Istio 2021 Roadmap A heartwarming work of staggering predictability
#IstioCon Istio 2021 Roadmap A heartwarming work of staggering predictability Neeraj Poddar (Co-founder & Chief Architect, Aspen Mesh) Louis Ryan (Principal Engineer, Google) #IstioCon Highlights
0 credits | 17 pages | 633.89 KB | 1 year ago

Your laptop as part of the service mesh
#IstioCon Your laptop as part of the service mesh by Lorenzo Fundaró SRE @ Omio #IstioCon What’s on the menu today ● EnvoyFilter in practice ● Demo ● Inspiration #IstioCon Questions #istiocon steps away to find a problem #IstioCon 2. Allow simultaneous tests Only one commit at a time from your microservice #IstioCon 3. Reuse existing infrastructure ● Minimize costs ● Reuse existing infrastructure don’t proxy to original Foo 12 request_handle:respond(response) 13 end #IstioCon Ouch ! ● Your laptop is not part of the mesh club #IstioCon A dummy proxy for the mesh ● Called by Lua code
0 credits | 30 pages | 555.24 KB | 1 year ago

Secure your microservices with istio step by step
#IstioCon Secure your microservices with istio step by step JianFeng Ding, LuYao Zhong #IstioCon Agenda ● Istio identity ● mTLS in Istio ● Secure ingress traffic ● Authorize ingress traffic ● Authorize board to Istio ● Strict mTLS if possible ● Secure your ingress ● Enable Access Control to your services via Istio authorization policy Istio will Secure your microservices for you! #IstioCon Thank you
0 credits | 34 pages | 67.93 MB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
#IstioCon Is Your Virtual Machine Really Ready-to-go with Istio? Kailun Qin, Intel Haoyuan Ge #IstioCon Quick Summary (from Google Cloud Next ’19 [1]) VM works on Istio! [1] Istio Service Mesh protocols ■ Endpoints ○ After adding, sending traffic to the service as if it was a service in your mesh ■ Traffic redirect and forward ■ Retry, timeout, fault injection, mtls policies ■ VM service Abstraction ● Workload Entry ○ single non-Kubernetes workload ○ mTLS using service account ○ work with an Istio ServiceEntry ● Workload Group ○ a collection of non-K8s workloads ○ metadata and
0 credits | 50 pages | 2.19 MB | 1 year ago

5 tips for your first Istio.io Contribution
#IstioCon 5 tips for your first Istio.io Contribution Albert Sun | @albertsun0 #IstioCon About Me I’m a high schooler who loves learning about everything related to computers, especially interface interface design. I started working on Istio last summer. Istio.io Work Automation Indicator #7734 Add IBM Cloud Kubernetes Service specific instructions for node port Ingress Host #7663 Homepage Redesign Redesign Proposal #IstioCon #IstioCon “First and foremost: as a potential contributor, your changes and ideas are welcome at any hour of the day or night, weekdays, weekends, and holidays. Please
0 credits | 14 pages | 717.74 KB | 1 year ago

Istio-redirector: the way to go to manage thousands of HTTP redirections
non developers to use the API ○ Analyze existing redirections without technical skills Ease the work of our SEO Specialist #IstioCon Creating the .csv Importing the file Generating the Istio configuration (crawler, etc..) How does it work ? #IstioCon Creating the .csv Importing the file Generating the Istio configuration Deploy to production 1 3 4 2 How does it work ? #IstioCon Creating the .csv does it work ? #IstioCon Creating the .csv Importing the file Generating the Istio configuration Deploy to production 1 2 3 4 The files are reviewed, merged and deployed! How does it work ? #IstioCon
0 credits | 13 pages | 1.07 MB | 1 year ago

Istio Security Assessment
security choices are relevant, standards for hardening, and clear direction on which features should work with others to provide the most secure environment. The gaps in documentation include: • /docs/ mesh, would be easily bypassed. Egress gateways designed to restrict outbound communications do not work in themselves: “Istio cannot securely enforce that all egress traffic actually flows through the Fprintf(writer, "Unsupported platform %q; open %s in your browser.\n", runtime.GOOS, url) } if err != nil { fmt.Fprintf(writer, "Failed to open browser; open %s in your browser.\n", url) } } Recommendation Data
0 credits | 51 pages | 849.66 KB | 1 year ago

IstioCon2023 Welcome Keynote
Questions ● Join our Slack and interact live with other members of the Istio community. ● Bring your particular Istio questions to the gamified wizards of Stack Overflow. Bugs And Security ● Read this Become a Contributor ● The Istio Community README is the starting point for contributors who want to work on code, docs or other parts of Istio. ● You can access our trove of technical content and working the full IstioCon-VIRTUAL schedule • Abide by CNCF Code of Conduct • Use the official #IstioCon in your social conversations • Join #istiocon slack channel on slack.istio.io for follow up questions •
0 credits | 14 pages | 1.31 MB | 1 year ago

Istio is a long wild river: how to navigate it safely
Stabilizing Istio 2. Ensure that Envoy is stopped after any other container in a pod ● Adjust your pods terminationGracePeriodSeconds to be more than the sum of all sleeps in the preStop hooks. from users to open features too early ● Mechanisms to improve the reliability of Istio 30 Choose your fights, start small Stabilizing Istio Start with few simple features such as: ● Injecting sidecars what you need only Stabilizing Istio The reality: ● The control plane is burning down when pushing your thousand services updates to the hundreds of proxies running ● Proxies are OOM Killed every X minutes
0 credits | 69 pages | 1.58 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
audit they were verified by the Istio maintainers and found to be acceptable use cases. Note: Much work to migrate from gogo/protobuf to golang/protobuf had already been done here: https://github.com/i Istio community after they had been reported by the previous auditors. Our review focuses mostly on the work that had been done after the final audit report had been handed over to the Istio team, which is 6th be integrated into Istio's build pipeline as a first step to start 53 Istio Security Audit, 2023 work on provenance generation. This would generate provenance that satisfies SLSA level 3 which would bring
0 credits | 55 pages | 703.94 KB | 1 year ago

21 results in total