Istio Security Assessment
it exposes. One of which is the “/debug” API hosted on 15014/TCP by default. This service exposes a web interface that is accessible without authentication to anything that is able to access its network Pilot. This has a risk of containing certificates, keys, and secrets used by Pilot at runtime. This web interface also allows unauthenticated users to force all Istio objects to sync their current "${NAMESPACE}-access", "namespace": "$NAMESPACE" }, "rules": [{ "apiGroups": [ "", "extensions", "apps", "networking.k8s.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "config
0 码力 | 51 pages | 849.66 KB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
hardware Load-Balancers (LB) ● Application-Tier LB ○ K8s service realized on Application-Tier LBs ● Web-Tier LB to control - ○ Percentage of traffic sent to an AZ, region, etc. ○ L7 routing ○ Hardware closest Web-Tier LB based on DNS lookup Application-Tier Load-Balancer Web-Tier Load-Balancer Application-Tier Load-Balancer Web-Tier Load-Balancer Application-Tier Load-Balancer Web-Tier Load-Balancer VirtualService, DestinationRules, etc. apiVersion: apps.cloud.io/v1 kind: AccessPoint metadata: name: my-accesspoint spec: accessPoints: - name: web-tier scopeIDs: - az1 scopeType: AvailabilityZone
0 码力 | 22 pages | 505.96 KB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
External APIs Istio enables learning tests from API usage Learnt by Mesh API Studio Third-party apps Manual QA trace: r trace: r trace: r trace: r CI Pipeline | CONFIDENTIAL 9 Process flow External APIs Creating test suites from API traffic Created by Mesh API Studio Third-party apps Manual QA trace: r trace: r trace: r trace: r CI Pipeline | CONFIDENTIAL 16 ML-assisted
0 码力 | 21 pages | 1.09 MB | 1 year ago
Apache Kafka with Istio on K8s
• Kubernetes service account based authn/authz • Secure cross-cluster interaction between client apps and Kafka Security goals 4 • Kafka brokers require private-key and certificate pairs • Private
0 码力 | 14 pages | 875.99 KB | 1 year ago
IstioCon 2022 Report
attendance Workshop Istio 0 to 60 Workshop Hands-on practices for Controlling Kubernetes Native Apps with Service Mesh Manage and Secure Distributed Services with Anthos Service Mesh Multi-tenant
0 码力 | 20 pages | 2.44 MB | 1 year ago
宋净超: From Open-Source Istio to Enterprise-Grade Services: How to Adopt a Service Mesh in the Enterprise
Kubernetes cluster ● VM integration ● On-prem, AWS, Azure, GCP, OpenShift ● 10000+ core business apps ● Plan to move to public cloud in 18 months ● Using F5 to distribute traffic at the DMZ zone Solving
0 码力 | 30 pages | 4.79 MB | 6 months ago
Developing & Debugging WebAssembly Filters
Copyright © 2020 Portable Secure Fast Any Language Outside the Web Web Assembly Extend Envoy Proxy with Web Assembly (Wasm) Polyglot: Envoy Filters are written in C++ and Wasm SECURITY Technology User Experience Web Assembly lifecycle Build > meshctl wasm init addheader-filter --language Build Store Deploy Debug Debug in Production Web Assembly Envoy Filter: User Experience Simplified tooling to bootstrap Wasm modules in Rust, C++,
0 码力 | 22 pages | 2.22 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
Mercari What Is Mercari? ● Service start: July 2013 ● OS: Android, iOS *Can also be accessed by web browsers ● Usage fee: Free *Commission fee for sold items: 10% of the sales price ● Regions/languages even in a same product. Some examples: ○ Latency-sensitive workloads ○ Long-lived batches (ML) ○ Web platforms ● How do you define a common answer to the previous questions? ○ It’s nearly impossible
0 码力 | 69 pages | 1.58 MB | 1 year ago
Istio-redirector: the way to go to manage thousands of HTTP redirections
infrastructure is deployed on GKE, with GCLB and Istio IngressGateway User Google Cloud Load Balancer Gateways Web App How do we use Istio? [...] spec: gateways: - istio-system/istio-ingressgateway hosts:
0 码力 | 13 pages | 1.07 MB | 1 year ago
Service mesh security best practices: from implementation to verification
Service Proxy Ingress 1. Define ingress security policies to control accesses to services. Deploy web application firewall to defend against DDoS, injection, remote execution attacks. Edge security
0 码力 | 29 pages | 1.77 MB | 1 year ago
11 results in total