runtime app dev prod dev prod internal external on-prem dev prod public cloud gke dev prod dev prod internal external on-prem internet external navikt/app:1 port: 8080 replicas: { min: 2, max: 4 } probes: { liveness: … } ingresses: - app.dev-gke.nais.io egresses: - svc-not-in-mesh.nav.local secrets: true accessPolicy: inbound: navikt/app:1 port: 8080 replicas: { min: 2, max: 4 } probes: { liveness: … } ingresses: - app.dev-gke.nais.io egresses: - svc-not-in-mesh.nav.local secrets: true accessPolicy: inbound:

tests at Omio is both not efficient and cost-effective #IstioCon How tests are run ● On QA (dev -> PR -> master -> deploy QA …. ) ● On standalone VMs running all services needed for the test #IstioCon #IstioCon Define efficient and cost-effective #IstioCon 1. Minimize time to bug detection Dev -> PR -> master -> QA -> prod 3 steps away to find a problem #IstioCon 2. Allow simultaneous tests

Version1(canary) group=dev svcB svcA Rules API Pilot apiVersion: … kind: VirtualService metadata: name: ratings-route spec: hosts: - svcb http: - match: - headers: cookie: exact: “group=dev” route: -

Version1(canary) group=dev svcB svcA Rules API Pilot apiVersion: … kind: VirtualService metadata: name: ratings-route spec: hosts: - svcb http: - match: - headers: cookie: exact: “group=dev” route: - destination:

serverless computing … … traffic management observability security … Knative design based on knative.dev #IstioCon r How Istio is leveraged in a Knative based platform - Istio as an Ingress Gateway • provisioning • Envoy overload issue still exits 800 Knative Services #IstioCon o 1400 total with dev release with flow control fix looks great, ingress_ready p100 < 30s o [Istio 1.9.x] Support for backpressure

apiVersion: networking.istio.io/v1beta1 kind: Sidecar metadata: name: default namespace: mercari-echo-jp-dev spec: egress: - hosts: - ./* - istio-system/* 35 The Sidecar CRD to save the mesh Stabilizing apiVersion: networking.istio.io/v1beta1 kind: Sidecar metadata: name: default namespace: mercari-echo-jp-dev spec: egress: - hosts: - ./* - istio-system/* Only Istio and the local namespace configuration

request and cause DoS. This is a feature of the h2c library and is documented here: https://pkg.go.dev/golang.org/x/net/http2/h2c. It says: “The first request on an h2c connection is read entirely into compliance Ada Logics follows the specifications of SLSA v0.1 that are outlined here: https://slsa.dev/spec/v0.1/requirements. This version of compliance requirements is currently in alpha and is likely

POST /qui tquitquit endpoint10 that causes the process to exit. "admin": { "access_log_path": "/dev/null", "profile_path": "/var/lib/istio/data/envoy.prof", "address": { "socket_address": { "address": apiVersion: v1 metadata: name: custom-envoy-config data: envoy.yaml: | admin: access_log_path: /dev/null address: pipe: path: "@testenvoy" node: cluster: my-cluster id: mystack static_resources:

Istio Company presenting Intel and Tetrate Tetrate, HP and others Intel Huawei Huawei IBM China Dev Lab # live viewers 554 432 395 381 341 291 Making Istio accessible 13 Sessions presented in Chinese

by Devs Component, E2E Tests Service Tests Learning from usage of application and services Dev Usage Staging/UAT Env API catalog | CONFIDENTIAL #Rollbacks MTTR #Bugs Release Velocity