Istio Security Assessment
… within Istio (NOTE: Envoy itself was not part of the assessment). • Istio Control Plane: Istio operator, sidecar injector, and other Istio control plane services • Istio Documentation: … The documentation label search is restricted to the configuration namespace in which the resource is present. In other words, the Gateway resource must reside in the same namespace as the gateway workload instance. … Such … create an additional resource type for ingress gateways to abstract their configuration and enable future features. This could be used, in combination with a new Gateway resource field, to implement a …
51 pages | 849.66 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
… 1 vulnerability found that affected Google's managed Istio offering … 11 issues found ● 5 system resource exhaustion ● 1 arbitrary file write ● 1 missing file close ● 1 certificate skipping ● 1 case … However, we found that some less exposed parts of Istio had several issues. In particular, the Istio Operator was found to have multiple security and reliability issues. This is already well known to the Istio … https://istio.io/latest/docs/setup/install/operator/ … It was also stated by the Istio maintainers throughout the audit that the Operator was known to be under-maintained in terms …
55 pages | 703.94 KB | 1 year ago
SberBank story: moving Istio from PoC to production
… [architecture slide labels: Istio Ingress, Istio Egress, Istio 1.4 and Istio 1.6, Service Mesh Operator, "we are here"; Troubleshooting, January 2019] … Lessons Learned 1. Init containers maybe not (#14516) 3. Istio Discovery overload (#25495) 3. Sidecar & ExportTo tuning is required 1. Resource consumption 2. Resource Mounts (#15517) 4. Tests on the production-size environment aren't a waste of time
14 pages | 1.68 MB | 1 year ago
Istio Project Update
… and transformation with users in mind #IstioCon … Developer (service owner) · Platform owner · Mesh operator (could be your cloud provider) · 3 Key Personas … install · verify-install · upgrade … Istio simplify install …
22 pages | 1.10 MB | 1 year ago
Istio 2021 Roadmap: A heartwarming work of staggering predictability
… Engineer, Google) #IstioCon … Highlights of 2020 ● Better life cycle management ○ Istioctl install & Operator support ● Architectural simplification ○ Monolith control plane ○ Mixerless telemetry ● New …
17 pages | 633.89 KB | 1 year ago
Istio is a long wild river: how to navigate it safely
… pods with multiple containers with HPA. ● Fixed in Kubernetes 1.20 by specifying a container resource as an HPA target ● In the meantime, we need to add the Istio sidecar into the HPA calculation … [slide diagram: Pod, App container, Container requests, HPA configuration (70% CPU)] metrics: - type: Resource resource: name: cpu target: type: Utilization averageUtilization: 70 … Will container CPU: 100m …
69 pages | 1.58 MB | 1 year ago
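The Kubernetes 1.20 fix the slide refers to, written out as an added example that is not from the talk: the first object is the pod-level `Resource` metric shown in the snippet, whose utilization is computed over the requests of every container in the pod, so the istio-proxy sidecar's CPU and requests are folded into the application's signal; the second uses a `ContainerResource` metric so that only the application container drives scaling. Assumptions in this example: the Deployment and its application container are both named `app`, and the proxy keeps Istio's default container name `istio-proxy`.

```yaml
# Added example, not part of the talk. Before: a pod-level CPU metric.
# Utilization = sum(usage of all containers) / sum(requests of all containers),
# so the istio-proxy sidecar's usage and requests skew the number the app
# container is supposed to be scaled on.
apiVersion: autoscaling/v2          # autoscaling/v2 needs Kubernetes 1.23+
kind: HorizontalPodAutoscaler
metadata:
  name: app-podlevel                # hypothetical name
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: app                       # assumption: the Deployment is called "app"
  minReplicas: 2
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70
---
# After: scale on the application container alone. ContainerResource metrics
# shipped in Kubernetes 1.20 behind the HPAContainerMetrics feature gate
# (alpha), are enabled by default from 1.27 (beta) and are GA in 1.30.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: app                         # hypothetical name
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: app
  minReplicas: 2
  maxReplicas: 10
  metrics:
  - type: ContainerResource
    containerResource:
      name: cpu
      container: app                # assumption: the app container is named "app";
                                    # the sidecar (istio-proxy) is no longer counted
      target:
        type: Utilization
        averageUtilization: 70
```

After applying the second object, `kubectl describe hpa app` should report the CPU metric for the `app` container specifically; if the cluster is older than 1.27 and the HPAContainerMetrics gate is off, the container metric will not be evaluated and the HPA will show no current value for it, which is the check to run before relying on this instead of the sidecar-inclusive workaround from the slide.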
Local Istio Development
… apply docker pull #IstioCon … Fully Cloud: docker push, kubectl apply, docker pull … + No local resource utilization + Closely resembles production environments + Can test large scales - Slow, especially … + Easy to set up bespoke clusters, including enabling alpha features and multicluster - Local resource utilization - Some overhead of Kubernetes and docker images - Attaching a debugger is not trivial
16 pages | 424.31 KB | 1 year ago
Set Sail for a Ship-Shape Istio Release
… ○ Release and Upgrade Notes ○ Release date slip ○ Release with known issues ○ Performance and resource usage ● Istio community didn't have a process #IstioCon … Led To ● Upgrade Working Group ● Release major ● Where to post announcements ● What to look for when examining releases ○ Performance ○ Resource usage ○ Open issues ○ Features being promoted ○ Release notes and upgrade notes … Continuous …
18 pages | 199.43 KB | 1 year ago
How HP set up secure and wise platform with Istio
… filters, or even add entirely new listeners, clusters, etc. #IstioCon … Wise Platform: K8s custom resource definition · HTTP filters · Network filters · UDP listener filters … Match outbound listeners in all …
23 pages | 1.18 MB | 1 year ago
宋净超: From Open Source Istio to Enterprise Services: How to Adopt a Service Mesh in the Enterprise
… of the mesh ● Workflows for collaborative agility … More About Multi Cluster ● Multi tenancy ● Resource hierarchy ● NGAC … Two-tier Gateway ● Tier-1 Gateways sit at the application edge and are used …
30 pages | 4.79 MB | 6 months ago
13 results in total