#IstioCon Local Istio Development John Howard / @howardjohn / Google #IstioCon Fully Cloud docker push kubectl apply docker pull #IstioCon Fully Cloud docker push kubectl apply docker pull requests #IstioCon Thank you! For more information: ● https://github.com/howardjohn/local-istio-development

meetings with the Istio team to discuss questions and issues that came out throughout the period of the audit. Found issues were reported as they came up which gave the Istio team time to triage and assess investigation that revealed a vulnerability in Golang itself. The finding was reported by the auditing team to the Istio maintainers, because Istio does not cap the size of requests made on an h2c connection managed Istio offering which has MultiplexHTTP configured. A�er issue 10 had been reported to the Istio team, Istio maintainer John Howard assessed Golangs recommended solution for capping H2c requests which

based, large-scale serverless platform with Istio 张龚, Gong Zhang, IBM China Development Lab 庄宇, Yu Zhuang, IBM China Development Lab #IstioCon Speakers Gong (Grace) Zhang, zhanggbj@cn.ibm.com, twitter com/gracezhang1110, www.linkedin.com/in/gong-zhang-75560670/ Advisory Software Engineer of IBM Cloud Code Engine team focusing on Knative Serving and Istio, contributor of the Knative and Cloud Foundry community, maintainer Cloud Code Engine (Serverless platform), focusing on Knative, Istio, and Tekton, community, leading team to develop and offer serverless capabilities in IBM Cloud, which based on these Opensource technologies

urity-issues/: This section has a lot of good information but appears to be designed to provide support to security problems after they happen or guidance on error messages. This is a great goal and should towards less “fun” tasks such as documentation by building social events or incentivizing community support with some token of appreciation. This has historically been a successful way of getting new people traffic routing rules to apply when a host is addressed. They support matching on various criteria including URI paths and header values and support sending traffic to a specific in-cluster destination or returning

Access Control (NGAC) ● Exclusively co-host annual zero trust multi-cloud conference Best in Class Team ● Creators of the service mesh Istio, gRPC, Apache SkyWalking, Zipkin from Google, Twitter, & VMWare Why not Istio OSS? ● Problems unsolved ○ Multi-cluster and VM (lower onboarding cost) ○ Enterprise team structure gap (Workspace, Tenants, etc) ○ UI&UX Background ● Leads to complexity and lack of operational Global control plane ○ Local control plane TSB Management Plane ● Front Envoy ● Multi Cluster support ● XCP Central -> XCP Edge TSB Control Plane ● VM integration ● XCP Edge ● Upstream Istio ●

Observability ○ See VM metrics alongside containers ● Extensibility #IstioCon Why Should Istio Support VMs ● ≈ Why VMs? ○ Technical reasons ■ Better known security controls ■ Better isolation (of forward ■ Retry, timeout, fault injection, mtls policies ■ VM service, multicluster Istio mesh support ● Service + Endpoints ○ Usually for internal traffic ○ ExternalName ■ Service <-> DNS name ○ separate object with distinct lifecycles Before Workload Entry, a single Istio Service Entry object combined the lifecycles of both the service and the workloads implementing it, w/o giving a first-class

addresses to access our endpoints. Drawback: ● Not the preferred approach suggested from security team ● Maintenance a lot of endpoint for each GoPay partner with specific IP seems burden job. ● Security lifecycle for HTTPS and mutual TLS communication. ● Renew & sync to our Kubernetes cluster, also support syncing to VM with an agent installed, this is also used by our partners as well. Ingress Mutual mechanism to using Egress Gateway, we block because we are using Istio 1.6 and Egress gateway not support adding certificate via SDS (Istio #14039). Thank You #ThereIsAlwaysAWay

Solo.io 3 | Copyright © 2020 Istio Adoption with Gloo Mesh Crawl Walk Run Fly Upstream Istio support (24 X 7) LTS (N – 3) FIPS, ARM Tech Advisory Developer portal API Gateway Security (EW) Observability Order s User Acco unt Ingre ss Ingre ss Ingre ss Gloo Mesh Management Plane SRE / Platform Team Deploy Wasm WasmDeployment Wasm Registry Istiod 18 | Copyright © 2020 Build Store Deploy

app apiVersion: "nais.io/v1alpha1" kind: "Application" metadata: name: app labels: team: pension spec: image: navikt/app:1 port: 8080 replicas: { min: 2, max: 4 } probes: { liveness: app apiVersion: "nais.io/v1alpha1" kind: "Application" metadata: name: app labels: team: pension spec: image: navikt/app:1 port: 8080 replicas: { min: 2, max: 4 } probes: { liveness: serviceentry apiVersion: "nais.io/v1alpha1" kind: "Application" metadata: name: app labels: team: pension spec: image: navikt/app:1 port: 8080 replicas: { min: 2, max: 4 } probes: { liveness:

new users at the end of February 2021. Impact for the project Source: http://eng.istio.io/ The team (1/3) Organizer’s Committee Co-lead Aizhamal Nurmamat kyzy (Google) Co-lead María Cruz (Google) Conner (RedHat) Member Aditya Prerepa (Highschool student) Member Alex Soto Bueno (RedHat) The team (2/3) Program Committee Co-lead Lin Sun (IBM > Solo.io) Co-lead Craig Box (Google) Member Christian Tannous (RedHat) Member Iris Ding (Intel) Member Jimmy Song (Tetrate) Member Zhonghu Xu (Huawei) The team (3/3) Event Production (Software Guru) Event Manager Mara Ruvalcaba Content Coordination Pedro