Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
is the default networking layer solution of Knative. It is leveraged for Net-istio is A Knative ingress controller for Istio. Knative is an open source project which provides a set of components (Serving leveraged in a Knative based platform - Istio as an Ingress Gateway • By default, Knative does not enable service mesh, it uses Istio as an Ingress Gateway. • Enable Secret Discovery Service (SDS) to monitor and mount secrets under istio-system to ingress gateway which contains credentials for https support of multi tenants. • Knative has knative-ingress-gateway for external access and knative-local-gateway
0 码力 | 23 pages | 2.51 MB | 1 year ago | 3
Service mesh security best practices: from implementation to verification
Compromise Control Plane Service mesh security architecture Cluster Workload Edge Operations Ingress Policies Egress Policies WAF / IDS Firewall User AuthN/Z Data Loss Prevention Certificate Operation security Mesh security Edge Security Cluster security Service Proxy Ingress 1. Define ingress security policies to control accesses to services. Deploy web application firewall to security best practices Cluster security Access control Service Proxy Ingress Token exchange 1. Istio authentication and authorization policies for every service: mTLS to
0 码力 | 29 pages | 1.77 MB | 1 year ago | 3
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Server NLB Controllers Istiod Network Load Balancer (NLB) Network Load Balancer (NLB) Ingress Gateway Ingress Gateway Pods Request Traffic Response Traffic Specs synced from Federated Access Access Point L4 Configuration L7 Route Configuration watch Client Traffic tunneled to Ingress Gateways One Istio Deployment per workload K8s cluster #IstioCon Step 3: Evolve into AZ architecture Re-deployed Istio to AZ cluster ○ In Primary-Remote configuration within an AZ AZ AZ Cluster Ingress Gateways API Server Istiod East-West Gateway watch API Server Pods, Services Workload
0 码力 | 22 pages | 505.96 KB | 1 year ago | 3
Apache APISIX from Gateway to Full Traffic Proxy with Istio
Traffic Proxy with Istio Jintao Zhang API7.ai #IstioCon About Me ● Apache APISIX PMC ● Kubernetes Ingress NGINX maintainer ● Microsoft MVP ● zhangjintao@apache.org ● https://github.com/tao12345666333 Gateway (weibo, WPS) ● Microservices API Gateway (iQIYI) ● Kubernetes Ingress controller (UPYUN) ● https://github.com/apache/apisix-ingress-controller/ #IstioCon Why use Apache APISIX as the data plane for
0 码力 | 15 pages | 1.29 MB | 6 months ago | 0.03
Using Istio to Build the Next 5G Platform
Namespace SMF SQL DB AMF App B AMF App A SMF Frontend SMF Ingress Gateway Redis DB SMF App X AMF Identity SMF Identity SMF Identity 10 ©2021 Aspen Namespace AMF Namespace SMF SQL DB AMF App B AMF App A SMF Frontend SMF Ingress Gateway Redis DB SMF App X https://aspenmesh.io/how-to-capture-packets-that-dont-exist/
0 码力 | 18 pages | 3.79 MB | 1 year ago | 3
Is Your Virtual Machine Really Ready-to-go with Istio?
Cluster IP resolved 4. Traffic intercepted by the sidecar proxy 5. xDS ■ Traffic forwarded to ingress in the mesh ● Traffic flow (Container -> VM) 1. Manual registration istioctl -n onprem register
0 码力 | 50 pages | 2.19 MB | 1 year ago | 3
6 results in total