20 by specifying a container resource as an HPA target ● In the meantime, we need to add the Istio sidecar into the HPA calculation 22 Define HPA target for multi-containers pods Stabilizing Istio CPU: 1 Memory: 100MB Pod App container Container requests 23 Define HPA target for multi-containers pods Stabilizing Istio CPU: 1 Pod App container Container requests HPA configuration (70% resource: name: cpu target: type: Utilization averageUtilization: 70 Will trigger when the container is using more than 700m CPU 24 Define HPA target for multi-containers pods

Appendix B on page 40. 2 | Google Istio Security Assessment Google / NCC Group Confidential Dashboard Target Metadata Engagement Data Name Istio Type Architecture Review and Code-Assisted Security Assessment account creating or updating the VirtualService is authorized to manipulate VirtualServices in the target namespace. Due to this, it is possible for accounts with access to only specific namespaces to surreptitiously Cluster, Istio’s configuration, and execution information about running programs. It could be used to target other services or potentially in a DoS attack if a large request is made repeatedly. Description

implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster Edge Operations Workload Data Exfiltration Man-In-The-Middle Denial of Service

Match & redirect ● ~5% improvements #IstioCon TCP/IP Stack Bypass (cont.) ● Leverage eBPF ● Target Pod/VMs on the same node ● Use case: edge computing ○ Limited number of nodes ○ More traffic

NewReader(r) if err != nil { return nil, fmt.Errorf("failed to parse layer as tar.gz: %v", err) } // The target file name for Wasm binary. // https://github.com/solo-io/wasm/blob/master/spec/spec-compat.md#specificati