Set Sail for a Ship-Shape Istio Release
#IstioCon Set Sail for a Ship-Shape Istio Release Brian Avery / twitter: @briansvgs / Red Hat Senior Software Engineer Eric Van Norman / twitter: @kf0s / IBM Senior Software Engineer #IstioCon First #IstioCon Upgrade Working Group - Stability ● Standards and processes ○ Control plane behavior ○ Data plane communication ● Promote revision-based upgrades to stable and support skip-level revision-based
0 credits | 18 pages | 199.43 KB | 1 year ago 3
IstioCon 2022 Report
Anthos Service Mesh Multi-tenant Istio Service Mesh with Gloo Mesh Company presenting Tetrate Red Hat Google Soloio Participants 73 53 46 40 Satisfaction score 4.44/5 4.28/5 4.65/5 4.58/5 Making
0 credits | 20 pages | 2.44 MB | 1 year ago 3
宋净超: From Open-Source Istio to Enterprise-Grade Services: How to Adopt a Service Mesh in the Enterprise
Application-Aware Networking Platform Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload (Service) VM Workload Central -> Edge ● TSB CR -> Istio CR TSB Config Data Flow Cluster Onboarding Flow 1. Creating cluster object 2. Deploy Operators: Control plane & data plane 3. Configuring Secrets 4. Installing control Use Case: A Financial Company Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload (Service) VM Workload
0 credits | 30 pages | 4.79 MB | 6 months ago 3
Secure your microservices with istio step by step
the ratings service. ● Reviews-v2 ○ calls ratings, black stars ● Reviews-v3 ○ calls ratings, red stars Initializing services 1) Deploy bookinfo services with istio sidecar without reviews-v2 2)
0 credits | 34 pages | 67.93 MB | 1 year ago 3
Istio Security Assessment
Google Istio Security Assessment Google / NCC Group Confidential Dashboard Target Metadata Engagement Data Name Istio Type Architecture Review and Code-Assisted Security Assessment Type Kubernetes Service Total issues 18 Category Breakdown Access Controls 7 Configuration 5 Cryptography 1 Data Exposure 3 Data Validation 2 Component Breakdown Istio 10 Istio Sidecar 3 Istioctl 2 Pilot 3 Key Critical Communications Risk High Impact: High, Exploitability: Medium Identifier NCC-GOIST2005-004 Category Data Exposure Component Istio Location Istio Control Plane: • controlPlaneSecurityEnabled istioctl configuration
0 credits | 51 pages | 849.66 KB | 1 year ago 3
Istio audit report - ADA Logics - 2023-01-30 - v1.0
usage of the language. Istio consists of two components: The controlplane and the dataplane. The data plane handles the connection between services and forms a series of proxies deployed as sidecars. err := url.Parse(srcURL) if err != nil { return "", fmt.Errorf("invalid chart URL: %s", srcURL) } data, err := httprequest.Get(u.String()) if err != nil { return "", err } name := filepath.Base(u.Path) err := os.Mkdir(dir, 0o755) if err != nil { return "", err } } if err := os.WriteFile(destFile, data, 0o644); err != nil { return destFile, err } return destFile, nil } Exploitation To exploit this
0 credits | 55 pages | 703.94 KB | 1 year ago 3
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
tests • What is our solution? – Leverage Istio sidecar to listen to API traffic data and create tests from the data – 10x speed in creating API tests • Can also be sped up by just navigating the application application UI – Create E2E tests, component tests and service tests from the same data • Key product benefits (#releases, #rollbacks, MTTR, #bugs-in-production, Reduced eng effort for testing, velocity) A Proxy Proxy Service B Service C Proxy Mesh Dynamics Data Store Deploy: kubectl apply -f Capture using Lua filter All API data + TraceIDs | CONFIDENTIAL 11 Assemble API request traces
0 credits | 21 pages | 1.09 MB | 1 year ago 3
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
from ○ API services, Search Engine, etc. ○ Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems & Pipelines - Hadoop, Apache Spark, Apache Flink, etc. ○ Machine Learning Platforms - Tensorflow GPUs #IstioCon Application Deployment: Cloud Layout ● Region: A metro region ● DC: One or more Data Centers in each Region ● AZ: One or more Availability Zones in each DC ○ Independent power, cooling peering with the Internet closer to the customer ○ PoPs are mini AZs Region R1 AZ 1 AZ 2 AZ n Data Center DC1 Region Rn #IstioCon Application Deployment: Cloud Layout ● Multiple K8s Clusters
0 credits | 22 pages | 505.96 KB | 1 year ago 3
Is Your Virtual Machine Really Ready-to-go with Istio?
(Consul, Kuma…) #IstioCon Emerging Use Cases #IstioCon Legacy Scenarios ● Stateful applications ○ Data store ● Legacy software ○ Financial services ○ Enterprise/Workshop applications ○ Hard to lift services in the cluster ○ DNS name resolved ■ gets routed through the gateway to the service ● The data plane traffic ■ Single network ● direct communication w/o requiring intermediate Gateway ■ Multiple for sensitive data ○ Strong isolation for multi-vendor services ○ End-to-end security! (not just between middle boxes) ● High performance networking ○ Much higher multi-Gbps peak data speeds ○ Ultra
0 credits | 50 pages | 2.19 MB | 1 year ago 3
Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
○ ... IP Data IP Header TCP Data TCP Header Layer-7 Header Data #IstioCon What Do We Get From Istio? IP Data IP Header TCP Data TCP Header Layer-7 Header Data Traffic Management
0 credits | 29 pages | 2.11 MB | 1 year ago 3