Networking controls allowing inbound and outbound access of Istio services. • Istio Envoy Usage: The configuration and implemen- tation of Envoy within Istio (NOTE: Envoy itself was not part of the assessment) did not appear to be possible to secure the control plane either by the controlPlaneSecuri ty configuration directive or other means. This left all default services exposed within the cluster. • The default Istio sidecar and would allow a malicious workload to override or compromise their own Istio configuration. Strategic Recommendations • Build opinionated profiles for security: Istio allows a variety

Problem: – Creating API tests is effort intensive – Creating + maintainting E2E, service tests, component tests adds up very quickly • What happens if you do not address the problem? – Thorough test coverage creating API tests • Can also be sped up by just navigating the application UI – Create E2E tests, component tests and service tests from the same data • Key product benefits (#releases, #rollbacks, MTTR Questions 2 Structure | CONFIDENTIAL 3 API-driven applications exploding Service Testing Component Testing E2E API Tests Engineering effort grows superlinearly as #APIs grow Customer services

filter. LDS with AwesomeRPC filter EnvoyFilter is an Istio configuration CRD, by which we can apply a “patch” to the Envoy configuration generated by Pilot. #IstioCon EnvoyFilter Example - Dubbo Traffic HTTP and gRPC. You can think of Aeraki as the “Controller" to automate the creation of envoy configuration for layer-7 protocols #IstioCon Aeraki: Manage any layer-7 traffic in an Istio service mesh integrate with Istio, deployed as a stand-alone component ● Provides an abstract layer with Aeraki CRDs, hiding the trivial details of the low-level envoy configuration from operation ● Protocol-related envoy

In Istio 1.5.4: Istio scalability optimization during Knative Service provisioning Project Component CPU MEM HorizontalPodAutoscaler (HPA) request limit request limit Istio (1.7.3) istio- ingressgateway duration from Knative Ingress and istio VirtualService are created to Knative probe thinks the configuration works. o [Istio 1.5.4] Istio is picking up new VirtualService slowly 30s #IstioCon Istio x] Support for backpressure on XDS pushes to avoid overloading Envoy during periods of high configuration churn. This is disabled by default and can be enabled by setting the PILOT_ENABLE_FLOW_CONTROL

multi-containers pods Stabilizing Istio CPU: 1 Pod App container Container requests HPA configuration (70% CPU) metrics: - type: Resource resource: name: cpu target: type: Stabilizing Istio CPU: 1 Pod App container Sidecar container CPU: 100m Container requests HPA configuration (70% CPU) metrics: - type: Resource resource: name: cpu target: type: Stabilizing Istio CPU: 1 Pod App container Sidecar container CPU: 100m Container resources HPA configuration (70% CPU) metrics: - type: Resource resource: name: cpu target: type:

Request Traffic Response Traffic Specs synced from Federated Access Point L4 Configuration L7 Route Configuration watch Client Traffic tunneled to Ingress Gateways One Istio Deployment per service mesh span all clusters in an AZ - ○ Re-deployed Istio to AZ cluster ○ In Primary-Remote configuration within an AZ AZ AZ Cluster Ingress Gateways API Server Istiod East-West Gateway watch EDS, LDS, RDS push times) ■ Resource usage (CPU, memory, etc.) ○ Secondary Goal ■ Fine-tune configuration params - debounce interval, push concurrency, etc. #IstioCon Control-plane Scale Testing:

of our SEO Specialist #IstioCon Creating the .csv Importing the file Generating the Istio configuration Deploy to production 1 2 3 4 ? SEO specialist creates the file manually Matching old URLs file Generating the Istio configuration Deploy to production 1 3 4 2 How does it work ? #IstioCon Creating the .csv Importing the file Generating the Istio configuration Deploy to production 1 repo How does it work ? #IstioCon Creating the .csv Importing the file Generating the Istio configuration Deploy to production 1 2 3 4 The files are reviewed, merged and deployed! How does it work

Workload Abstraction Item Kubernetes Virtual Machine Basic schedule unit Pod WorkloadEntry Component Deployment WorkloadGroup Service registry and discovery Service ServiceEntry K8s Pods labels:

Failure Adoption Challenges ● Multi-region deployments ● Non-flat networks ● Multi-tenant configuration ● Management of Istio installation ● Self-service mesh enablement for service owners Demo k8s Istio Istio Validation Webhooks ● Allow configuration only related to owned namespace ○ Only allow configuration for a “service’s” hostname ● Validated ○ Deployments ○ Virtual

in Go #IstioCon Architecture Overview - Discovery and Routing ● Service Discovery and Configuration using Consul ● HTTP/TCP traffic via HAProxy ● gRPC traffic via Envoy ● Internet egress (HAProxy/Envoy) ● More control over load balancing ● Offload application services from networking and configuration ● Avoid other sources of failures (Consul etc) ● Possible benefits on Observability #IstioCon