Is Your Virtual Machine Really Ready-to-go with Istio?
Virtual Machine Basic schedule unit Pod WorkloadEntry Component Deployment WorkloadGroup Service registry and discovery Service ServiceEntry K8s Pods labels: app: foo class: pod ServiceEntry selector: ○ Virtual Machine Installation to get started. ○ Virtual Machine Architecture to learn about the high level architecture of Istio’s virtual machine integration. ○ Debugging Virtual Machines to learn between middle boxes) ● High performance networking ○ Much higher multi-Gbps peak data speeds ○ Ultra low latency ○ And of course, reduce overheads introduced! ● High availability ● CapEx, OpEx #IstioCon
50 pages | 2.19 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
a step towards graduation for Istio. The engagement was a holistic security audit that had several high-level goals: 1. Formalise a threat model of Istio to guide the security audit as well as future well-maintained project that has a strong and sustainable approach to security. The project follows a high level of industry standards in dealing with security. In particular, it is worth highlighting that: fuzzers in its CI pipeline. Istio has had its fuzzing suite for around a year and has previously found high severity security issues such as CVE-2022-23635 along with dozens of reliability issues. As such,
55 pages | 703.94 KB | 1 year ago
Istio Security Assessment
The goal of the assessment was to identify security issues related to the Istio code base, highlight high risk configurations commonly used by administrators, and provide perspective on whether security features 15th, 2020. Commit: 26dacdde40968a37ba9eaa864d40e45051ec5448 Finding Breakdown Critical issues 0 High issues 4 Medium issues 5 Low issues 7 Informational issues 2 Total issues 18 Category Breakdown Data Validation 2 Component Breakdown Istio 10 Istio Sidecar 3 Istioctl 2 Pilot 3 Key Critical High Medium Low Informational 3 | Google Istio Security Assessment Google / NCC Group Confidential Table
51 pages | 849.66 KB | 1 year ago
宋净超 (Song Jingchao): From Open-Source Istio to Enterprise-Grade Service: How to Adopt a Service Mesh in the Enterprise
controls, across clusters ● High availability & resiliency enabling active-active deployments ● Cross cluster security policies & access control ● Unified telemetry and availability reporting ● Service discovery
30 pages | 4.79 MB | 6 months ago
Using Istio to Build the Next 5G Platform
peak data speeds, ultra low latency, more reliability, massive network capacity, increased availability, and a more uniform user experience to more users. Higher performance and improved efficiency ©2021 Aspen Mesh. All rights reserved. ● 4G to 5G translation (Protocols like Diameter, SCTP, GTP) ● High speed data path (SR-IOV/DPDK) ● Customizing workload certificate attributes ● Multi-cluster/site
18 pages | 3.79 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Layout ● Region: A metro region ● DC: One or more Data Centers in each Region ● AZ: One or more Availability Zones in each DC ○ Independent power, cooling, networking, etc. ● PoP: 20+ Points of Presence Scale Testing: Results ● Default wide-open egress sidecar configuration does not scale ○ Results in high memory usage & convergence times since each sidecar knows about all services in the cluster ○ Disabled
22 pages | 505.96 KB | 1 year ago
Local Istio Development
Local Machine Local Cluster + Registry docker push kubectl apply docker pull Local Kubernetes Local Registry #IstioCon Local Machine Local Cluster + Registry docker push kubectl apply docker docker pull Local Kubernetes Local Registry + Fast! Image transfers are over localhost + Reproducible configuration with other developers and Istio tests + Easy to setup bespoke clusters, including
16 pages | 424.31 KB | 1 year ago
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
event-driven model ● Compatible with the native filter invocation method 8 Example Wasm filter configuration ● Configuration pushed down to the Envoy Proxy side 9 OCI Registry As Storage ● Reference implementation of the OCI Artifacts project; it significantly simplifies storing arbitrary content in an OCI registry; ● The ORAS API/SDK Library can be used to build custom tools, ○ lifecycle management of Charts and OCI-compliant artifacts; ● oras login --username=<登录账号> acree-1-registry.cn-hangzhou.cr.aliyuncs.com 11 Pushing with the oras push command ● oras push acree-1-registry.cn-hangzhou.cr.aliyuncs.com/asm/asm-test:v0.1 --manifest-config roller) into the K8s cluster ○ asmwasm-controller watches a configmap that stores the address of the wasm filter to pull, for example: acree-1-registry.cn-hangzhou.cr.aliyuncs.com/asm/sample:v0.1 ○ If authorization is required, the asmwasm-controller uses the defined pullSecret value to obtain the corresponding
23 pages | 2.67 MB | 1 year ago
Developing & Debugging WebAssembly Filters
Ingress Gloo Mesh Management Plane SRE / Platform Team Deploy Wasm WasmDeployment Wasm Registry Istiod 18 | Copyright © 2020 Build Store Deploy Debug Debug in Production 19 | Copyright AssemblyScript Infrastructure to build, push, share, deploy, debug Wasm into Istio service mesh Wasm Registry Multi-cluster management, orchestration of Wasm lifecycle 22 | Copyright © 2020 • https://solo
22 pages | 2.22 MB | 1 year ago
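13 Istio Traffic Management Principles and Protocol Extension, 赵化冰 (Zhao Huabing)
collecting External traffic egress External traffic ingress Pilot 2 Istio Traffic Management – Control Plane Two kinds of data: ● Service data (which services are in the mesh? default routes) ○ Service Registry ■ Kubernetes: natively supported ■ Other service registries such as Consul and Eureka: MCP over xDS (https://github.com/istio-ecosystem/consul-mcp)
20 pages | 11.31 MB | 6 months ago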