Istio as an API Gateway
Istio As An API Gateway Discussion Flow ● What is an API Gateway? ● What is a Service Mesh? ● Common Features ● API Gateway + Service Mesh together! ● Istio as the API Gateway ● Advantages ● Challenges ● Where It Isn’t a Good Fit? What is an API Gateway? What is a Service Mesh? Common Features Common Features ● Load Balancing ● Request Routing ● Service Discovery ● JWT Authentication Logging, Monitoring, Tracing API Gateway + Service Mesh together! Limitations of This Approach ● Maintaining Two Tools ● Maintaining Two Expert Pools Istio as the API Gateway Advantages Advantages
0 points | 27 pages | 1.11 MB | 1 year ago 3
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
Creating API Tests Low Effort API Testing for Microservices | CONFIDENTIAL • What has changed? – Migration to microservices triggering need for extensive API tests • Problem: – Creating API tests • What is our solution? – Leverage Istio sidecar to listen to API traffic data and create tests from the data – 10x speed in creating API tests • Can also be sped up by just navigating the application Significantly reduced time and cost for API testing for microservices architectures with Istio – Fewer failures higher up the test pyramid as a result of improved API tests • Istio benefits – Venky / Prasad
0 points | 21 pages | 1.09 MB | 1 year ago 3
Istio Security Assessment
Istio control plane along with a set of TCP services that it exposes. One of which is the “/debug” API hosted on 15014/TCP by default. This service exposes a web interface that is accessible without authentication remote: multi-cluster remote control plane setup • default: default settings of the IstioOperator API • demo: enables a variety of extra features • empty: provides a template • minimal: minimal config namespace. If, in the future, a privilege escalation vector is identified for any of the Kubernetes API Groups, escape from a specific namespace is possible. Description Istio documentation in the above
0 points | 51 pages | 849.66 KB | 1 year ago 3
How HP set up secure and wise platform with Istio
#IstioCon Common services are in core cluster Projects shared solution cluster • Different namespace • Project runs as tenant, need control rights Solution cluster connect core cluster with Istio multi-cluster multi-cluster - Replicated control planes Some standalone cluster without Istio can access core cluster also, as tenant. HP Horizon Platform Connect With Istio #IstioCon Secure Platform • JWT Verify : Istio Mixer authz adapt Implement role-based authorization – whether this user can access this api based on its role => Version 2: Envoyfilter ext_authz #IstioCon Wise Platform #IstioCon Wise
0 points | 23 pages | 1.18 MB | 1 year ago 3
宋净超 - From Open-Source Istio to Enterprise-Grade Services: How to Adopt Service Mesh in the Enterprise
(Service) POD Workload (Service) POD Workload (Service) VM Workload (Service) VM Workload (Service) VM API Gateway Ingress & Egress Mesh can include VMs ● Multi tenancy ● Traffic shaping and canary controls reporting ● Service discovery across multiple clusters ● Fine-grained ingress & egress controls ● API GW is part of the mesh ● Workflows for collaborative agility More About Multi Cluster ● Multi tenancy zero dependency WebAssembly runtime written in Go. ● Contribute to Go/TinyGo/Rust ● Using WasmPlugin API to extend Istio ● GitHub: tetratelabs/wazero Istio Security Scanner ● Make Istio Security Best Practices
0 points | 30 pages | 4.79 MB | 6 months ago 3
Istio audit report - ADA Logics - 2023-01-30 - v1.0
repository Repository https://github.com/istio/istio Language Golang Istio API definitions Repository https://github.com/istio/api Language Golang Istio documentation Repository https://github.com/istio/istio memory-unsafe implementation issues such as buffer overflow and use-after-free issues. Envoy - which plays a core role in the Istio service mesh - is implemented in C++ and memory-corruption issues can therefore policies to the proxies and checks whether the policy of each proxy is up to date. Authentication has two core features in Istio: 1. Peer authentication: used for service-to-service authentication to verify the
0 points | 55 pages | 703.94 KB | 1 year ago 3
Istio 2021 Roadmap A heartwarming work of staggering predictability
WebAssembly (Wasm) support ● Secure by default ○ Secret Discovery Service (SDS) ○ Auto mTLS ● API and feature promotion ○ Networking/Security APIs ○ Virtual Machine expansion/Multi cluster mesh maturity ○ Move “slowly and fix things” ○ Sustain the tremendous production adoption of Istio ● Stable core ○ Current Istio functionality meets user needs ○ Measured feature introduction ● Reducing operational https://istio.io/latest/blog/2020/tradewinds-2020/ #IstioCon Other improvement areas ● Native Kubernetes API integration ○ Kubernetes Service APIs ○ Kubernetes Multi-cluster APIs ● Adopt & drive innovation
0 points | 17 pages | 633.89 KB | 1 year ago 3
Observability and Istio Telemetry
Adaptor In process Bypass adaptor SkyWalking backend Tracing Metric Receiver in gRPC/HTTP Analysis Core Query Core Istio telemetry Attribute Vocabulary https://istio.io/docs/reference/config/policy-and- service for incoming requests, such as HTTP URI path or gRPC service class + method signature. Core Concepts Istio telemetry format SkyWalking native telemetry format Telemetry to Analysis scope • https://github.com/apache/incubator-skywalking-query-protocol Ecosystem powered by GraphQL and SkyWalking core • Open source UI project for SkyWalking • https://github.com/TinyAllen/rocketbot ServiceMesher WeChat official account
0 points | 21 pages | 5.29 MB | 6 months ago 3
Istio Meetup China: Service Mesh Security, Understanding Istio CNI
Meetup China About me Istio 1.10 Release Manager, Istio Community, 2021-Present GetMesh(GetIstio) core contributor, Istio Community, 2021-Present Tetrate Service Bridge developer, Tetrate.io, 2021-Present
0 points | 19 pages | 3.17 MB | 1 year ago 3
Preserve Original Source Address within Istio
Huawei Cloud. - GitHub: https://github.com/hzxuzhonghu - Istio steering committee member - Istio Core Maintainer & Contributor - Open source enthusiastic, previously Kubernetes active contributor and
0 points | 29 pages | 713.08 KB | 1 year ago 3