Is Your Virtual Machine Really Ready-to-go with Istio?
attributes #IstioCon Security & Usability Limitations (cont.) ● Access management: CNI needs improvements ○ Much required to avoid escalated Pod privileges ○ No support for smart DNS proxying (yet…) security ○ Networking ● Hooks ○ sock_ops ■ Construct map ○ sk_msg_md ■ Match & redirect ● ~5% improvements #IstioCon TCP/IP Stack Bypass (cont.) ● Leverage eBPF ● Target Pod/VMs on the same node top ○ Provides independent streams ■ Extremely similar to HTTP/2, but in transport layer ● Improvements ○ TCP head of line blocking ○ Faster handshakes ○ Earlier data ○ Connection-ID ○ More encryption
0 credits | 50 pages | 2.19 MB | 1 year ago
Moving large scale consumer e-commerce Infrastructure to Mesh
sources of failures (Consul etc) ● Possible benefits on Observability #IstioCon Requirements and Improvements ● Immutable deployments ● Minimal blast radius ● Discover Pods for controlled and predictable including Virtual Service and Destination rule #IstioCon Takeaways ● Identify the problems and improvements ● POCs for all known use-cases and features say mTLS, Outlier detection etc. ● Passthrough
0 credits | 14 pages | 1.76 MB | 1 year ago













