#IstioCon Taming Istio Configuration with Helm Ryan Michela / @ryanmichela / Salesforce #IstioCon In this talk This is a talk about using Helm with Istio ● Look at helm from a new perspective DEMO #IstioCon Demo - Bookinfo What did we see? ● Single entry point for each service’s configuration ● Install each service with a single command ● Single source of truth for auth and egress policy Everything you need to run a service in the mesh ● Ingress-service ○ Add’s ingress gateway configuration to mesh-service ● Mesh-egress ○ Configures TLS egress and policy ● Auth-policy ○ Configures

Networking controls allowing inbound and outbound access of Istio services. • Istio Envoy Usage: The configuration and implemen- tation of Envoy within Istio (NOTE: Envoy itself was not part of the assessment) did not appear to be possible to secure the control plane either by the controlPlaneSecuri ty configuration directive or other means. This left all default services exposed within the cluster. • The default Istio sidecar and would allow a malicious workload to override or compromise their own Istio configuration. Strategic Recommendations • Build opinionated profiles for security: Istio allows a variety

--api-group=extensions # Print the supported API versions oc api-versions # Apply the configuration in pod.json to a pod. oc apply -f ./pod.json # Apply resources from a directory containing stdin to a pod. cat pod.json | oc apply -f - # Note: --prune is still in Alpha # Apply the configuration in manifest.yaml that matches label app=nginx and delete all the other resources that are not file and match label app=nginx. oc apply --prune -f manifest.yaml -l app=nginx # Apply the configuration in manifest.yaml and delete all the other configmaps that are not in the file. oc apply --prune

provides a single IP address and DNS name by which the pods can be accessed. This load balancing configuration is much easier to manage, and helps scale pods seamlessly. Volume A volume is a directory API server which provides all CRUD operations on cluster through a API. • proxy is another component which is running on every node in Kubernetes cluster and provides a simple network and load balancer complete Guestbook application: • Service definitions for: o FrontEnd component : o Redis Master o Redis Slave component • Deployment definitions for: o Front End o Redis Master o Redis Slave

Snapshot Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 1.11 Virtual Machine Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 1.12 Removing and Moving Virtual Machines 36 1.18.2 Creating a Custom Keyboard Layout . . . . . . . . . . . . . . . . . . . . 37 1.19 Configuration Details and Runtime Information of Virtual Machines . . . . . . . 37 2 Contents 1.19.1 Virtual Advanced Configuration for Windows Guests . . . . . . . . . . . . . . . . . . . . 313 9.2.1 Automated Windows System Preparation . . . . . . . . . . . . . . . . . 313 9.3 Advanced Configuration for Linux

2. Internally, for portability and easier maintenance, the Main API is implemented using the Component Object Model (COM), an interprocess mechanism for software components originally introduced by Microsoft you might find it preferable to program VirtualBox’s Main API directly via COM. COM stands for “Component Object Model” and is a standard originally introduced by Mi- crosoft in the 1990s for Microsoft (read-only) wstring ICertificate::issuerName[] Issuer name. Each member of the array is on the format COMPONENT=NAME, e.g. “C=DE”, “ST=Example”, “L=For Instance”, “O=Beispiel GmbH”, “CN=beispiel.example.org”

2. Internally, for portability and easier maintenance, the Main API is implemented using the Component Object Model (COM), an interprocess mechanism for software components originally introduced by Microsoft you might find it preferable to program VirtualBox’s Main API directly via COM. COM stands for “Component Object Model” and is a standard originally introduced by Mi- crosoft in the 1990s for Microsoft (read-only) wstring ICertificate::issuerName[] Issuer name. Each member of the array is on the format COMPONENT=NAME, e.g. “C=DE”, “ST=Example”, “L=For Instance”, “O=Beispiel GmbH”, “CN=beispiel.example.org”

2. Internally, for portability and easier maintenance, the Main API is implemented using the Component Object Model (COM), an interprocess mechanism for software components originally introduced by Microsoft you might find it preferable to program VirtualBox’s Main API directly via COM. COM stands for “Component Object Model” and is a standard originally introduced by Mi- crosoft in the 1990s for Microsoft (read-only) wstring ICertificate::issuerName[] Issuer name. Each member of the array is on the format COMPONENT=NAME, e.g. “C=DE”, “ST=Example”, “L=For Instance”, “O=Beispiel GmbH”, “CN=beispiel.example.org”

2. Internally, for portability and easier maintenance, the Main API is implemented using the Component Object Model (COM), an interprocess mechanism for software components originally introduced by Microsoft you might find it preferable to program VirtualBox’s Main API directly via COM. COM stands for “Component Object Model” and is a standard originally introduced by Mi- crosoft in the 1990s for Microsoft (read-only) wstring ICertificate::issuerName[] Issuer name. Each member of the array is on the format COMPONENT=NAME, e.g. “C=DE”, “ST=Example”, “L=For Instance”, “O=Beispiel GmbH”, “CN=beispiel.example.org”