Istio as an API Gateway
● API Gateway + Service Mesh together! ● Istio as the API Gateway ● Advantages ● Challenges ● Where It Isn’t a Good Fit? What is an API Gateway? What is a Service Mesh? Common Features Common Features complicated ● Writing EnvoyFilters is hard! ● Debugging EnvoyFilters is even harder!! Where It Isn’t a Good Fit? Where It Isn’t a Good Fit? ● Non Kubernetes Ecosystem ● You don’t want Sidecar Proxies
0 points | 27 pages | 1.11 MB | 1 year ago
IstioCon 2022 Report
Bilibili platform ● Listening sessions +20 End User Presentations 10 IstioCon Sponsors and partners Where did people join from? Participant demographics 28% of attendees were CxO / Engineering manager Workshops for providing hands-on practice with specific tools/platforms 3 Listening sessions where users provided feedback on specific developments in the project. Participant feedback The majority recorded sessions" Networking event Space Escape Escape room focus on having fun time and teamwork, where participants solve together different challenges. Impact for the project 1,818 New followers on
0 points | 20 pages | 2.44 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
integration ○ Reduced load on your DNS servers w/ faster resolution ○ Automatic VIP allocation where possible ○ Multicluster DNS lookup #IstioCon V1.9 VM Integration, Beta! ● DNS_AUTO_ALLOCATE ○ Expect More? A Closer Look… ● Example use case: Telco & Edge computing ○ where VMs play a crucial role now and later ○ where service mesh is a key paradigm for solving challenges [1] ■ Traffic steering
0 points | 50 pages | 2.19 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
feature. The Mercari app is a C2C marketplace where individuals can easily sell used items. We want to provide both buyers and sellers with a service where they can enjoy safe and secure transactions the pod 13 What happens when the sidecar container is not ready? Stabilizing Istio ● 2 cases where it happens frequently: ○ During pod creation ○ During pod deletion ● To prevent it, we need to
0 points | 69 pages | 1.58 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
level of privilege and that are able to escalate to higher privileges. There are a number of areas where either group could exceed their assumed privilege boundaries. We enumerate these below: Policy Enforcement https://github.com/istio/istio/pull/41930 Description In some experimental code, test code and code where a user has explicitly opted into insecure mode, InsecureSkipVerify mode is enabled. As stated by the process. The build is not fully satisfied because the build can access secrets from the build service, where SLSA requirements state that: “It MUST NOT be possible for a build to access any secrets of the build
0 points | 55 pages | 703.94 KB | 1 year ago
Istio Security Assessment
building secured environments. • Expand hardening documentation: While there were a variety of areas where documentation could improve, it may make sense to start with the hardening guidelines first as it here should be not to build one single page of every security topic, but provide a single location where the most impactful and likely security questions are answered. Consider a community push to focus privilege escalation. Reproduction Steps The following list illustrates examples in the codebase where files are being written insecurely: • istio/istio/security/pkg/nodeagent/sds/server.go (line 276)
0 points | 51 pages | 849.66 KB | 1 year ago
IstioCon 2021 Report
517 Unique recording viewers 25+ End User Presentations 10 IstioCon Partners Where did people join from? Where did people join from? 0.5% from Africa 43.5% from North America 26.5% from
0 points | 18 pages | 912.89 KB | 1 year ago
Set Sail for a Ship-Shape Istio Release
feature quality consistent and predictable #IstioCon Definition of Done: Approach ● Automation where possible ● For everything else, make information easy to consume through checklists and continuous ● Provide a consistent list of requirements for each type of release: security, patch, major ● Where to post announcements ● What to look for when examining releases ○ Performance ○ Resource usage
0 points | 18 pages | 199.43 KB | 1 year ago
Your laptop as part of the service mesh
envoy_on_request(request_handle) function envoy_on_response(request_handle) #IstioCon Who and where to reroute ? #IstioCon The contract GET / HTTP/1.1 Host: example.com User-Agent: curl/7.64
0 points | 30 pages | 555.24 KB | 1 year ago
宋净超: From Open-Source Istio to Enterprise-Grade Services: How to Adopt a Service Mesh in the Enterprise
the Workload Onboarding Agent on that VM ● Provide a minimal declarative configuration describing where to onboard the workload to Bridged Mode vs Direct Mode ● Bridged: Indicates that the configurations
0 points | 30 pages | 4.79 MB | 6 months ago