users easy access to features such as observability, traffic management and security without requiring users to add these to their application code. It also offers more advanced features to support A/B testing Security Components One of the advantages of using Istio is that it offers a series of security features related to identity, policies, TLS encryption, authentication, authorization and internal auditing the proxies and checks whether the policy of each proxy is up to date. Authentication has two core features in Istio: 1. Peer authentication: used for service-to-service authentication to verify the client

each maturity level: experimental, alpha, beta, and stable ● Ensuring appropriate documentation, testing, and code completion is done for each level ● Making sure that features continue to mature #IstioCon announcements ● What to look for when examining releases ○ Performance ○ Resource usage ○ Open issues ○ Features being promoted ○ Release notes and upgrade notes #IstioCon Continuous Release Health ● New dashboard to allow visibility of release health ● Open issues and priorities ● Issues being promoted ● Features awaiting documentation ● Weekly performance ● Open release blockers #IstioCon Thanks also to

risk configurations commonly used by administrators, and provide perspective on whether security features sufficiently address the concerns they are designed to provide. Four consultants over a period of is not recommended in this case but a similar approach could be build a self- hosted checklist of features and configuration options that Istio believes match security best practices. See Appendix B on page are debug interfaces exposed that cannot be disabled by Istio, so that even when all the security features are enabled, there does not appear to be a way to restrict a Pod’s access to them. Attempts to modify

Validation of the proxy’s status for VM-based workloads #IstioCon V1.8 VM Auto Registration ● Experimental ● Auto-scaling ● Automatically add a WorkloadEntry for a VM instance that connects with a (Remote Direct Memory Access) ● Advance transport protocol (same layer as TCP and UDP) ● Main features ○ Remote memory r/w semantics in addition to send/receive ○ Kernel bypass / direct user space

pilot-agent environmental variables Disclaimer: Environmental variables and their use are considered experimental. There is no guarantee that they will not be deprecated in a future release. Use at your own there are other, better ways of enabling functionality; environmental variables are considered experimental. #IstioCon Thank you! Jacob Delgado Aspen Mesh

Proxy Configuration #IstioCon Functioning Welcome App #IstioCon istioctl... ● analyze ● experimental ● proxy-config ● proxy-status ● upgrade (--dry-run) ● verify-install ● bug-report #IstioCon

at the Istio enhancements repository Checklist and approval required for feature promotions: Experimental->Alpha->Beta->Stable #IstioCon Let’s See It Live! https://github.com/instana/robot-shop #IstioCon

End of 2021 100% services migrated to Istio 8 Features currently used: ● HTTP/2 Load-balancing ● Traffic Shifting ● mTLS Features under investigation: ● Retries ● Circuit breaking Istio Istio Main time consumers with Istio: 1. Troubleshooting 2. Spreading adoption 3. Supporting new features 29 To succeed in Istio adoption you need to have: Stabilizing Istio ● Dedicated resources for temptations from users to open features too early ● Mechanisms to improve the reliability of Istio 30 Choose your fights, start small Stabilizing Istio Start with few simple features such as: ● Injecting

optimization during Knative Service provisioning ○ Unleash maximum scalability by fully leveraging Istio features in Knative with service mesh enabled ● Reference Agenda #IstioCon Knative and Istio Istio high configuration churn 30s #IstioCon Unleash maximum scalability by fully leveraging Istio features in Knative with service mesh enabled • Enable Istio mesh on Knative – Data flow with Istio mesh/mTLS seconds for Knative application pod cold start. Unleash maximum scalability by fully leveraging Istio features in Knative with service mesh enabled • Enable Istio mesh on Knative – Impact without optimization

An API Gateway Discussion Flow ● What is an API Gateway? ● What is a Service Mesh? ● Common Features ● API Gateway + Service Mesh together! ● Istio as the API Gateway ● Advantages ● Challenges ● Where It Isn’t a Good Fit? What is an API Gateway? What is a Service Mesh? Common Features Common Features ● Load Balancing ● Request Routing ● Service Discovery ● JWT Authentication ● Traffic