Istio Security Assessment
Such behavior could be configured by setting the PILOT_SCOPE_GATEWAY_TO_NAMESPACE environment variable feature setting, which, if enabled, configures the pilot-agent such that “a gateway workload can be accessible to unauthenticated users in the cluster. Modify Istio to expose Pilot’s debug port variable that allows this feature to be enabled or disabled. Ensure that documentation highlights that this easily enable these features but currently do not. There are examples of using istioctl to set a variable which enables seccomp and apparmor but there were no official documentation on how this is implemented
0 credits | 51 pages | 849.66 KB | 1 year ago
Using ECC Workload Certificates (pilot-agent environmental variables)
set the ECC_SIGNATURE_ALGORITHM environmental variable on sidecar ejection to ECDSA for use by pilot-agent ○ For gateways this environmental variable also must be set on installation/upgrade #IstioCon
0 credits | 9 pages | 376.10 KB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
is disabled by default and can be enabled by setting the PILOT_ENABLE_FLOW_CONTROL environment variable in Istiod. o Final solution is envoy delta-XDS push in future Istio release. Istio scalability
0 credits | 23 pages | 2.51 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
HTTPFetcher which prints out the size of the response body after it has been read into memory. The global variable bufferSize can be modified to demonstrate that the response body will be read no matter its size
0 credits | 55 pages | 703.94 KB | 1 year ago
4 results in total