Is Your Virtual Machine Really Ready-to-go with Istio?
Observability ○ See VM metrics alongside containers ● Extensibility #IstioCon Why Should Istio Support VMs ● ≈ Why VMs? ○ Technical reasons ■ Better known security controls ■ Better isolation (of forward ■ Retry, timeout, fault injection, mTLS policies ■ VM service, multicluster Istio mesh support ● Service + Endpoints ○ Usually for internal traffic ○ ExternalName ■ Service <-> DNS name ○ sidecar proxy injection ○ automate VM registration ○ health/readiness check #IstioCon V1.7 VM Support with Added Security ● Secure bootstrapping process ○ Automate provisioning a VM's mesh identity
50 pages | 2.19 MB | 1 year ago

Istio 2021 Roadmap: A heartwarming work of staggering predictability
Istioctl install & Operator support ● Architectural simplification ○ Monolith control plane ○ Mixerless telemetry ● New extension capabilities ○ WebAssembly (Wasm) support ● Secure by default ○ Secret UX Working Group - Upgrade Survey 2020 Do users on old versions understand their security and support posture? #IstioCon Listening to our users ... UX Working Group - Upgrade Survey 2020 #IstioCon winds-2020/ ● Fixed budget for infrastructure maintenance ● Desire predictability ● Longer support windows ● Skip releases for upgrades #IstioCon Focus areas for ‘Day 2 Operations’ #IstioCon
17 pages | 633.89 KB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
account ○ Trust Domain mapped to workload environments ■ Prod, Pre-prod, PCI, Staging, etc. ○ To support multiple trust domains in a single K8s cluster ■ Deploy multiple Istio deployments within a K8s ● Control-plane scale testing ○ Primary Goal ■ Understand Istio control-plane performance to support eBay scale ■ Proxy config convergence time (CDS, EDS, LDS, RDS push times) ■ Resource usage (CPU PILOT_PUSH_THROTTLE, etc. params of Istio Pilot #IstioCon Future Direction ● Support for on-demand config pushes to Envoy via Incremental XDS ● Support for multiple trust domains & namespace isolation natively in
22 pages | 505.96 KB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
monitor and mount secrets under istio-system to ingress gateway which contains credentials for HTTPS support of multiple tenants. • Knative has knative-ingress-gateway for external access and knative-local-gateway tuning • Performance Criteria: the platform has multiple shard k8s clusters, each cluster should support 1000 sequential (interval 5s) Knative service provisionings with route ready time <= 30s. Type total with dev release with flow control fix looks great, ingress_ready p100 < 30s o [Istio 1.9.x] Support for backpressure on XDS pushes to avoid overloading Envoy during periods of high configuration churn
23 pages | 2.51 MB | 1 year ago

Istio Security Assessment
urity-issues/: This section has a lot of good information but appears to be designed to provide support for security problems after they happen or guidance on error messages. This is a great goal and should towards less “fun” tasks such as documentation by building social events or incentivizing community support with some token of appreciation. This has historically been a successful way of getting new people traffic routing rules to apply when a host is addressed. They support matching on various criteria including URI paths and header values and support sending traffic to a specific in-cluster destination or returning
51 pages | 849.66 KB | 1 year ago

IstioCon 2021 Partner Packages
Workshop of 2.5 hours for China TZ 1. Getting involved - Content 2. Getting involved - Financial support The following table describes the event bundles that allow IstioCon to showcase a multi-vendor after the event wrap-up. PII from registrations for gifts ● Vendors who want to offer financial support for the conference (“Sponsoring vendor”) will choose one category to engage in, and will be connected Wikimedia movement 2030 strategy) Graphic recording Process and implementation Coordination and support ● Software Guru will help to find suppliers in what relates to gifts and services. ● Companies
23 pages | 3.18 MB | 1 year ago

Exploring and Practicing Istio-Based Microservice Governance Event Monitoring
A(application) Transactionid(CA SDK support) TOM (who) Create a checklist(action) At 2018-0930(time) log output (Transaction ID) C(application) Transactionid(CA SDK support) TOM (who) Create a checklist(action) checklist(action) At 2018-0930(time) log output B(application) Transactionid(CA SDK support) TOM (who) Create a checklist(action) At 2018-0930(time) log output Get the corresponding logs for one time request by transaction
29 pages | 8.37 MB | 5 months ago

Automate mTLS communication with GoPay partners with Istio
lifecycle for HTTPS and mutual TLS communication. ● Renew & sync to our Kubernetes cluster, also support syncing to VM with an agent installed, this is also used by our partners as well. Ingress Mutual mechanism to using Egress Gateway, we are blocked because we are using Istio 1.6 and Egress gateway does not support adding certificates via SDS (Istio #14039). Thank You #ThereIsAlwaysAWay
16 pages | 1.45 MB | 1 year ago

Using ECC Workload Certificates (pilot-agent environmental variables)
x509 certificates that use Elliptic Curve Cryptography (ECC) is a requirement ● In Istio 1.6, support for workloads to use ECC certificates for mTLS in sidecar-to-sidecar communication was added ○ certificate using RSA if plugged in custom CA certificates aren’t specified #IstioCon MeshConfig support In Istio 1.10 I am currently working on having ECC be supported in meshConfig for Istio 1.10 as
9 pages | 376.10 KB | 1 year ago

How HP set up secure and wise platform with Istio
on platform level, reduces application workload. Intelligence Platform for Multiple Tenant Support • Support multi-tenants (Add extra http header/ logs wisely) • Verify whether JWT token in blacklist
23 pages | 1.18 MB | 1 year ago
21 results in total