Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Hadoop, Apache Spark, Apache Flink, etc. ○ Machine Learning Platforms - TensorFlow, PyTorch, Jupyter Notebook, etc. ○ Central Logging & Tracing - Prometheus, ClickHouse, etc. ○ Messaging systems - Kafka, Scala, etc. ● Running on a variety of hardware ○ General-purpose x86 servers ○ GPUs #IstioCon Application Deployment: Cloud Layout ● Region: A metro region ● DC: One or more Data Centers in each Region customer ○ PoPs are mini AZs Region R1 AZ 1 AZ 2 AZ n Data Center DC1 Region Rn #IstioCon Application Deployment: Cloud Layout ● Multiple K8s Clusters in an AZ ○ Each K8s cluster ~ 200 - 5,000 nodes
Istio is a long wild river: how to navigate it safely
Mercari What Is Mercari? ● Service start: July 2013 ● OS: Android, iOS *Can also be accessed by web browsers ● Usage fee: Free *Commission fee for sold items: 10% of the sales price ● Regions/languages | grep -v envoy | wc -l | xargs) -ne 0 ]; do sleep 1; done"] This preStop hook will wait for application connections to be drained before stopping the container. 18 Workaround: Use postStart and preStop so that Envoy is stopped after any other container in a pod ● Use a `preStop` lifecycle hook in the application container manifest: lifecycle: preStop: exec:
Istio Security Assessment
finding, NCC Group uses a composite risk score that takes into account the severity of the risk, the application's exposure and user population, the technical difficulty of exploitation, and other factors. For an it exposes. One of which is the "/debug" API hosted on 15014/TCP by default. This service exposes a web interface that is accessible without authentication to anything that is able to access its network Pilot. This has a risk of containing certificates, keys, and secrets used by Pilot at runtime. This web interface also allows unauthenticated users to force all Istio objects to sync their current
Developing & Debugging WebAssembly Filters
Copyright © 2020 Portable Secure Fast Any Language Outside the Web WebAssembly Extend Envoy Proxy with WebAssembly (Wasm) Polyglot: Envoy Filters are written in C++ and Wasm SECURITY Technology User Experience WebAssembly lifecycle Build > meshctl wasm init addheader-filter --language meshctl wasm build rust -t webassemblyhub.io/yuval/addheader-rust:v1 ./addheader-filter ABI: Application Binary Interface > meshctl wasm push webassemblyhub.io/yuval/addheader-rust:v1
Service mesh security best practices: from implementation to verification
Operations Workload Data Exfiltration Man-In-The-Middle Denial of Service Privilege Escalation Application Compromise Control Plane Service mesh security architecture Cluster Workload Edge Operations Proxy Ingress 1. Define ingress security policies to control access to services. Deploy a web application firewall to defend against DDoS, injection, and remote execution attacks. Edge security Egress
Optimal Canary Deployments using Istio and how it scores over Spring Cloud and Kubernetes
balancer) www.my-application.com External Traffic 75% 25% Deployment Canary Releases Using Kubernetes Deployment POD POD POD SERVICE (Load balancer) www.my-application.com External Traffic SERVICE (Load balancer) www.my-application.com External Traffic POD POD 0% 100% Deployment Deployment Deployment Canary Releases Using Kubernetes – Across application Layers Deployment POD POD SERVICE (Load balancer) www.my-application.com External Traffic 75% 25% POD POD POD POD SERVICE (ClusterIP) 75% 25% POD POD Cross-version Traffic My-data-service Service Demo-canary
Istio in production
app app app app apiVersion: "nais.io/v1alpha1" kind: "Application" metadata: name: app labels: team: pension spec: image: navikt/app:1 port: 8080 replicas: inbound: - name: consumer-a app apiVersion: "nais.io/v1alpha1" kind: "Application" metadata: name: app labels: team: pension spec: image: navikt/app:1 port: 8080 replicas: -f nais.yaml application deployment service virtualservice autoscaler networkpolicy servicerole servicerolebinding serviceentry apiVersion: "nais.io/v1alpha1" kind: "Application" metadata: name:
宋净超 (Jimmy Song): From Open-Source Istio to Enterprise Services: How to Adopt Service Mesh in the Enterprise
to Enterprise Service Mesh 宋净超 (Jimmy Song) September 24, 2022 Shanghai, China Cloud Native Application Networking Secure, Observe and manage microservices Outline ● Background ● Enterprise Service complexity and lack of operational agility ● You can't be Cloud Native at scale without a modern application-aware network Cloud!=Cloud Native Bare metal VMs Kubernetes VMs ● Monolith was decoupled to different from the perspective of a developer building and operating an application Why is Istio? TSB: The Application-Aware Networking Platform Istio: Control Plane Tetrate Service Bridge: Management
Full-Stack Service Mesh: Aeraki Helps You Manage Any Layer-7 Traffic in the Istio Service Mesh
Management ❏ MetaProtocol - a general-purpose layer-7 protocol framework for Service Mesh #IstioCon Protocols in a Typical Microservice Application Service Service Service Service Service Service Message Broker RPC RPC RPC Message Message with application layer error codes ○ HTTP status code ○ Redis Get error ○ ... ● Observability with application layer metrics ○ HTTP status code ○ Thrift request latency ○ ... ● Application layer authorization: Identity/Source IP/Dest Port ○ Request level auth is impossible #IstioCon BookInfo Application - AwesomeRPC ProductPage Reviews v1 AwesomeRPC (header: user != Jason) AwesomeRPC (header:
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
use Istio gateway service istio-ingressgateway as its underlying service. Knative Activator or Application Front door design #IstioCon - Traffic Splitting, blue/green deployment How Istio is leveraged Inspection #IstioCon - Security with Service Mesh enabled • mutual TLS is enabled to secure the user application traffic end to end in production • Allow the platform to use Istio authorization policy to control flow with Istio mesh/mTLS #IstioCon o Init-container added which costs ~5 seconds for Knative application pod cold start. o Every sidecar needs full mesh information by default. Not a scalability solution