How HP set up secure and wise platform with Istio
John Zheng / john.zheng@hp.com #IstioCon. Agenda: ➢ HP Horizon platform design with Istio ➢ Secure Platform ➢ Wise Platform ➢ Excellent Observability ➢ Q & A. HP Horizon Platform design with Istio. HP Horizon Platform: HP has lots of projects, deployed on cloud. They have common features, and also have project-specific features. We provide a common platform that includes all common features, and connect all projects with Istio. Common services are in the core cluster; projects share a solution cluster • Different namespace...
(23 pages, 1.18 MB, 1 year ago)
Using Istio to Build the Next 5G Platform
David Lenrow, Open Source Service Mesh Evangelist; Neeraj Poddar, Co-founder & Chief Architect, Aspen Mesh. February 22, 2021. ©2021 Aspen Mesh. All rights reserved. ...rchitecture-sba-47900b0ded0a. 5G Architecture. Key Platform Requirements: Multi-Vendor, Real-Time (RAN), Workload Mobility, Networking outside CNF, Encryption...
(18 pages, 3.79 MB, 1 year ago)
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
#IstioCon. 张龚 (Gong Zhang), IBM China Development Lab; 庄宇 (Yu Zhuang), IBM China Development Lab. Architect and Senior Software Engineer in IBM Cloud, working on IBM Cloud Code Engine (serverless platform), focusing on Knative, Istio and Tekton, community, leading a team to develop and offer serverless Kubernetes in IBM Cloud. ● Knative and Istio ● How Istio is leveraged in a Knative based platform ● Performance bottleneck analysis and tuning ○ Istio scalability optimization during Knative Service...
(23 pages, 2.51 MB, 1 year ago)
宋净超: From open-source Istio to enterprise-grade services: how to land a service mesh in the enterprise
...developer building and operating an application. Why is Istio? TSB: The Application-Aware Networking Platform. Istio: Control Plane; Tetrate Service Bridge: Management Plane; Envoy: Data Plane; Workload (Service). Before using service mesh: 100+ Kubernetes clusters ● VM integration ● On-prem, AWS, Azure, GCP, OpenShift ● 10000+ core business apps ● Plan to move to public cloud in 18 months ● Using F5 to distribute...
(30 pages, 4.79 MB, 6 months ago)
Istio Security Assessment
Default Injected Init Container Requires Sensitive Capabilities; 021 Low: Execution of System Commands without Validation; 008 Informational: Weak Trust Boundary Between Workload Container and Proxy Sidecar. ...security-related configuration options, but the only options included are how to "Harden Docker Container Images" and "Extending Self-Signed Certificate Lifetime". There's an opportunity to highlight ... samples/bookinfo/platform/kube/bookinfo.yaml and samples/bookinfo/networking/bookinfo-gateway.yaml configurations. 4. Using the restricted user, kubectl -n restrict-test apply -f samples/bookinfo/platform/kube/bookinfo...
(51 pages, 849.66 KB, 1 year ago)
Is Your Virtual Machine Really Ready-to-go with Istio?
...with strong requirements ● For Istio ○ What is Istio? A service mesh. But more: an open service platform! ○ More use cases! ○ (Consul, Kuma…) #IstioCon. Emerging Use Cases. Legacy Scenarios ...manually register the services running. V0.2 Mesh Expansion (cont.) ● Traffic flow (VM -> Container) 1. Dnsmasq accepts DNS queries 2. Access the built-in Kube DNS (exposed by ILB) 3. Obtain the ... intercepted by the sidecar proxy 5. xDS ■ Traffic forwarded to ingress in the mesh ● Traffic flow (Container -> VM) 1. Manual registration: istioctl -n onprem register mysql 1.2.3.4 3306. V1.1...
(50 pages, 2.19 MB, 1 year ago)
Istio Meetup China: Service Mesh Security, Understanding Istio CNI
...telemetry analysis, metric aggregation and visualization for cloud-native workloads in a single platform. Leading Cloud Native. Varun Talwar, Co-founder/CEO, Co-creator of gRPC and Istio; Jeyappragash (JJ), Co-founder. (Istio Init) Start the istio init container in the workload; Istiod watches updates & starts the networking sidecar proxy; the init container updates iptables rules for the proxy; terminate the init container; start the workload with the updated... Benefits of Istio CNI: No need for CAP_NET_ADMIN and CAP_NET_RAW permission; no need for the istio-init container means faster startup speed (need validation instead). Issue in Istio CNI: Kubelet starts a pausing...
(19 pages, 3.17 MB, 1 year ago)
Istio is a long wild river: how to navigate it safely
Guardrails for Istio. Istio sidecar proxy specifications (Stabilizing Istio): Pod, App container, Sidecar container. All incoming traffic must flow through the sidecar first when entering the pod; all outgoing ... before leaving the pod. What happens when the sidecar container is not ready? (Stabilizing Istio): Pod, App container, Sidecar container (not running). The incoming traffic is sunk into the void; the outgoing traffic cannot leave the pod. What happens when the sidecar container is not ready? (Stabilizing Istio) ● 2 cases where it happens frequently: ○ During pod creation ○ During pod deletion...
(69 pages, 1.58 MB, 1 year ago)
IstioMeetupChina: Service Mesh Hot-Upgrade Technical Sharing
...the drain process; a phase where two instances coexist • Able to control image replacement throughout the hot-upgrade process • A more powerful lifecycle management component • Inject two containers into Pods that need hot upgrade: Sidecar & Empty • Support managing the Sidecar Container lifecycle during the hot-upgrade process. Implement Hot-Upgrade: • Negotiation of Envoy hot-restart parameters • PilotAgent needs ... container is replaced with the new Sidecar image, and the new Sidecar image starts • The new Envoy process interacts with the old Envoy and begins the hot-restart flow • When the maximum drain time is reached, the SidecarSet Controller replaces the old container with the Empty image • Hot upgrade finished. Catalog: • Why service mesh data-plane hot upgrade is needed • Implement hot upgrade • Practice hot upgrade. Practice ASM Hot-Upgrade...
(14 pages, 2.25 MB, 1 year ago)
Apache Kafka with Istio on K8s
...certificate provided by the Istio Proxy sidecar container • Each Kafka client request gets a client certificate attached automatically by the Istio Proxy sidecar container • Client certificate includes the K8s...
(14 pages, 875.99 KB, 1 year ago)
28 results in total