Adaptor In process Bypass adaptor SkyWalking backend Tracing Metric Receiver in gRPC/HTTP Analysis Core Query CoreIstio telemetry Attribute Vocabulary https://istio.io/docs/reference/config/policy-and- service for incoming requests, such as HTTP URI path or gRPC service class + method signature. Core ConceptsIstio telemetry formatSkyWalking native telemetry formatTelemetry to Analysis scope • Any other mesh data/control panel • Format the telemetry toObservability Analysis Language • A compile language • Scopes • All • Service • ServiceInstance • Endpoint • ServiceRelation

com/istio/istio Language Golang Istio API definitions Repository https://github.com/istio/api Language Golang Istio documentation Repository https://github.com/istio/istio.io Language n/a; documentation mesh which is an infrastructure layer applicable to so�ware applications. Istio is platform and language agnostic, but is o�en used on top of Kubernetes. It offers users easy access to features such as memory-unsafe implementation issues such as buffer overflow and use-a�er-free issues. Envoy - which plays a core role in the Istio service mesh - is implemented in C++ and memory-corruption issues can therefore

traffic leaves the mesh bypassing the egress gateway.”8 This means that Istio alone cannot provide some core security controls and the documenta- tion suggests that additional mitigations, such as a network ns/admin#post--quitquitquit 11https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/core/address.proto#core-pipe 29 | Google Istio Security Assessment Google / NCC Group Confidential Finding DestinationRules applyUpstreamTLSSettings, and buildUpstreamClusterTLS Context functions within istio/pilot/pkg/networking/core/v1alpha3/cluster.go Impact An attacker that is able to intercept raw network connections between

#IstioCon Common services are in core cluster Projects shared solution cluster • Different namespace • Project runs as tenant, need control rights Solution cluster connect core cluster with Istio multi-cluster multi-cluster - Replicated control planes Some standalone cluster without Istio can access core cluster also, as tenant. HP Horizon Platform Connect With Istio #IstioCon Secure Platform • JWT Verify

Fast Any Language Outside the Web Web Assembly 7 | Copyright © 2020 Extend Envoy Proxy with Web Assembly (Wasm) Polyglot: Envoy Filters are written in C++ and Wasm expands to any language Secure 2020 Web Assembly lifecycle 12 | Copyright © 2020 Build > meshctl wasm init addheader-filter --language rust > meshctl wasm build rust -t webassemblyhub.io/yuval/addheader-rust:v1 ./addheader-filter

errors are retryable? ● Who knows the answer to all the questions? ● How to implement this to be language agnostic? #IstioCon Virtual Services API ● Solves our problems, but… ● All Service Owners must Service configs become a release artifact. ● Easy abstraction for defining timeouts and retries in a language agnostic way. ● Application developers using Istio/Envoy for retries and timeouts without knowing

maturity ○ Move “slowly and fix things” ○ Sustain the tremendous production adoption of Istio ● Stable core ○ Current Istio functionality meets user needs ○ Measured feature introduction ● Reducing operational

Meetup China About me Istio 1.10 Release Manager, Istio Community, 2021-Present GetMesh(GetIstio) core contributor, Istio Community, 2021-Present Tetrate Service Bridge developer, Tetrate.io, 2021-Present

service mesh: 100+ Kubernetes cluster ● VM integration ● On-prem, AWS, Azure, GCP, OpenShift ● 10000+ core business apps ● Plan to move to public cloud in 18 months ● Using F5 to distribute traffic at the

Huawei Cloud. - Github：https://github.com/hzxuzhonghu - Istio steering committee member - Istio Core Maintainer & Contributor - Open source enthusiastic, previously Kubernetes active contributor and