with Istio mesh/mTLS #IstioCon o Init-container added which cost ~5 seconds for Knative application pod code start. o Every sidecar needs full mesh information by default. Not a scalability solution. o push them to the sidecar. o Istio-proxy (envoy) sidecar costs ~2 seconds for Knative application pod cold start. Unleash maximum scalability by fully leveraging Istio features in Knative with service daemonset pod of istio CNI plugin is up and running before knative pods scheduling on the node. o Crontab job could help to detect whether pod was configured correctly and restart pod Unleash maximum

Machine Basic schedule unit Pod WorkloadEntry Component Deployment WorkloadGroup Service registry and discovery Service ServiceEntry K8s Pods labels: app: foo class: pod ServiceEntry selector: app: Limitations (cont.) ● Access management: CNI needs improvements ○ Much required to avoid escalated Pod privileges ○ No support for smart DNS proxying (yet…) ● Further security middle boxes support ○ Stack Bypass (cont.) ● Leverage eBPF ● Target Pod/VMs on the same node ● Use case: edge computing ○ Limited number of nodes ○ More traffic across Pod/VMs on the same node #IstioCon QUIC ● A new

solving? Architecture: K8s app using Redis over TLS only app-1 Namespace ms-1 K8s Pod External DB ms-2 K8s Pod ms-3 K8s Pod TLS only ● App with multiple microservices ● external Redis TLS only ● each Origination Architecture: K8s app using Redis over TLS only (TLS origination) app-1 Namespace ms-1 K8s Pod External DB container app container istio-proxy TCP TLS ● app talks unencrypted TCP to Redis

Envoy #IstioCon Istio-CNI ● The Istio CNI plugin performs the Istio mesh pod traffic redirection in the Kubernetes pod life-cycle’s network setup phase, ● Removing the requirement for the NET_ADMIN Inbound, 4-tuple key may conflict due to same src/dst ip address #IstioCon Use pod ip as hash key Use pod_ip to generate a unique key is a way to distinguish socket from different network namespace

Control Plane UDM Identity 11 ©2021 Aspen Mesh. All rights reserved. ● CNI to avoid escalated pod privileges ● Integrate with PKI minted Intermediate CA ● Enable ECC certificates ● Configure workload

noexcept; hazard_pointer_domain(const hazard_pointer_domain&) = delete; hazard_pointer_domain& operator=(const hazard_pointer_domain&) = delete; ~hazard_pointer_domain(); }; hazard_pointer_domain& hazard_pointer() noexcept; // Empty hazard_pointer(hazard_pointer&&) noexcept; hazard_pointer& operator=(hazard_pointer&&) noexcept; ~hazard_pointer(); [[nodiscard]] bool empty() const noexcept; noexcept; hazard_pointer_domain(const hazard_pointer_domain&) = delete; hazard_pointer_domain& operator=(const hazard_pointer_domain&) = delete; ~hazard_pointer_domain(); }; hazard_pointer_domain&

the column family, followed by a relational operator (one of =, >, >=, <, or <=), and then a value. When terms appear on both sides of a relational operator it is assumed the filter applies to an indexed indexed column. With column index filters, the term on the left of the operator must be the name of the indexed column, and the term on the right is the value to filter on. Note: The greater-than and less-than

access the current page that is rendering the template. It is important to remember that unless the operator has already assigned a page extension to every page, a page may not have the iconextension relationship Now when the operator invokes “Edit this page…” from the toolbar, there will be an additional menu item Page Icon ... (in this case), which can be used to open a modal dialog where the operator can affect notes What’s new in 3.0.10 Improved Python 3 compatibility Improved the behaviour when changing the operator’s language Numerous documentation updates Bug Fixes Revert a change that caused an issue with saving

Engineer, Google) #IstioCon Highlights of 2020 ● Better life cycle management ○ Istioctl install & Operator support ● Architectural simplification ○ Monolith control plane ○ Mixerless telemetry ● New