages | 505.96 KB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
his own user namespace only. o We can limit the mesh size to namespace scope for all user namespaces easily. Unleash maximum scalability by fully leveraging Istio features in Knative with service
23 pages | 2.51 MB | 1 year ago

Istio is a long wild river: how to navigate it safely
holds in escrow, and simple and affordable shipping options. ● 200+ microservices (200+ namespaces) ● 100K RPS at peak on API Gateway ● 1 main production Google Kubernetes Engine (GKE) cluster
69 pages | 1.58 MB | 1 year ago