#IstioCon Secure your microservices with istio step by step JianFeng Ding, LuYao Zhong #IstioCon Agenda ● Istio identity ● mTLS in Isito ● Secure ingress traffic ● Authorize ingress traffic ● Authorize Enable Access Control to your services via Istio authorization policy Istio will Secure your microservices for you! #IstioCon Thank you!

Leveraging Istio for Creating API Tests Low Effort API Testing for Microservices | CONFIDENTIAL • What has changed? – Migration to microservices triggering need for extensive API tests • Problem: – Creating auto-generated from end-to-end tests – Significantly reduced time and cost for API testing for microservices architectures with Istio – Fewer failures higher up the test pyramid as a result of improved

all 3 zones ● REST APIs for client traffic ● gRPC for inter-service traffic ● Around 100+ microservices ● Majority of services written in Go #IstioCon Architecture Overview - Discovery and Routing ● Extendable to multi-region setup #IstioCon Approach #IstioCon Rollout - Istio setup and Microservices ● Split rollout in to phases ● Setup control plane and related tooling ● Sidecar injection Kubernetes Cluster-IP services deployed across clusters #IstioCon Rollout - Istio setup and Microservices ● Export metrics to central prometheus ● Outlier detection for better reliability ● Enable

Istio & Kubernetes • Istio & Kubernetes上的灰度发布 An open platform to connect, manage, and secure microservices. Istio项目 微服务角度看Istio: 治理形态的演变 Node 1 svc1 自身业务 SDK Sidecar 服务治理 Node 2 svc 2 自身业务 SDK without notice. Thank You. Istio & Kubernetes 在Google：Managed Istio Istio & Kubernetes 在Google：microservices become API Apigee API Management complements Istio with the robust features of Google Cloud's Cloud's Apigee API management platform, Apigee Edge, by extending API management natively into the microservices stack Istio & Kubernetes 在Google： Knative Knative Serving builds on Kubernetes and Istio to

Works GoPay & Istio About ● A few hundred developers ● Multiple Kubernetes Clusters ● 250+ microservices ● 150M+ internal API calls ● 3000+ deployments every week ● REST as well as gRPC services container and VM. ● Over time, managing Envoy and Consul became a burden, as we have more than +250 microservices using Envoy and Consul for service discovery. Istio ● We were using Envoy before which made

September 24, 2022 Shanghai, China Cloud Native Application Networking Secure, Observe and manage microservices Outline ● Background ● Enterprise Service Mesh: Tetrate Service Bridge ● Tetrate OSS Projects aware network Cloud!=Cloud Native Bare metal VMs Kubernetes VMs ● Monolith was decoupled to Microservices ● External and internal traffic starts to look less and less different from the perspective

payments Mercari holds in escrow, and simple and affordable shipping options. 5 6 ● 200+ microservices (200+ namespaces) ● 100K RPS at peak on API Gateway ● 1 main production Google Kubernetes Engine HTTP/2 load-balancing from client-side to Envoy Adopting Istio ● We use gRPC heavily in our microservices ● But Kubernetes is pretty bad at load-balancing it ● So we solved it by using a client-side

VirtualService metadata: name: evil-bookinfo spec: hosts: 2https://istio.io/latest/docs/examples/microservices-istio/setup-kubernetes-cluster/ 9 | Google Istio Security Assessment Google / NCC Group Confidential NCC-GOIST2005-015 Category Access Controls Component Istio Location https://istio.io/latest/docs/examples/microservices-istio/setup-kubernetes-cluster/ Impact Permissive Kubernetes RBAC Permissions may allow excessive

Developers 50M Customers 1993 IPO $6.8B FY19 Revenue 20 Locations 1983 Why Service Mesh? Microservices Kubernetes Service Mesh Istio Monolith Era Intuit Statistics ● 900+ Teams ● 5000+ Developers

y + All of the benefits of running Istiod locally + Can easily test real traffic, complex microservices, etc - Requires Cluster to Local network connectivity #IstioCon Plain Envoy envoy -c envoy-config