Istio is a long wild river: how to navigate it safely
… first when entering the pod. All outgoing traffic must flow through the sidecar before leaving the pod. What happens when the sidecar container is not ready? (Stabilizing Istio) Pod, app container: the outgoing traffic cannot leave the pod. Two cases where it happens frequently: during pod creation, and during pod deletion. To prevent it, we need to make sure that: 1. Envoy is started before any other container in a pod; 2. Envoy is stopped after any other container in a pod. Kubernetes shortcomings with sidecar …
0 credits | 69 pages | 1.58 MB | 1 year ago
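The two ordering requirements quoted above (Envoy up before the application, Envoy down after it) map onto Istio proxy settings that the injector honours per pod. The Deployment fragment below is an added example, not a slide from the talk: the namespace, workload name and image are placeholders, and EXIT_ON_ZERO_ACTIVE_CONNECTIONS is an optional pilot-agent setting assumed here rather than something the excerpt mentions.

```yaml
# Added example, not a slide from the talk. Namespace, workload name and image are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: checkout
  namespace: shop
spec:
  replicas: 2
  selector:
    matchLabels:
      app: checkout
  template:
    metadata:
      labels:
        app: checkout
      annotations:
        # Per-pod ProxyConfig overrides; the same keys can be set mesh-wide under
        # meshConfig.defaultConfig so every injected pod gets them.
        #
        # holdApplicationUntilProxyStarts: the injector places istio-proxy first in the
        # container list and adds a postStart hook that blocks until Envoy is ready, so the
        # application container does not start until outbound traffic can actually leave the pod.
        #
        # terminationDrainDuration: Kubernetes sends SIGTERM to every container at the same
        # time, so Envoy must keep serving while the application finishes in-flight work;
        # the default is 5s. Keep it below terminationGracePeriodSeconds or the kubelet
        # will SIGKILL the pod first.
        #
        # EXIT_ON_ZERO_ACTIVE_CONNECTIONS (assumed pilot-agent setting, passed through
        # proxyMetadata): let the proxy exit as soon as Envoy reports no open connections
        # instead of always sleeping for the full drain duration.
        proxy.istio.io/config: |
          holdApplicationUntilProxyStarts: true
          terminationDrainDuration: 30s
          proxyMetadata:
            EXIT_ON_ZERO_ACTIVE_CONNECTIONS: "true"
    spec:
      terminationGracePeriodSeconds: 60
      containers:
      - name: checkout
        image: registry.example.com/shop/checkout:1.0
        ports:
        - containerPort: 8080
```

To confirm the startup half took effect, list the container names of a running pod (`kubectl get pod <pod> -o jsonpath='{.spec.containers[*].name}'`): with the annotation honoured, istio-proxy appears first. For the shutdown half, watch the istio-proxy container logs during a rollout; the proxy should stay up and draining until the application container has exited.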
Istio audit report - ADA Logics - 2023-01-30 - v1.0
… capping h2c requests, which is: “The first request on an h2c connection is read entirely into memory before the Handler is called. To limit the memory consumed by this request, wrap the result of NewHandler …” … traffic to the proxy can be coming from outside the cluster and is validated against the specified policies before it reaches the service. The traffic crosses a trust boundary as it passes the proxy. Control plane … boundaries they have been granted by way of the set of configurations, there is reason to believe this happens through a security vulnerability in the Istio code base. On the other hand, if the user configures …
0 credits | 55 pages | 703.94 KB | 1 year ago
Your laptop as part of the service mesh
… contract ● Prior knowledge of Istio ● Need to create VirtualService and DestinationRule before anything happens ● VirtualService evaluation order matters #IstioCon Checkpoint 1. Minimize time to bug …
0 credits | 30 pages | 555.24 KB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
… intensive – Creating and maintaining E2E, service tests and component tests adds up very quickly • What happens if you do not address the problem? – Thorough test coverage can take a lot of time and effort – …
0 credits | 21 pages | 1.09 MB | 1 year ago
Automate mTLS communication with GoPay partners with Istio
Vijay Dhama, Gojek; Zufar Dhiyaulhaq, Gojek. Agenda ● GoPay & Istio ● Before mutual TLS ● Implementing mutual TLS ○ Centralized certificate management ○ Ingress mutual TLS … Istio ● We were using Envoy before, which made it easy to adopt existing EnvoyFilters into Istio. ● Istio has an abstraction concept that makes things easier to manage. Before mutual TLS? HTTPS + allowlisting …
0 credits | 16 pages | 1.45 MB | 1 year ago
Set Sail for a Ship-Shape Istio Release
… ○ Istio 1.9 was recently released. ○ How soon will you investigate this release? ○ How soon before you will use it in production? #IstioCon Feedback across ● GitHub issues ● discuss.istio.io … Expectation: maintainers would populate a Google Docs draft throughout a release, which is finalized before the release ships. Reality: week(s) of time for release managers to sift through commits to …
0 credits | 18 pages | 199.43 KB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
… develop and offer serverless capabilities in IBM Cloud, which are based on these open-source technologies. Before that he was architect for Cloud Foundry on Kubernetes in IBM Cloud. #IstioCon ● Knative and Istio … Mitigations: ○ When adding a new worker node, make sure the DaemonSet pod of the Istio CNI plugin is up and running before Knative pods are scheduled on the node. ○ A cron job could help to detect whether a pod was configured …
0 credits | 23 pages | 2.51 MB | 1 year ago
Istio Security Assessment
… the requests of any other namespace's Istio Gateways if their VirtualService was initially created before other users' legitimate VirtualServices. Note: During testing, NCC Group observed an instance of … namespace's services by using a more specific hostname or if their Gateway was initially created before other users' legitimate Gateways. Note: The underlying implementation of the at-issue behavior appears …
0 credits | 51 pages | 849.66 KB | 1 year ago
Istio-redirector: the way to go to manage thousands of HTTP redirections
… /bus/routes/bruxelles/lille to /bus/routes/bruxelles-1/lille-3. Why do we need redirections? BEFORE: /bus/routes/bruxelles/lille. New: /bus/routes/bruxelles-1/lille-3. Old: 404 page /bus/routes/bruxelles/lille …
0 credits | 13 pages | 1.07 MB | 1 year ago
How HP set up secure and wise platform with Istio
… two services, the client-side and server-side “envoy proxies” verify each other's identities before sending requests. • If the verification is successful, then the client-side proxy encrypts the …
0 credits | 23 pages | 1.18 MB | 1 year ago
13 results in total (page 1 of 2)