Redis TLS Origination through the sidecar
Author: Sam Stoelinga | Twitter: samosx | GitHub: samos123. Based on blog post: https://samos-it.com/posts/securing-redis-istio-tls-origniation-termination
[Diagram: External DB, app container, istio-proxy; TCP between app and sidecar, TLS from sidecar outward]
● App talks unencrypted TCP to Redis
● Sidecar istio-proxy encrypts the Redis traffic and sends it to the external Redis
● App doesn't need to configure TLS; metrics available
How it looks after TLS origination. How to do Redis TLS origination with the sidecar?
1. Create a ServiceEntry for the external service so that Istio knows about Redis
2. Create a DestinationRule
9 pages | 457.76 KB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
o Init-container added, which costs ~5 seconds of Knative application pod cold start.
o Every sidecar needs full mesh information by default. Not a scalability solution.
o Activator needs to probe the time for Istiod to discover the endpoint of ready pods and then push them to the sidecar.
o Istio-proxy (Envoy) sidecar costs ~2 seconds of Knative application pod cold start.
Unleash maximum scalability
o Use cases: no service access across user namespaces.
o The Sidecar CR helps to limit the known egress hosts for sidecars; a sidecar needs to know the mesh in its own user namespace only.
o We can
23 pages | 2.51 MB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
secrets etc.
○ Set up dnsmasq and Istio components in the VM and verify functionality
○ Configure sidecar interception; restart Istio and manually register the running services
V0.2 Mesh Expansion: built-in Kube DNS (exposed by ILB)
3. Obtain the resolved Cluster IP
4. Traffic intercepted by the sidecar proxy
5. xDS
■ Traffic forwarded to ingress in the mesh
● Traffic flow (Container -> VM)
Workload Group
○ a collection of non-K8s workloads
○ metadata and identity for bootstrap
○ mimic the sidecar proxy injection
○ automate VM registration
○ health/readiness check
V1.7 VM Support
50 pages | 2.19 MB | 1 year ago

Accelerate Istio-CNI with ebpf
Xu Yizhou & Guo Ruijing
Agenda
● Istio-CNI
● TCP/IP stack overhead between sidecar and service
● Background knowledge of eBPF
● Acceleration for Inbound / Outbound / Envoy to Envoy
Istio-CNI replaces the functionality provided by the istio-init container.
TCP/IP stack overhead between sidecar and service. Sidecar traffic overhead in three scopes:
● Inbound
● Outbound
● Envoy to Envoy (same host)
15 pages | 658.90 KB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Control-plane Scale Testing: Setup
● Setup
○ Create Gateway Pods & thousands of Pods with sidecar Envoys
○ Measure config convergence time
■ Time taken by all sidecars to get config from Pilot
Scale Testing: Results
● Default wide-open egress sidecar configuration does not scale
○ Results in high memory usage & convergence times, since each sidecar knows about all services in the cluster
○ Disabled
22 pages | 505.96 KB | 1 year ago

Using Istio to Build the Next 5G Platform
Tuning Istio to Meet 5G Requirements
● Tracing to surface 5G-specific tags
● Optimize HTTP/2 stream and connection settings
● Configure sidecar proxy concurrency
©2021 Aspen Mesh. All rights reserved
18 pages | 3.79 MB | 1 year ago

6 results in total