Set Sail for a Ship-Shape Istio Release
IstioCon talk. Brian Avery (Red Hat, Senior Software Engineer; Twitter @briansvgs) and Eric Van Norman (IBM, Senior Software Engineer; Twitter @kf0s).
Snippet: "...first box and the pull request will merge." New system: release notes. Release notes, as a result... release notes are thought of up-front as part of changes, with context by the people who know...
18 pages | 199.43 KB | 1 year ago
How HP set up secure and wise platform with Istio
IstioCon talk. John Zheng (john.zheng@hp.com).
Agenda: HP Horizon platform design with Istio; Secure platform; Wise platform; Excellent observability.
Snippet: Istio (Envoy) can generate access logs for service traffic in a configurable set of formats. Excellent observability, access logs: log files; parse the istio-proxy log...
23 pages | 1.18 MB | 1 year ago
Full-Stack Service Mesh: Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
IstioCon talk.
Snippet: ...manage all layer-7 traffic in the service mesh. Demo: Dubbo traffic management. MetaProtocol: a generic layer-7 protocol framework for the service mesh.
Protocols in a typical microservice application: services; messaging: RabbitMQ ...; cache: Redis, Memcached ...; database: MySQL, PostgreSQL, MongoDB ...; other layer-7 protocols ...; control plane (traffic management, security, observability).
What do we expect? To manage any layer-7 protocol, not just HTTP and gRPC. You can think of Aeraki as the "controller" that automates the creation of Envoy configuration for layer-7 protocols. Aeraki: manage...
29 pages | 2.11 MB | 1 year ago
Using Istio to Build the Next 5G Platform
Aspen Mesh talk (©2021 Aspen Mesh. All rights reserved).
Snippet: ...gateways. Learnings along the way: 4G-to-5G translation (protocols like Diameter, SCTP, GTP); high-speed data path (SR-IOV/DPDK); customizing workload certificate...
18 pages | 3.79 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
Snippet: Describing the properties of a service, internal or external to the mesh: DNS name; VIPs, ports, protocols; endpoints. After adding it, send traffic to the service as if it were a service in your mesh...
50 pages | 2.19 MB | 1 year ago
Istio Security Assessment
Snippet (findings table): ...Hardened. 001, Low: The Sidecar Does Not Use AppArmor/Seccomp By Default. 005, Low: Insecure File Permissions Set. 007, Low: Istio Client-Side Bypasses. 014, Low: Sidecar Envoy Administrative Interface Exposed To Workload.
"...d is set to false, communication between the control plane will be secure by default." [1] In the "default" profile used to represent a production environment, "controlPlaneAuthPolicy" is set to "NONE". ... "controlPlaneAuthPolicy: MUTUAL_TLS". Create an Istio setup with control plane security enabled: istioctl install --set values.global.controlPlaneSecurityEnabled=true. Deploy the customized default policy. Start a pod...
51 pages | 849.66 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
Snippet: "...into memory before the Handler is called. To limit the memory consumed by this request, wrap the result of NewHandler in an http.MaxBytesHandler." John found that when the recommended MaxBytesHandler of...
...of Istio. During the initial assessment, the Ada Logics auditing team reviewed the existing fuzzing setup. At the start of the audit, we made the following observations: Istio is integrated into OSS-Fuzz...
Certificate management; authentication; authorization; Policy Enforcement Points (PEPs); a set of Envoy proxy extensions to manage telemetry and auditing. Certificate management: alongside each Envoy...
55 pages | 703.94 KB | 1 year ago
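The audit excerpt above quotes the advice to wrap a handler that buffers the whole request body in http.MaxBytesHandler. The Go program below is an added example, not code from the Ada Logics report or from Istio: it runs one small body-buffering handler once unbounded and once behind http.MaxBytesHandler with a 1024-byte cap, against constructed in-process requests, and shows the bounded variant turning an oversized body into a 413 instead of allocating whatever the client sends. The handler, the limit and the request sizes are the example's own choices.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// echoSize stands in for a handler that, like the one in the quoted advice,
// reads the entire request body into memory before doing any work.
// It reports the body size, or 413 when the cap installed by
// http.MaxBytesHandler is exceeded (surfaced by io.ReadAll as *http.MaxBytesError).
func echoSize(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "%d", len(body))
}

// unboundedHandler has no cap: the server allocates as many bytes as the client sends.
func unboundedHandler() http.Handler { return http.HandlerFunc(echoSize) }

// boundedHandler wraps the same handler so the readable body is capped at limit bytes.
func boundedHandler(limit int64) http.Handler {
	return http.MaxBytesHandler(http.HandlerFunc(echoSize), limit)
}

// post sends a constructed body of n bytes to h in-process and returns
// the status code and the trimmed response body.
func post(h http.Handler, n int) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(strings.Repeat("A", n)))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	for _, n := range []int{512, 4096} {
		c1, b1 := post(unboundedHandler(), n)
		c2, b2 := post(boundedHandler(1024), n)
		fmt.Printf("%d-byte body: unbounded -> %d %q, bounded(1024) -> %d %q\n", n, c1, b1, c2, b2)
	}
}
```

Two caveats a reviewer would add: http.MaxBytesHandler only caps what the wrapped handler can read, so the handler itself still has to recognise the error and answer with 413 rather than a generic 400; and matching on *http.MaxBytesError requires Go 1.19 or newer, while on a real server the MaxBytesReader also marks the connection to be closed after the response.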
Secure your microservices with istio step by step
IstioCon talk.
Snippet: kubectl label namespace default istio-injection=disabled/enabled. Result: can access reviews-v1, reviews-v2 and reviews-v3; access productpage.
Istio identity: in the istio-proxy container, curl localhost:15000/config_dump. Istio identity, check configuration result: cert generated automatically with Istio identity.
1) Apply PeerAuthentication to enable server-side mTLS. DISABLE: accept only plain text. UNSET: inherit from parent, defaults to PERMISSIVE if not set.
apiVersion: "security.istio.io/v1beta1", kind: "PeerAuthentication", metadata: name: "demo-peer-policy"...
34 pages | 67.93 MB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
Snippet: ...testing for microservices architectures with Istio. Fewer failures higher up the test pyramid as a result of improved API tests. Istio benefits (Venky / Prasad, point here). Demo. Questions.
Structure: ...service in isolation; all producer services are mocked.
Terminology. Component testing: test a set of services as a single sub-system while isolating them from other services, for example payment...
...independently. Updates to an API require updating the corresponding service and component tests. As a result, teams would go for just E2E tests. Teams often focus on end-to-end tests (besides...
21 pages | 1.09 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
Snippet: ...complete, leading to 5xx errors. Example: for sleep 30 + sleep 45 in the application container, we set terminationGracePeriodSeconds to 90 seconds. Warning: these are workarounds, not solutions!
Stabilizing ... HTTP/2 load-balancing capabilities out of the box. We tried it as-is, with existing gRPC services. Result: weird 5xx errors on upstream service pod rollout, no matter how well our services handled graceful termination.
...pods, there are n sidecars. Case 1: one size fits all (must fit the biggest workload). Pro: easy to set, one default value for sidecar resources. Con: bigger default size means bigger cost. Case 2: adjust based...
69 pages | 1.58 MB | 1 year ago