Set Sail for a Ship-Shape Istio Release
#IstioCon Set Sail for a Ship-Shape Istio Release. Brian Avery / twitter: @briansvgs / Red Hat Senior Software Engineer. Eric Van Norman / twitter: @kf0s / IBM Senior Software Engineer. … First
0 码力 | 18 pages | 199.43 KB | 1 year ago
How HP set up secure and wise platform with Istio
#IstioCon How HP set up a secure and wise platform with Istio. John Zheng / john.zheng@hp.com. Agenda: ➢ HP Horizon platform design with Istio ➢ Secure Platform ➢ Wise Platform ➢ Excellent … • A project runs as a tenant and needs control rights. Solution: the solution cluster connects to the core cluster with Istio multi-cluster (replicated control planes); some standalone clusters without Istio can access the core cluster … level, which reduces the application workload. Intelligence Platform for Multiple Tenant Support • Support multi-tenants (add an extra HTTP header / log wisely) • Verify whether the JWT token is on the blacklist or not • Different …
0 码力 | 23 pages | 1.18 MB | 1 year ago
Istio Security Assessment
… Hardened; 001 Low: The Sidecar Does Not Use AppArmor/Seccomp By Default; 005 Low: Insecure File Permissions Set; 007 Low: Istio Client-Side Bypasses; 014 Low: Sidecar Envoy Administrative Interface Exposed To Workload … “…d is set to false, communication between the control plane will be secure by default.”1 In the “Default” profile used to represent a production environment, the “controlPlaneAuthPolicy” is set to “NONE” … Remediation: • Modify the default policy mesh config map for “controlPlaneAuthPolicy: MUTUAL_TLS” • Create an Istio setup with control plane security enabled: istioctl install --set values.global.controlPlaneSecurityEnabled=true
0 码力 | 51 pages | 849.66 KB | 1 year ago
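The remediation quoted in the assessment snippet above is a one-line change in the mesh configuration. The two fragments below are an added illustration, not text from the assessment or from Istio's own documentation: they show the weak and the corrected `defaultConfig` (ProxyConfig) entry of the `mesh` key in the `istio` ConfigMap in `istio-system` for the Istio 1.4/1.5 line the `controlPlaneSecurityEnabled` value applied to. Everything except the `controlPlaneAuthPolicy` key itself is assumed to be a default install; the surrounding keys of a real ConfigMap are left out.

```yaml
# Constructed example: the relevant part of data.mesh in the "istio" ConfigMap
# (namespace istio-system). Weak setting: sidecars fetch xDS config from the
# control plane over plaintext gRPC, which is what the "default" profile ships.
defaultConfig:
  controlPlaneAuthPolicy: NONE
---
# Hardened setting: sidecars authenticate the control plane and themselves with
# mutual TLS. This is the state produced by
#   istioctl install --set values.global.controlPlaneSecurityEnabled=true
defaultConfig:
  controlPlaneAuthPolicy: MUTUAL_TLS
```

To check a running cluster, dump the mesh config with `kubectl -n istio-system get configmap istio -o jsonpath='{.data.mesh}'` and confirm the value is `MUTUAL_TLS`; the sidecars only pick up the new policy after they are restarted, so re-roll the injected workloads after the change.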
Is Your Virtual Machine Really Ready-to-go with Istio?
… Non-Linux ○ unikernels ● Domain-specific workloads ○ Network Functions (NFV) #IstioCon Hybrid and Multi Clouds. Istio VM Integration is? A Tumultuous Odyssey… [1] Istio 1.8: A Virtual Machine … sensitive data ○ Strong isolation for multi-vendor services ○ End-to-end security! (not just between middle boxes) ● High performance networking ○ Much higher multi-Gbps peak data speeds ○ Ultra low latency … enhanced performance is desired ● Overheads introduced ● No high performance data path support ○ Multi-Gbps bandwidth ○ Ultra low latency. Performance Limitations: Solutions ● Software techniques …
0 码力 | 50 pages | 2.19 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
… complete, leading to 5xx errors. Example: for sleep 30 + sleep 45 in the application container, we set terminationGracePeriodSeconds to 90 seconds. Warning: These are workarounds, not solutions! … pattern in a better way, these workarounds should be deprecated. Shortcoming 2: Autoscaling multi-container pods. Kubernetes offers 2 ways to autoscale pods: ● HorizontalPodAutoscaler … calculation. Define HPA target for multi-container pods: CPU: 1, Memory: 100MB (App container requests) … Define HPA target for multi-container pods …
0 码力 | 69 pages | 1.58 MB | 1 year ago
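The autoscaling shortcoming named in the snippet above is that a pod-level CPU target averages utilization over every container in the pod, so the injected istio-proxy sidecar dilutes the application's number. The two HPA objects below are an added example, not taken from the talk, and go slightly beyond it by showing the fix as well as the problem: the first uses the pod-level `Resource` metric, the second the `ContainerResource` metric type that scopes the target to one named container (Kubernetes 1.20+, behind the `HPAContainerMetrics` feature gate until it was enabled by default in 1.27). The Deployment name `app`, the container name `app` and the 70% target are assumptions; the slide's "CPU: 1" request for the app container is what the container-level utilization is computed against.

```yaml
# Constructed example. Pod-level target: the HPA sums CPU usage and CPU requests
# across ALL containers in the pod, so a mostly idle istio-proxy with its own
# request drags the utilization figure down and the app scales out late.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: app-podlevel
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: app                 # assumed Deployment name
  minReplicas: 2
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70
---
# Container-level target: utilization is usage/request of the named container only
# (the app container with its CPU: 1 request), so the sidecar is ignored.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: app-containerlevel
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: app                 # assumed Deployment name
  minReplicas: 2
  maxReplicas: 10
  metrics:
  - type: ContainerResource
    containerResource:
      name: cpu
      container: app          # assumed application container name
      target:
        type: Utilization
        averageUtilization: 70
```

With the container-level target the sidecar's own CPU request still counts toward scheduling and the pod's total, but it no longer enters the scaling decision; on clusters older than 1.20 the fallback is to size the istio-proxy request so that it does not distort the pod-level average.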
Accelerate Istio with eBPF
… Meetup China. eBPF background knowledge: map ● shares collected information ● accessed from eBPF programs as well as from user-space applications ● map types o HASHMAP o SOCKHASH: holds sockets. SOCK_OPS ➢ sets callbacks for TCP state changes ➢ helper functions: BPF_MAP_UPDATE_ELEM, BPF_SOCK_HASH_UPDATE ● SK_MSG ➢ attaches to a SOCKHASH map, captures the packets sent by a socket in the SOCKHASH map and determines …
0 码力 | 15 pages | 591.60 KB | 1 year ago
IstioCon 2021 Partner Packages
… Financial support. The following table describes the event bundles that allow IstioCon to showcase a multi-vendor ecosystem of partners associated with certain levels: ● Tiers and sponsors' logos will be displayed … and will be connected with a provider that can produce those items. ● Sponsoring vendors will set up a separate registration form on their own platform, directed from the event site. The participants … away cloud credits, e-books, subscriptions to their services, discount codes, etc. ● Sponsors will set up a separate registration form on their own platform, directed from the event site. The participants …
0 码力 | 23 pages | 3.18 MB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
… net-istio is a Knative ingress controller for Istio. Knative is an open source project which provides a set of components (Serving and Eventing) that introduce event-driven and serverless capabilities for … mount secrets under istio-system to the ingress gateway, which contains credentials for HTTPS support of multiple tenants. • Knative has knative-ingress-gateway for external access and knative-local-gateway for cluster … PILOT_DEBOUNCE_AFTER=100ms and PILOT_DEBOUNCE_MAX=10s are the env vars on pilot that can be tuned. o Setting PILOT_DEBOUNCE_AFTER=1s helps under our workload (we tested with 100ms, 1s, 2s, 5s, 10s). o With 800 …
0 码力 | 23 pages | 2.51 MB | 1 year ago
宋净超: From open-source Istio to enterprise-grade services: how to land a service mesh in the enterprise
… security ● R&D on Next Generation Access Control (NGAC) ● Exclusively co-host the annual zero trust multi-cloud conference. Best in Class Team ● Creators of the service mesh Istio, gRPC, Apache SkyWalking ● … Tetrate's product is built on top of upstream Istio ● Why not Istio OSS? ● Problems unsolved: ○ Multi-cluster and VM (lower onboarding cost) ○ Enterprise team structure gap (Workspace, Tenants, etc.) ○ … Workload (Service) VM, Workload (Service) VM, API Gateway, Ingress & Egress. Mesh can include VMs ● Multi-tenancy ● Traffic shaping and canary controls across clusters ● High availability & resiliency enabling …
0 码力 | 30 pages | 4.79 MB | 6 months ago
Istio Service Mesh at Enterprise Scale
… Shaping ✓ Latency ✓ Single Point of Failure. Adoption Challenges ● Multi-region deployments ● Non-flat networks ● Multi-tenant configuration ● Management of Istio installation ● Self-service … Install/Upgrade ○ Admiral cluster registration ● Higher-level logical service for developers ○ Multi-cluster identity ○ Multi-region endpoint ○ Istio config integrated with GitOps deployment ○ Init modifications …
0 码力 | 12 pages | 1.23 MB | 1 year ago
29 results in total