#IstioCon V0.2 Mesh Expansion ● Prerequisites ○ IP connectivity to the endpoints in the mesh ○ Istio control plane services (Pilot, Mixer, CA) accessible from the VMs ○ (optional) Kubernetes DNS server accessible Istio and manually register the services running #IstioCon V0.2 Mesh Expansion (cont.) ● Traffic flow (VM -> Container) 1. Dnsmasq accepts DNS queries 2. Access the built-in Kube DNS (exposed by ILB) intercepted by the sidecar proxy 5. xDS ■ Traffic forwarded to ingress in the mesh ● Traffic flow (Container -> VM) 1. Manual registration istioctl -n onprem register mysql 1.2.3.4 3306 #IstioCon

application traffic end to end in production • Allow platform to use Istio authorization policy to control the access to each Knative service based on Istio service roles. How Istio is leveraged in a Knative overload issue still exits 800 Knative Services #IstioCon o 1400 total with dev release with flow control fix looks great, ingress_ready p100 < 30s o [Istio 1.9.x] Support for backpressure on XDS pushes configuration churn. This is disabled by default and can be enabled by setting the PILOT_ENABLE_FLOW_CONTROL environment variable in Istiod. o Final solution is envoy delta-XDS push in future Istio release

Hierarchy of control planes ● Global Control Plane ○ Users provide application specs to Global Control-Plane ○ Syncs specs to AZ control-planes ○ Hosts global services - Global IPAM, Access-control Policy Policy store, etc. ● AZ Control Plane ○ Syncs specs to workload K8s clusters in the AZ ○ Shared-Nothing Architecture ■ Hosts services catering to the AZ, e.g., AZ IPAM, Network Load-balancers, etc Cluster K8s Cluster AZ Control Plane AZ Control Plane AZ Control Plane Global Control Plane Region Rn Delegate #IstioCon Load balancing & Traffic Flow ● Two tiers of hardware Load-Balancers

Agenda 7 Confidential � ©2018 VMware, Inc. • Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION RELIABILITY DEPLOYMENT OVERVIEW • HA Kubernetes Cloud Foundry 12 Confidential � ©2018 VMware, Inc. SECURITY Isolation Access control Content Trust Vulnerability Scanning ���� NS �� ���� �� • ���������NS • ��������� • ������� Scanning Replication Service Level Agreement (Authorization) SLA: Tenant Mapping (Project) SLA: Flow Control Log Notary Clair Jobs Authentication API Credentials LDAP Platform Tools Updated Components

Agenda 7 Confidential � ©2018 VMware, Inc. • Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION RELIABILITY DEPLOYMENT OVERVIEW • HA Kubernetes Cloud Foundry 12 Confidential � ©2018 VMware, Inc. SECURITY Isolation Access control Content Trust Vulnerability Scanning ���� NS �� ���� �� • ���������NS • ��������� • ������� Scanning Replication Service Level Agreement (Authorization) SLA: Tenant Mapping (Project) SLA: Flow Control Log Notary Clair Jobs Authentication API Credentials LDAP Platform Tools Updated Components

“Write once, run anywhere” data analytics portability DATA ENG DATA WH AI/ML OP DB DATA FLOW Unified security & governance with open cloud-native storage formats Open data fabrics, lakehouses / 51 6 Confidential—Restricted … AND NATIVE INTEGRATION WITH BIG DATA WORKLOADS Support access control policy, lineage and governance Support HDFS and S3 API based applications Application Security

mode check box to enable the connection. Note: Most broadband providers will use Dynamic Host Control Protocol (DHCP) to provide you with an IP address. If a Static IP address is required, it will be word processor also allows you to use various templates, apply different styles to your document, control your page layout and insert, edit and create graphics inside your text document. Instructions to this dialogue box to define finer specifications for the table such as alignment, column width, text flow, borders and background. Define the table specifications as per your requirements and preferences

state ● Accessed from eBPF programs as well as from applications in user space #IstioCon Work Flow of Acceleration ● Attach SOCK_OPS program to global cgroup ● Capture socket in established state

connecting, before disconnecting, and after disconnecting. You can also configure various settings to control the behavior of these commands. Shell commands in DBeaver can be triggered by specific events. These connection to your database using Kerberos, providing user identification, authentication, and access control. Setting Description Username Specifies the name of the user or role within the database. This authenticate: To use a plain URL connection you must enable the for the Oracle autonomous Access control list database. Then add your IP address to the IP list. Use the Custom connection configuration

connecting, before disconnecting, and after disconnecting. You can also configure various settings to control the behavior of these commands. Shell commands in DBeaver can be triggered by specific events. These connection to your database using Kerberos, providing user identification, authentication, and access control. Setting Description Username Specifies the name of the user or role within the database. This authenticate: To use a plain URL connection you must enable the for the Oracle autonomous Access control list database. Then add your IP address to the IP list. Use the Custom connection configuration