Istio Meetup China: Service Mesh Security, Understanding Istio CNI (19 pages, 3.17 MB)
Networking lifecycle without Istio CNI: Istiod watches for updates and starts networking; the sidecar-proxy init container updates the iptables rules for the proxy and then terminates; the workload starts with the updated IP routing rules. Networking lifecycle with Istio CNI: kubelet invokes the CNI plugins; the CNI plugins set up the IP for the pod; Istio CNI installs the sidecar network routing rules in the workload's iptables. Benefits of Istio CNI: no need for the CAP_NET_ADMIN and CAP_NET_RAW capabilities; no race condition in which traffic bypasses the Istio sidecar proxy. Issue in Istio CNI: kubelet starts the pause pod, kubelet invokes the CNI plugins, CNI0 ...
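The CNI-based lifecycle summarized above is enabled at install time. The following IstioOperator manifest is an added example, not taken from the meetup slides or from the Istio project, that turns on the Istio CNI node agent so that injected pods no longer need a privileged istio-init container. The chained mode and the excluded namespaces are assumptions for a typical cluster.

```yaml
# Added example (not from the original talk): enable the Istio CNI node agent
# so that traffic redirection is installed by the CNI plugin during pod
# networking setup instead of by an istio-init container that needs
# NET_ADMIN and NET_RAW.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-with-cni
  namespace: istio-system
spec:
  components:
    cni:
      enabled: true
  values:
    cni:
      # Assumption: the Istio CNI plugin is chained onto the cluster's
      # primary CNI plugin (the usual setup); set false only for CNIs that
      # require Istio CNI to run as a standalone plugin.
      chained: true
      # Assumption: control-plane and system namespaces are never redirected
      # through a sidecar.
      excludeNamespaces:
        - istio-system
        - kube-system
```

After installing with this manifest (for example `istioctl install -f istio-with-cni.yaml`), check an injected pod with `kubectl get pod <pod> -o jsonpath='{.spec.initContainers[*].name}'`: with CNI enabled the injector adds an `istio-validation` init container instead of `istio-init`. The validation container only verifies that redirection is already in place before the workload starts and needs no NET_ADMIN, which is how the race condition between pod start and rule installation is closed.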
Secure your microservices with istio step by step (IstioCon; 34 pages, 67.93 MB)
Istio identity, checking the configuration result: kubectl exec <pod> -c istio-proxy -- curl localhost:15000/config_dump. Result: the certificate is generated automatically with the Istio identity. mTLS in Istio: 1) apply a PeerAuthentication (selector matchLabels app: reviews; mtls mode: STRICT); 2) apply a DestinationRule to enable client-side mTLS (tls mode ISTIO_MUTUAL). Sending requests through the ingress port and ingress host: reviews-v1 is reachable and productpage can be accessed, with mTLS between the sidecars.
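The two steps above, written out as manifests, as an added example that is not part of the original talk. It goes slightly beyond the slides by also showing the mesh-wide form of the STRICT policy. The `default` namespace (where the Bookinfo sample is normally deployed) and the resource names are assumptions.

```yaml
# Added example (not from the original talk). Step 1 from the slides: the
# reviews workload only accepts mTLS. Without any PeerAuthentication the
# effective mode is PERMISSIVE, which still accepts plaintext.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: reviews-strict
  namespace: default          # assumption: Bookinfo lives in 'default'
spec:
  selector:
    matchLabels:
      app: reviews
  mtls:
    mode: STRICT              # plaintext connections are rejected
---
# Step 2 from the slides: make the client sidecars originate mTLS to reviews
# explicitly. ISTIO_MUTUAL uses the Istio-issued workload certificate, so no
# user-managed certificates are involved.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews-istio-mutual
  namespace: default
spec:
  host: reviews.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# Beyond the slides: the same STRICT policy applied mesh-wide. A
# PeerAuthentication in the root namespace (istio-system) with no selector
# is the mesh default; workload-level policies such as the one above override it.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
```

After `kubectl apply -f`, a plaintext probe from a pod without a sidecar (for example `curl http://reviews.default:9080/health`) should fail with a connection reset, while productpage's sidecar still reaches reviews. The talk's own check remains the authoritative one: in the config_dump of the reviews sidecar, the inbound listener's filter chains should carry a `transport_socket` named `envoy.transport_sockets.tls`. Note that since Istio 1.5 auto mTLS makes the DestinationRule optional when the destination has a sidecar; it is still useful to pin the mode when auto mTLS is disabled or when a broader DestinationRule for the host would otherwise set `tls.mode: DISABLE`.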
Is Your Virtual Machine Really Ready-to-go with Istio? (IstioCon; 50 pages, 2.19 MB)
... for bootstrap: mimic the sidecar proxy injection, automate VM registration, health/readiness check. Istio 1.7 VM support with added security: a secure bootstrapping process that automates provisioning of the bootstrap certificate on the VM; dependency on the K8s API server; requires creating an RBAC impersonation rule for each user; private key and CSR generation limited to the Istio agent (no support for other provisioners). Performance: offload traffic management and security (DDoS defense...); hardware acceleration for crypto and rule matching; further isolation from the host; CapEx, OpEx. RDMA (Remote Direct Memory Access).
Istio in Practice in Free Wheel's Microservices (31 pages, 4.21 MB)
... is a framework for specific processing of the attributes reported by the proxy; it supports four kinds: Preprocess (aggregates traffic-related metadata and environment (k8s) metadata), Report (reports data), Check (decides whether to allow the current access), Quota (decides whether capacity is sufficient). Mixer or sidecar, that is the question: Mixer provides a very flexible model that lets a handler dynamically select ... The example implemented here, mymock, rejects all matched traffic outright; the figure shows the basic principle of the mymock handler. The mymock handler is the initialization configuration of the mymock adapter; once initialized, a rule associates the checknothing configuration with the handler, which is effectively traffic matching: traffic that meets certain conditions has the mymock handler applied, and the mymock adapter directly rejects the matched requests ...
Exploring and Practicing Istio-based Microservice Governance: Event Monitoring (29 pages, 8.37 MB)
... logfile, proxy, transaction ID ... Commit to Client Success. Introduction to Mixer's component functions: Check (also called precondition, a precondition check such as blacklists/whitelists and permissions), Quota (number of accesses), Report (logging). Mixer plugin working model: Mixer sends the attributes and logs to the adapter via an RPC call. Flow for developing on Mixer: write a gRPC server that receives the data from Mixer and implements the business logic; write the handler, instance and rule configuration files; build and package the adapter and push it to a Docker registry; write the k8s Deployment and Service configuration; deploy the application. (Mixer was deprecated in Istio 1.5 and removed in Istio 1.8; the extension path in current releases is Envoy/Wasm filters.)
Istio Security Assessment (51 pages, 849.66 KB)
... such as Mozilla's CA chain.[17] [16] https://istio.io/latest/docs/reference/config/networking/destination-rule/ [17] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/ ...
    Join(args, " "))
    externalCommand := exec.Command(cmd, args...)
    externalCommand.Stdout = os.Stdout
    //TODO Check naming and redirection logic
    if !redirectStdout {
        externalCommand.Stderr = os.Stderr
    }
    return externalCommand
Building resilient systems inside the mesh: abstraction and automation of Virtual Service generation (IstioCon; 9 pages, 1.04 MB)
... and allows for creation of miscellaneous rules. Misc: please rule for autogeneration; K8s Greeter service example; building the new rule; deploying to a cluster; easy way ...
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices (21 pages, 1.09 MB)
... QA, trace: r ... CI pipeline. ML-assisted context rule learning: createProduct(…): Response { "productId": "HDSN1890675", "src": "Canada" }; a supervised system to accept true positives; no code! ML-assisted assertion rule learning: createOrder response recording { "orderId": "ORDR1890675", "orderValue": "58.75" ...
Istio Service Mesh at Enterprise Scale (12 pages, 1.23 MB)
... the "service's" hostname. Validated: Deployments, Virtual Service, Service Entry, Destination Rule. Blocked: Envoy Filters, Gateways. Developer platform integration; mesh automation: control ...
Moving large scale consumer e-commerce Infrastructure to Mesh (IstioCon; 14 pages, 1.76 MB)
... creation or update: templatise the Kubernetes deployment including Virtual Service and Destination rule. Takeaways: identify the problems and improvements; POCs for all known use-cases and ...