risk configurations commonly used by administrators, and provide perspective on whether security features sufficiently address the concerns they are designed to provide. Four consultants over a period of is not recommended in this case but a similar approach could be build a self- hosted checklist of features and configuration options that Istio believes match security best practices. See Appendix B on page are debug interfaces exposed that cannot be disabled by Istio, so that even when all the security features are enabled, there does not appear to be a way to restrict a Pod’s access to them. Attempts to modify

End of 2021 100% services migrated to Istio 8 Features currently used: ● HTTP/2 Load-balancing ● Traffic Shifting ● mTLS Features under investigation: ● Retries ● Circuit breaking Istio Istio Main time consumers with Istio: 1. Troubleshooting 2. Spreading adoption 3. Supporting new features 29 To succeed in Istio adoption you need to have: Stabilizing Istio ● Dedicated resources for temptations from users to open features too early ● Mechanisms to improve the reliability of Istio 30 Choose your fights, start small Stabilizing Istio Start with few simple features such as: ● Injecting

optimization during Knative Service provisioning ○ Unleash maximum scalability by fully leveraging Istio features in Knative with service mesh enabled ● Reference Agenda #IstioCon Knative and Istio Istio high configuration churn 30s #IstioCon Unleash maximum scalability by fully leveraging Istio features in Knative with service mesh enabled • Enable Istio mesh on Knative – Data flow with Istio mesh/mTLS seconds for Knative application pod cold start. Unleash maximum scalability by fully leveraging Istio features in Knative with service mesh enabled • Enable Istio mesh on Knative – Impact without optimization

users easy access to features such as observability, traffic management and security without requiring users to add these to their application code. It also offers more advanced features to support A/B testing Security Components One of the advantages of using Istio is that it offers a series of security features related to identity, policies, TLS encryption, authentication, authorization and internal auditing the proxies and checks whether the policy of each proxy is up to date. Authentication has two core features in Istio: 1. Peer authentication: used for service-to-service authentication to verify the client

An API Gateway Discussion Flow ● What is an API Gateway? ● What is a Service Mesh? ● Common Features ● API Gateway + Service Mesh together! ● Istio as the API Gateway ● Advantages ● Challenges ● Where It Isn’t a Good Fit? What is an API Gateway? What is a Service Mesh? Common Features Common Features ● Load Balancing ● Request Routing ● Service Discovery ● JWT Authentication ● Traffic

appropriate documentation, testing, and code completion is done for each level ● Making sure that features continue to mature #IstioCon Release Maturity ● Provide a consistent list of requirements for announcements ● What to look for when examining releases ○ Performance ○ Resource usage ○ Open issues ○ Features being promoted ○ Release notes and upgrade notes #IstioCon Continuous Release Health ● New dashboard to allow visibility of release health ● Open issues and priorities ● Issues being promoted ● Features awaiting documentation ● Weekly performance ● Open release blockers #IstioCon Thanks also to

of projects, deployed on cloud. They have common features, also have project specified feature. We provide a common platform includes all common features, connect all projects with istio. #IstioCon Common

for workloads in a uniform way • Envoy WASM filters opens the gates for a whole array of useful features such as Kafka protocol level metrics, extended client throttling, audit logs to name a few Takeaway

with other developers and Istio tests + Easy to setup bespoke clusters, including enabling alpha features and multicluster - Local resource utilization - Some overhead of Kubernetes and docker images

#IstioCon Takeaways ● Identify the problems and improvements ● POCs for all known use-cases and features say mTLS, Outlier detection etc,. ● Passthrough mode downgrades gRPC/http2 protocol to Http/1.1