Istio Security Assessment
with notes that it should be replaced by a DNS-based secure signing method. So the updated change log notes: “Despite the naming, in Istio 1.5 when controlPlaneSecurityEnabled is set to false, communication sha1.Sum(buf) if sha == h.latestSHA && h.list != nil { // the list hasn't changed since last time h.log.Infof("Fetched list is unchanged") h.resetPurgeTimer() return } • istio/istio/mixer/pkg/runtime/handler/signature bytes.TrimSpace(chunk) if len(chunk) == 0 { continue } r, err := ParseChunk(chunk) if err != nil { log.Errorf("Error processing %s[%d]: %v", path, i, err) continue } if r == nil { continue } resources
0 points | 51 pages | 849.66 KB | 1 year ago
Istio Service Mesh at Enterprise Scale
Multi-region deployments ● Non-flat networks ● Multi-tenant configuration ● Management of Istio installation ● Self-service mesh enablement for service owners Demo Admiral API Gateway Payments
0 points | 12 pages | 1.23 MB | 1 year ago
Istio Project Update
#IstioCon 2018-2019: Year of Service Mesh #IstioCon 2020: Year of Istio Innovation Simplified installation Simplified control plane New extension Model Unified multicluster model Simplified VM onboarding
0 points | 22 pages | 1.10 MB | 1 year ago
Using ECC Workload Certificates (pilot-agent environmental variables)
ECDSA for use by pilot-agent ○ For gateways this environmental variable also must be set on installation/upgrade #IstioCon istioctl iop.yaml Install with istioctl install -f iop.yaml apiVersion:
0 points | 9 pages | 376.10 KB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
● DNS_AUTO_ALLOCATE ○ Decoupled from DNS_CAPTURE ● Documents available ○ Virtual Machine Installation to get started. ○ Virtual Machine Architecture to learn about the high level architecture of
0 points | 50 pages | 2.19 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
import ( "bytes" "context" "crypto/tls" "fmt" "io" "log" "net/http" "os" "os/signal" "time" byteSize "github.com/inhies/go-bytesize" "istio.io/istio/pkg/backoff" if err = srv.ListenAndServe(); err != nil && err != http.ErrServerClosed { log.Fatalf("listen:%+s\n", err) } }() log.Printf("server started") d, err := time.ParseDuration("20s") if err != nil { fmt.Println("Fetching") f.Fetch(context.Background(), "http://localhost:6969", true) <-ctx.Done() log.Printf("server stopped") ctxShutDown, cancel := context.WithTimeout(context.Background(), 5*time
0 points | 55 pages | 703.94 KB | 1 year ago
Introduction to Envoy Principles and Pitfalls from Production Issues
[Charts: default connection policy vs. enhanced connection policy, compared on average QPS, average latency (ms) and average TP50 (s); x-axis: log2(number of connections). Chart labels: improved by 30%, reduced by 23%.]
0 points | 30 pages | 2.67 MB | 1 year ago
How HP set up secure and wise platform with Istio
in a configurable set of formats #IstioCon Excellent Observability - Access logs Log Files Parse Istio-proxy Log • Each API Access Count • Each API Fail Rate • Each API Latency Easy to debug Easy report Easy to alert Elastalert #IstioCon Excellent Observability - Access logs Istio-proxy log showed in kibana after parse #IstioCon Excellent Observability - Access logs API Error In last
0 points | 23 pages | 1.18 MB | 1 year ago
Service mesh security best practices: from implementation to verification
manage source of truth for mesh policies. Audit log Cluster security Edge security Workload security Operation security 3. Monitor audit log. 3 Lifecycle of service mesh security and demo Lifecycle of service mesh security Edge Cluster Workload Operation GitOps Gatekeeper RBAC Audit log Metrics Security testing tools Security dashboard Prometheus Kiali Security Lifecycle Concepts
0 points | 29 pages | 1.77 MB | 1 year ago
Preserve Original Source Address within Istio
same client is forwarded to the same backend 2. Security Policy: set white/black list 3. Access log & Stats 4. Specific scenarios like SIP Trunking #IstioCon Common Ways to Preserve Original Src Addr
0 points | 29 pages | 713.08 KB | 1 year ago
11 results in total













