#IstioCon Istio-redirector: the way to go to manage thousands of HTTP redirections Etienne Fontaine (@etifontaine) #IstioCon Istio-redirector 301-redirection from /bus/routes/bruxelles/lille

#IstioCon Extending service mesh capabilities using a streamlined way based on WASM and ORAS 王夕宁 | 阿里云服务网格ASM 2 Envoy’s Filter Chain Listener Downstre am Filter Filter Filter Cluster Upstrea

Toader & Zsolt Varga 2021-Feb-26 Apache Kafka with Istio on K8s 2 • Scalability • Resiliency • Security • Observability • Disaster recovery Production grade Apache Kafka on Kubernetes 3 • Secure client authentication with Istio 12 • Istio provides a security layer for workloads in a uniform way • Envoy WASM filters opens the gates for a whole array of useful features such as Kafka protocol

Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems & Pipelines - Hadoop, Apache Spark, Apache Flink, etc. ○ Machine Learning Platforms - Tensorflow, PyTorch, Jupyter Notebook, etc. ○ slow ○ Achieving micro-segmentation at scale ○ Enabling TLS for all applications in a consistent way ● Service Mesh ○ An architectural pattern to implement common Security, Observability, Service Routing

Observability And Istio Telemetry 吴 晟 Apache SkyWalking Creator Apache ShardingSphere Co-founder Microsoft MVP Tetrate founding Engineer Bitmain tech expert Service Mesh Meetup #4 上海海站 • ServiceRelation • ServiceInstanceRelation • EndpointRelation • etc. https://github.com/apache/incubator-skywalking/blob/master/docs/en/ concepts-and-designs/oal.md • Extendable Aggregation Five types query • Metadata • Metric • Aggregation • Trace • Alarm https://github.com/apache/incubator- skywalking-query-protocolEcosystem powered by GraphQL and SkyWalking core • Open source

zero trust multi-cloud conference Best in Class Team ● Creators of the service mesh Istio, gRPC, Apache SkyWalking, Zipkin from Google, Twitter, & VMWare ● Top contributors to Envoy and Istio ● Wrote

[2021-03-03T10:32:47.139Z] "POST /v1/xx/xx/xx/xx/xx/983980038/stopxx HTTP/1.1" 503UC"-" "-" 0 95 1 - "10.13.22.7" "Apache- HttpClient/4.5.12 (Java/1.8.0_232)" "U4REJ819523DU961535U8316KUUG2G3X" "10.18.8.13:28443" "10.19

Kubernetes lacks good control APIs to customize the containers lifecycle in a pod. There is no official way to instruct a pod to: 1. Start the sidecar container first 2. Stop the sidecar container after the recommended if you know what you are doing. Once Kubernetes supports the sidecar pattern in a better way, these workarounds should be deprecated. 21 Shortcoming 2: Autoscaling multi-containers pods Stabilizing performance ○ Reasonable cost Istio proxy performance and capacity Adopting Istio ● Put in another way, know your tradeoffs: ○ How acceptable is the performance loss for the added value? ○ How much should

and test various configurations. These reference architectures were used to provide testers with a way of validating that security expectations in the code were implemented when deployed. Each environment disabled by Istio, so that even when all the security features are enabled, there does not appear to be a way to restrict a Pod’s access to them. Attempts to modify the settings to “controlPlaneAuth Policy: MUTUAL_TLS” services. The current documentation states: “In Istio 1.5, this is no longer the recommended or default way to connect the proxies with the control plane; instead, DNS certificates, which can be signed by Kubernetes

#IstioCon ● Easy way to manage Virtual Service configs. ● Virtual Service configs become a release artifact. ● Easy abstraction for defining timeouts and retries in a language agnostic way. ● Application