Istio Security Assessment
enabling the workload container to claim its ports. [7] https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services 27 | Google Istio Security Assessment restricting egress traffic to only Istio’s Egress gateway. [8] https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/ 28 | Google Istio Security Assessment Google / NCC Group Confidential between these sidecars at a cluster level. Tools like HashiCorp Vault provide additional secret management controls and a Dynamic Admission Controller-based approaches such as OPA[19] provide a means to help
0 credits | 51 pages | 849.66 KB | 1 year ago

IstioCon 2021 Report
least one example but haven’t used it seriously #IstioCon Most popular sessions in English Session Welcome Keynote Using Istio to build the next generation 5G platform I want to sketch a Labs # live viewers 1108 1192 1080 955 807 677 #IstioCon Most popular sessions in Chinese Session Welcome Keynote Lightning talks China Secure your microservices with Istio step by step Best
0 credits | 18 pages | 912.89 KB | 1 year ago

IstioCon 2022 Report
19% of attendees are using Istio in production. #IstioCon Most popular sessions in English Session Opening keynote (State of Istio & Zero Trust) Running Istio at Scale for a Secure and Compliant McKinley, Solo.io # live viewers 1196 926 847 754 636 #IstioCon Most popular sessions in Chinese Session China: Opening & Panel: Istio Istio Open Source Ecosystem Outlook From China The road to microservice
0 credits | 20 pages | 2.44 MB | 1 year ago

IstioCon 2021 Partner Packages
for those who go above and beyond in the organization of the event. 6. Logos on bumpers (for session recordings) Vendor logo representation - Examples Vendor logo representation - Examples Participant artist that captures key concepts in a linear illustration, to be incorporated during the Roadmap session. It is used to explain a process. ● Sponsored by Google (Example from Wikimedia movement 2030
0 credits | 23 pages | 3.18 MB | 1 year ago

Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
Layer-7 traffic management capabilities in the Mesh ❏ Several ways to extend Istio's traffic management capabilities ❏ Aeraki - managing all layer-7 traffic in an Istio service mesh ❏ Demo - Dubbo Traffic Management ❏ MetaProtocol - a general-purpose layer-7 protocol framework for Service Mesh #IstioCon Protocols in a Typical Microservice Application Database: MySQL, PostgreSQL, MongoDB ... ● Other Layer-7 Protocols: ... Control Plane (Traffic Management, Security, Observability) #IstioCon What Do We Expect From a Service Mesh? To separate infrastructure operations and management from application code, we need layer-7 traffic management Header Layer-7 Header Data Traffic Management for HTTP/gRPC - all good ● We get all the capabilities we mentioned on the previous slide Traffic Management for non-HTTP/gRPC - only layer-3 to layer-6
0 credits | 29 pages | 2.11 MB | 1 year ago

宋净超 (Song Jingchao): From Open-Source Istio to Enterprise-Grade Service: How to Adopt a Service Mesh in the Enterprise
TSB: The Application-Aware Networking Platform Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload Architecture ● Multi cluster ● Multi mesh ● Components ○ Management plane ○ Global control plane ○ Local control plane TSB Management Plane ● Front Envoy ● Multi Cluster support ● XCP Central -> Kubernetes Gateway API Use Case: A Financial Company Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload
0 credits | 30 pages | 4.79 MB | 6 months ago

Automate mTLS communication with GoPay partners with Istio
Agenda ● GoPay & Istio ● Before mutual TLS ● Implementing mutual TLS ○ Centralized Certificate Management ○ Ingress mutual TLS ○ Egress mutual TLS ● Challenge & Future Works GoPay & Istio About ● IP that used by all services) Implementing Mutual TLS Centralized Certificate Management ● Central certificate management manage our certificate lifecycle for HTTPS and mutual TLS communication. ●
0 credits | 16 pages | 1.45 MB | 1 year ago

Canary Release Practice for Kubernetes Container Applications Based on Istio
At Google: microservices become API Apigee API Management complements Istio with the robust features of Google Cloud's Apigee API management platform, Apigee Edge, by extending API management natively into the microservices
0 credits | 38 pages | 14.93 MB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Why Service Mesh? ● Current challenges include - ○ Manageability of Hardware Devices ■ Traffic Management & Security Enforcement ■ Updating hardware devices is slow ○ Achieving micro-segmentation at Discovery functions as features of the infrastructure - ○ Functions: TLS Termination, Traffic Management, Tracing, Rate Limiting, Protocol Adapter, Circuit breaker, Caching, etc. #IstioCon Service Architecture Evolving Security Current Status #IstioCon Step 1: Access Point Spec ● Capture Traffic Management & Routing intent as “Access Point” Specs ○ Leverage Istio object model: Gateway, VirtualService
0 credits | 22 pages | 505.96 KB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
complexity ○ Need consistent policy enforcement ○ Need consistent metrics aggregation ● Traffic management ○ Load balancing for VMs, failover, A/B testing, modern rollouts for VM services ● Security workload certificate attributes #IstioCon Security & Usability Limitations (cont.) ● Access management: CNI needs improvements ○ Much required to avoid escalated Pod privileges ○ No support for smart Sidecar Offload ● Ultimate goal ○ Proxyless services (for high performance) ● Offload ○ Traffic management ○ Security (DDoS defense…) ● HW acceleration ○ Crypto ○ Rule matching ● Further isolation
0 credits | 50 pages | 2.19 MB | 1 year ago