Using Istio to Build the Next 5G Platform David Lenrow Open Source Service Mesh Evangelist Neeraj Poddar Co-founder & Chief Architect, Aspen Mesh February 22, 2021 2 ©2021 Aspen Mesh. All rights reserved Observability, Debugging Uniform metrics and tracing for all CNF traffic Enforcement Primitives to Build Zero Trust Strong identity for users, workloads, devices, etc. Encrypting inter-CNF traffic via

continuously. ● All fuzzers are hosted in the Istio repository along with the OSS-Fuzz build script. ● The OSS-Fuzz build is maintained to avoid disruption. ● Istio does not run the fuzzers in its CI pipeline unsatisfied in the build process. The build is not fully satisfied because the build can access secrets from the build service, where SLSA requirements state that: “It MUST NOT be possible for a build to access secrets of the build service”. The Build requirements also fail in the hermetic part, because builds run with network access, while SLSA compliance requires no network access: “The build service… MUST

Filters are written in C++ Asyc Build: need to recompile and maintain a build of Envoy EXTERNAL AUTH RATE LIMITING ROUTER UPSTREAM CUSTOM gRPC TRANSCODER Build Custom Envoy Filter 6 | Copyright failures Speed: Near native performance Sustainable: Eliminates need to recompile and maintain a build of Envoy EXTERNAL AUTH RATE LIMITING ROUTER UPSTREAM WASM gRPC TRANSCODER Why WebAssembly Copyright © 2020 Web Assembly lifecycle 12 | Copyright © 2020 Build > meshctl wasm init addheader-filter --language rust > meshctl wasm build rust -t webassemblyhub.io/yuval/addheader-rust:v1 ./addheader-filter

running within it. Instead, NCC Group used various hosting options (i.e. Minikube, GKE, KOPS) to build reference clusters and test various configurations. These reference architectures were used to provide malicious workload to override or compromise their own Istio configuration. Strategic Recommendations • Build opinionated profiles for security: Istio allows a variety of customizations to fit it into different something formal such as CIS benchmarks is not recommended in this case but a similar approach could be build a self- hosted checklist of features and configuration options that Istio believes match security

simple features such as: ● Injecting sidecars, HTTP/2 LoadBalancing ● Traffic shifting for canaries Build confidence in the system and understanding of Istio. Then you can onboard some users, get feedback even for non-idempotent methods as it is triggers when a server is unavailable at the TCP level. Build your Istiod image, push your tag and use it in the IstioOperator manifest. 55 Istio proxy performance decreasing it. 66 Abstracting Istio Adopting Istio The same way as we build libraries and interfaces to improve productivity, we need to build proper abstractions to maximize the added value of Istio to our

Annotations API definition Greeting service example #IstioCon Please Build System ● https://github.com/thought-machine/please ● Uses BUILD and allows for creation of miscellaneous rules Misc please rule

Running, NIST SPs 800-204A, NIST SP 800-204B Sheng Wu Creator, SkyWalking ● Tetrate’s product build on top of the upstream Istio ● Why not Istio OSS? ● Problems unsolved ○ Multi-cluster and VM (lower up • We built products on top of the upstream Istio. • We aim to solve the complexity of Istio and build a zero-trust network for application connectivity. • We are committed to maintaining Istio's open

abstractions for all your traffic control needs ■ Ingress ■ Egress ■ Inter Service Communication ● Build expertise in one discipline ● Decentralized maintenance ● Rich Network functionalities across the

seriously #IstioCon Most popular sessions in English Session Welcome Keynote Using Istio to build the next generation 5G platform I want to sketch a mesh for you Istio service mesh at enterprise

Rules。将数据交付给适配器。 定义了一个特定的 Instance 何时调用一个特定的 Handler插件编译和镜像打包 插件的编译 CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build - a -installsuffix cgo -o eventadapter 镜像制作的dockerfile FROM scratch ADD eventadapter /usr/bin/eventadapter