Istio audit report - ADA Logics - 2023-01-30 - v1.0
file write during archive extraction Medium High Yes 3 File left opened Medium High Yes 4 Length of new byte slice controlled by potentially untrusted file size Low High Yes 5 Possible memory exhaustions com/istio/istio/blob/master/operator/pkg/util/tgz/tgz.go#L70 func createMaliciousGzip() io.Reader { gzw := new(bytes.Buffer) // Create tar writer tw := tar.NewWriter(gzw) defer tw.Close() // Create a file f, err = io.Copy(tw, f2); err != nil { panic(err) } // Compress the tar archive maliciousBytes := new(bytes.Buffer) w := gzip.NewWriter(maliciousBytes) w.Write(gzw.Bytes()) w.Close() return bytes.NewR
55 pages | 703.94 KB | 1 year ago
Istio Security Assessment
refactoring it or building a 7 | Google Istio Security Assessment Google / NCC Group Confidential new section that consolidates security-related topics to a single page. Right now there are “Security” community support with some token of appreciation. This has historically been a successful way of getting new people involved within the community by assigning them documentation tasks as they are learning how abstract their configuration and enable future features. This could be used, in combination with a new Gateway resource field, to implement a two-way binding between ingress gateways and Gateway resources
51 pages | 849.66 KB | 1 year ago
Istio-redirector: the way to go to manage thousands of HTTP redirections
/bus/routes/bruxelles-1/lille-3 Why do we need redirections? BEFORE : /bus/routes/bruxelles/lille New /bus/routes/bruxelles-1/lille-3 Old - 404 Page /bus/routes/bruxelles/lille 1 2 AFTER /bus/ro automatically redirected to the new page instead of seeing an error page Happy Googlebot: I don’t have to crawl 2 URLs I don’t see an error page Happy SEO specialist: My new URLs get SEO popularity from the old ones and I don’t have to start from scratch New URLs are shown in the Search Engine Results #IstioCon Our infrastructure is deployed on GKE, with GCLB and Istio IngressGateway User
13 pages | 1.07 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
Stabilizing Istio Main time consumers with Istio: 1. Troubleshooting 2. Spreading adoption 3. Supporting new features 29 To succeed in Istio adoption you need to have: Stabilizing Istio ● Dedicated resources it: 1. Create a new Deployment with new name (immutable field) with the app and version labels 2. Make sure the Service is serving both Deployments 3. Create HPAs to target the new Deployment 4. Delete CPU resources and concurrency 65 Abstracting Istio Adopting Istio ● Should you expose a whole new layer of YAMLs to people that are already overfed with? The answer is no. ● Should you require your
69 pages | 1.58 MB | 1 year ago
f5a Istio Adoption Cash App
Hurdles What’s next? Projects Ideas Excitement! Internal Presentation New Square DC -> Cash App EKS Internal Presentation “New” Cash App EKS -> Square DC Internal Presentation ir-sync Internal Presentation Square DC Internal Presentation Square DC -> Cash App EKS Internal Presentation New in-mesh s2s Internal Presentation New cross-region s2s Internal Presentation
15 pages | 2.20 MB | 1 year ago
IstioCon2023 Welcome Keynote
12:00 Ambient + Pod Identity 12:40 Multiplayer Istio WASM 1:15 What’s New Since 2022 CNCF Graduation Ambient Mesh A new dataplane mode for Istio without sidecars. Graduated Announcing Istio's Started Started by teams from Google and IBM 2017 2018 2022-04 2023 2022-09 Community Growth New Contributors up 32% YoY 2022 2023 Contributor Experience Get Involved Ask Questions ● Join our
14 pages | 1.31 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
for a VM instance that connects with a valid identity token ● All we have to do is ○ specify a new WorkloadGroup with a template (to create WorkloadEntry) ○ create a ServiceEntry (to select specific from the internal mesh traffic ○ One of the viable solutions to communicate between Legacy VNFs and new CNFs ● Need a stricter security model for end-to-end key protection #IstioCon Legacy VNF CNF: ○ Limited number of nodes ○ More traffic across Pod/VMs on the same node #IstioCon QUIC ● A new transport protocol ● A little like TCP + TLS, but build on top of UDP ○ Uses UDP like TCP uses IP
50 pages | 2.19 MB | 1 year ago
Istio Project Update
Cluster Simplified #IstioCon Service Proxy Authentication Authorization Telemetry Extensibility New Extension Model Mixer #IstioCon Istiod Cluster 1 Istiod Cluster 2 API server API server Mesh #IstioCon 2020: Year of Istio Innovation Simplified installation Simplified control plane New extension Model Unified multicluster model Simplified VM onboarding Simplified troubleshooting
22 pages | 1.10 MB | 1 year ago
Istio 2021 Roadmap A heartwarming work of staggering predictability
Operator support ● Architectural simplification ○ Monolith control plane ○ Mixerless telemetry ● New extension capabilities ○ WebAssembly (Wasm) support ● Secure by default ○ Secret Discovery Service ds-2020/ #IstioCon Early adopter vs Maintainer ● Consumes latest & greatest Istio ● Utilize new capabilities ● Desire tooling to ensure frictionless upgrade https://istio.io/latest/blog/2020/tradewinds-2020/
17 pages | 633.89 KB | 1 year ago
IstioCon 2021 Report
points higher than other conference months. 18.6% New users to the project from beginning of Jan to end of Feb. 87% Of Istio users are new users at the end of February 2021. Impact for the project
18 pages | 912.89 KB | 1 year ago