Istio Security Assessment
an ideal Kubernetes cluster with Istio running within it. Instead, NCC Group used various hosting options (i.e. Minikube, GKE, KOPS) to build reference clusters and test various configurations. These reference case but a similar approach could be build a self-hosted checklist of features and configuration options that Istio believes match security best practices. See Appendix B on page 40. 2 | Google Istio Security This section appears to be designed to provide guidance on security related configuration options but the only options included are how to “Harden Docker Container Images” and “Extending Self-Signed Certificate
0 credits | 51 pages | 849.66 KB | 1 year ago | 3

Istio is a long wild river: how to navigate it safely
environment that uses the payments Mercari holds in escrow, and simple and affordable shipping options. 5 6 ● 200+ microservices (200+ namespaces) ● 100K RPS at peak on API Gateway ● 1 main production by setting the `holdApplicationUntilProxyStarts` field to true in ProxyConfig under MeshConfig options: meshConfig: defaultConfig: holdApplicationUntilProxyStarts: true 17 Workaround: Use using more than 770m CPU 26 Define HPA target for multi-containers pods Stabilizing Istio Two options: 1. Make the istio-proxy CPU very low compared to the application CPU (Between x%
0 credits | 69 pages | 1.58 MB | 1 year ago | 3

f5a Istio Adoption Cash App
linkedin.com/in/gflarity linkedin.com/in/liam-white Internal Presentation AGENDA Why? Reasons Options How? Strategy Compromise What could have been better? Learnings Hurdles What’s next? Projects
0 credits | 15 pages | 2.20 MB | 1 year ago | 3

Local Istio Development
Istio dependency. Great for minimal Envoy bug reproductions + Great for rapid iteration of Envoy options - Very different from production environment - May be challenging to reproduce Istio configurations
0 credits | 16 pages | 424.31 KB | 1 year ago | 3

Using Istio to Build the Next 5G Platform
Powerful Layer 7 (HTTP/2) routing 8 ©2021 Aspen Mesh. All rights reserved. Architecture Options 9 ©2021 Aspen Mesh. All rights reserved. Namespace Level Tenancy Control Plane AMF
0 credits | 18 pages | 3.79 MB | 1 year ago | 3

Preserve Original Source Address within Istio
LVS, one connection • HAProxy transparent mode, two connections L4 • Add IP in TCP Protocol options • Proxy Protocol L7 • HTTP header “x-forwarded-for” • User Protocol #IstioCon LVS ① user
0 credits | 29 pages | 713.08 KB | 1 year ago | 3

6 results in total













