Istio audit report - ADA Logics - 2023-01-30 - v1.0
bounds file writes. https://github.com/istio/istio/blob/d0705cf0ed5591cc26c08001f3faab0a880aec48/operator/pkg/util/tgz/tgz.go#L70 func Extract(gzipStream io.Reader is not closed: https://github.com/istio/istio/blob/d0705cf0ed5591cc26c08001f3faab0a880aec48/operator/pkg/util/tgz/tgz.go#L107 outFile, err := os.Create(dest) if err != m/httpfetcher.go#L138 // wasm plugin should be the only file in the tarball. func getFirstFileFromTar(b []byte) []byte { buf := bytes
0 credits | 55 pages | 703.94 KB | 1 year ago | 3
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
… traffic management observability security … Knative design based on knative.dev #IstioCon r How Istio is leveraged in a Knative based platform - Istio as an Ingress Gateway • By default, Knative enabled • Enable Istio mesh on Knative – Impact without optimization #IstioCon o With istio CNI plugin, we can move the iptables configuration parts to CNI. But another init-container, the istio-validation injection template. Mitigations: o When adding new worker node, make sure daemonset pod of istio CNI plugin is up and running before knative pods scheduling on the node. o Crontab job could help to detect
0 credits | 23 pages | 2.51 MB | 1 year ago | 3
Accelerate Istio-CNI with ebpf
of ebpf ● Acceleration for Inbound/Outbound/Envoy to Envoy #IstioCon Istio-CNI ● The Istio CNI plugin performs the Istio mesh pod traffic redirection in the Kubernetes pod life-cycle’s network setup NET_ADMIN and NET_RAW capabilities for users deploying pods into the Istio mesh. ● The Istio CNI plugin replaces the functionality provided by the istio-init container. #IstioCon Tcp/ip stack overhead
0 credits | 15 pages | 658.90 KB | 1 year ago | 3
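Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
Demo: Dubbo protocol support ● Dubbo2Istio connects to Dubbo service registries, supporting: ○ ZooKeeper ○ Nacos ○ Etcd ● The Aeraki Dubbo Plugin implements control-plane management and supports the following capabilities: ○ Traffic management: ■ Layer-7 (request-level) load balancing ■ Locality-aware load balancing ■ Circuit breaking ■ Version-based routing ■ Method-based routing ■ Based on … support a new Layer-7 protocol in ● Add RDS capability for Layer-7 protocols such as Dubbo, Thrift, and so on #IstioCon MetaProtocol: control plane Traffic-management rules are pushed from the control plane through the Aeraki MetaProtocol Plugin: 1. Aeraki obtains ServiceEntry from Istio and determines the protocol type from the port name (e.g. tcp-metaprotocol-thrift) 2
0 credits | 29 pages | 2.11 MB | 1 year ago | 3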
IstioCon2023 Welcome Keynote
sail What about the rest of the boat? Upcoming Talks: Aperture - Load Management Meshery - WASM plugin management Argo - Multi-cluster orchestration JP Morgan SLO Generation Reflecting on the Value
0 credits | 14 pages | 1.31 MB | 1 year ago | 3
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
tests from API usage Learnt by Mesh API Studio Third-party apps Manual QA trace: r trace: r trace: r trace: r CI Pipeline | CONFIDENTIAL 9 Process flow using Istio Deploy Lua filters (kubectl Service B Service C Proxy req req[A B], trace:r, span:s1 res[A B], trace:r, span:s1 req[B C], trace: r, parent_span: s1 res[B C], trace: r, parent_span: s1 req req[A->B] from API traffic Created by Mesh API Studio Third-party apps Manual QA trace: r trace: r trace: r trace: r CI Pipeline | CONFIDENTIAL 16 ML-assisted Context Rule Learning createProduct(…):
0 credits | 21 pages | 1.09 MB | 1 year ago | 3
Istio Security Assessment
Istio Security Assessment Google August 6, 2020 – Version 1.1 Prepared for Arun Kumar R Prepared by Mark Manning Jeff Dileo Divya Natesan Andy Olsen Feedback on this project? https://my.nccgroup TrimSpace(chunk) if len(chunk) == 0 { continue } r, err := ParseChunk(chunk) if err != nil { log.Errorf("Error processing %s[%d]: %v", path, i, err) continue } if r == nil { continue } resources = append(resources append(resources, &resource{BackEndResource: r, sha: sha1.Sum(chunk)}) } return resources } • istio/istio/pkg/mcp/creds/pollingWatcher.go (line 189) // getHashSum is a helper func to calculate sha1 sum. func
0 credits | 51 pages | 849.66 KB | 1 year ago | 3
Optimal Canary Deployments using Istio and how it scores over Spring Cloud and Kubernetes
POD POD POD POD SERVICE (Load balancer) www.my-application.com External Traffic 75% 25% Deployment Canary Releases Using Kubernetes Deployment POD POD POD SERVICE (Load balancer) External Traffic POD 50% 50% Deployment Canary Releases Using Kubernetes Deployment POD SERVICE (Load balancer) www.my-application.com External Traffic POD POD 0% 100% Deployment Deployment Across application Layers Deployment POD POD SERVICE (Load balancer) www.my-application.com External Traffic 75% 25% POD POD POD POD SERVICE (ClusterIP) 75% 25% POD POD Cross-version
0 credits | 9 pages | 1011.00 KB | 1 year ago | 3
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
locations across globe peering with the Internet closer to the customer ○ PoPs are mini AZs Region R1 AZ 1 AZ 2 AZ n Data Center DC1 Region Rn #IstioCon Application Deployment: Cloud Layout ● Multiple scenario Region R1 AZ 1 AZ 2 AZ n Data Center DC1 K8s Cluster K8s Cluster K8s Cluster K8s Cluster K8s Cluster K8s Cluster Region Rn #IstioCon Application Specs Region R1 Application specs ● Standardization provides flexibility to switch backend implementations to software Region R1 AZ 1 AZ 2 AZ n Data Center DC1 K8s Cluster K8s Cluster K8s Cluster K8s Cluster AZ
0 credits | 22 pages | 505.96 KB | 1 year ago | 3
Song Jingchao (宋净超): From Open-Source Istio to Enterprise-Grade Services - How to Adopt Service Mesh in the Enterprise
Training and Certification Collaboration with NIST ● Author SP 800-204 series on microservice security ● R&D on Next Generation Access Control (NGAC) ● Exclusively co-host annual zero trust multi-cloud conference
0 credits | 30 pages | 4.79 MB | 6 months ago | 3