Istio Security Assessment
Modify the default policy mesh config map for "controlPlaneAuthPolicy: MUTUAL_TLS" • Create an Istio setup with control plane security enabled: istioctl install --set values.global.controlPlaneSecurityEnabled=true ... could be expanded to reference other documentation that provides deeper insight. • /docs/setup/additional-setup/config-profiles/: The configuration profiles provided by istioctl simply describe the features ... on page 49, with a restricted user confined to a "restrict-test" namespace per the Istio cluster setup guide² ... 2. Obtain the output of the following command (run with administrative access) and use it ...
51 pages | 849.66 KB | 1 year ago
Moving large scale consumer e-commerce Infrastructure to Mesh
Observability ● Extendable to multi-region setup ... Approach ... Rollout - Istio setup and Microservices ● Split rollout into phases ● Set up control plane and related tooling ● Sidecar internal proxy ● Kubernetes Cluster-IP services deployed across clusters ● Export metrics to central Prometheus ● Outlier detection for better reliability via config ... Latency improvement ... Tooling and Automation ● Automate the Istio setup during Kubernetes cluster creation ● Automated endpoint config creation on new micro-service creation
14 pages | 1.76 MB | 1 year ago
Istio Meetup China: Service Mesh Security, Understanding Istio CNI
Networking lifecycle (Istio CNI): Kubelet starts a pause pod -> Kubelet invokes CNI plugins -> CNI plugins set up the IP for the pod -> Istio CNI installs the sidecar network routing rule into the workload's iptables. Benefits of Istio ... instead). Issue in Istio CNI: Kubelet starts a pause pod -> Kubelet invokes CNI plugins -> CNI plugins set up the IP for the pod -> the pod could get started here, bypassing the Istio sidecar proxy (race condition) -> Istio CNI installs the sidecar network routing rule into the workload's iptables.
19 pages | 3.17 MB | 1 year ago
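The race condition in the snippet above (application container up before Istio CNI has written its iptables rules) leaves a pod whose traffic never passes through the sidecar. The check below is an added example, not code from the meetup slides or from the Istio project: it takes the `iptables-save -t nat` output of a pod's network namespace and verifies that the four pieces of Istio's documented redirect (the PREROUTING and OUTPUT hooks, and the REDIRECT rules to the sidecar's inbound port 15006 and outbound port 15001) are present. The two rule dumps are constructed for the example; the `check_live_pod` wrapper that runs `nsenter` against a real container PID assumes root on the node and is not exercised here.

```shell
#!/bin/sh
# Added example: detect pods whose sidecar redirection is missing.
# Chain and port names are Istio's defaults; rule dumps below are constructed.

# istio_redirect_ok RULES
# RULES is the text of `iptables-save -t nat` captured in the pod's netns.
# Returns 0 when the full redirect is in place, 1 when any piece is missing.
istio_redirect_ok() {
  rules="$1"
  # Inbound traffic must be hooked from PREROUTING into ISTIO_INBOUND.
  printf '%s\n' "$rules" | grep -Eq '^-A PREROUTING .*-j ISTIO_INBOUND' || return 1
  # Locally generated traffic must be hooked from OUTPUT into ISTIO_OUTPUT.
  printf '%s\n' "$rules" | grep -Eq '^-A OUTPUT .*-j ISTIO_OUTPUT' || return 1
  # Outbound redirect to the sidecar's outbound listener (15001).
  printf '%s\n' "$rules" | grep -Eq '^-A ISTIO_REDIRECT .*-j REDIRECT --to-ports 15001' || return 1
  # Inbound redirect to the sidecar's inbound listener (15006).
  printf '%s\n' "$rules" | grep -Eq '^-A ISTIO_IN_REDIRECT .*-j REDIRECT --to-ports 15006' || return 1
  return 0
}

# check_live_pod CONTAINER_PID
# Convenience wrapper for a real node (assumption: run as root, nsenter present).
check_live_pod() {
  istio_redirect_ok "$(nsenter -t "$1" -n iptables-save -t nat)"
}

# Constructed sample: rules as Istio's init/CNI step installs them.
MESHED_POD='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ISTIO_INBOUND - [0:0]
:ISTIO_IN_REDIRECT - [0:0]
:ISTIO_OUTPUT - [0:0]
:ISTIO_REDIRECT - [0:0]
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp -m tcp --dport 15008 -j RETURN
-A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
COMMIT'

# Constructed sample: a pod whose container started before the CNI plugin ran,
# so the nat table only holds the kernel defaults.
RACED_POD='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

if istio_redirect_ok "$MESHED_POD"; then
  echo "meshed pod: sidecar redirect in place"
fi
if ! istio_redirect_ok "$RACED_POD"; then
  echo "raced pod: sidecar bypassed, traffic leaves the pod unproxied"
fi
```

Run it on a node against every pod that carries the sidecar injection label and treat a failing pod as unproxied: its PeerAuthentication and AuthorizationPolicy rules are not being enforced for that workload, whatever the mesh configuration says.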
Is Your Virtual Machine Really Ready-to-go with Istio?
Onboard steps ○ Set up Internal Load Balancers (ILBs) for Kube DNS, Pilot, Mixer and CA ○ Generate configs for VMs, incl. `cluster.env`, DNS config, Istio authN secrets etc. ○ Set up dnsmasq, Istio components ... No first-class support for VM Multiple Networks ○ All traffic goes through the Gateway ○ Need to set up L3 networking if enhanced performance is desired ● Overheads introduced ● No high performance data ...
50 pages | 2.19 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
... params - debounce interval, push concurrency, etc. ... Control-plane Scale Testing: Setup ● Setup ○ Create Gateway Pods & thousands of Pods with sidecar Envoys ○ Measure Config convergence ...
22 pages | 505.96 KB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
... io/latest/docs/reference/config/networking/sidecar/ ● Istio CNI plugin https://istio.io/latest/docs/setup/additional-setup/cni/ ... Thank you!
23 pages | 2.51 MB | 1 year ago
Accelerate Istio-CNI with ebpf
... plugin performs the Istio mesh pod traffic redirection in the Kubernetes pod life-cycle's network setup phase, ● Removing the requirement for the NET_ADMIN and NET_RAW capabilities for users deploying ...
15 pages | 658.90 KB | 1 year ago
Automate mTLS communication with GoPay partners with Istio
... abstraction concept that makes managing things easier. Before Mutual TLS? HTTPS + Allowlisting: Our previous setup is using HTTPS with allowlisting to only allow specific IP addresses to access our endpoints. Drawback: ...
16 pages | 1.45 MB | 1 year ago
Local Istio Development
... are over localhost + Reproducible configuration with other developers and Istio tests + Easy to set up bespoke clusters, including enabling alpha features and multicluster - Local resource utilization ...
16 pages | 424.31 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
... the Istio maintainers, and the documentation also mentions this¹: ¹ https://istio.io/latest/docs/setup/install/operator/ ... Istio Security Audit, 2023 ... It was also stated by the Istio maintainers throughout ...
55 pages | 703.94 KB | 1 year ago
10 results in total, page 1