Istio is a long wild river: how to navigate it safely
…your fights, start small. Stabilizing Istio: start with a few simple features such as: ● Injecting sidecars, HTTP/2 load balancing ● Traffic shifting for canaries. Build confidence in the system and understanding. First headless services, now labels... Who said that migrating to Istio is only about adding sidecars?? Label selector updates for app and version labels. Adopting Istio: fair enough, let's do the IstioOperator manifest. Istio proxy performance and capacity. Adopting Istio: ● Putting sidecars everywhere has a cost ○ Latency ○ Compute resources. The Istio 1.9 community reference values…
0 credits | 69 pages | 1.58 MB | 1 year ago
THE GITOPS GUIDE TO BUILDING & MANAGING INTERNAL PLATFORMS
…leverages Istio as its service mesh, and one aspect of Istio is its reliance on sidecars for secure network communication. Sidecars, which are language agnostic, act as service proxies and allow for all traffic … container. The second benefit is that sidecars are injected automatically, no matter the workload. This means that even if your software team does not know about sidecars, they are still going to utilize … benefits. This is what baked-in security looks like in practice. 3. Enforce zero-trust security 4. Sidecars enable better security. A platform is an intricate system and it cannot be bought ready made from…
0 credits | 15 pages | 623.52 KB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
…& thousands of Pods with sidecar Envoys ○ Measure config convergence time ■ Time taken by all sidecars to get config from Pilot without any errors ■ For thousands of services & endpoints ■ With different … ○ Disabled egress traffic to restrict config pushed to sidecars ● Main takeaways ○ P99.9 time from a single Pilot instance to 0 - 3,000 sidecars < 1 second ○ Pilot CPU & memory within acceptable limits:…
0 credits | 22 pages | 505.96 KB | 1 year ago
Istio Security Assessment
…“distroless” version of its Docker image which builds a minimal, hardened version that can be used for sidecars. These types of security controls should not be optional. Reproduction Steps: Attach to a Pod that … Distroless image which can be used by other Istio control plane components (like Pilot) as well as the sidecars used by Pods and workloads. Make this configuration the default option for all systems possible … on how to disable them when users want to opt out of these controls. This should be enabled for sidecars and services within the Istio control plane as well. Google Istio Security Assessment
0 credits | 51 pages | 849.66 KB | 1 year ago
IstioCon2023 Welcome Keynote
…What’s New Since 2022: CNCF Graduation; Ambient Mesh, a new dataplane mode for Istio without sidecars. Graduated: announcing Istio's graduation within the CNCF. Join CNCF: Istio has applied to…
0 credits | 14 pages | 1.31 MB | 1 year ago
How HP set up secure and wise platform with Istio
…definition: HTTP filters, Network filters, UDP listener filters … Match outbound listeners in all sidecars or Istio gateway. The Lua code that Envoy will execute. Which port number the filter will apply…
0 credits | 23 pages | 1.18 MB | 1 year ago
Deploying highly available Service Mesh monitoring on Kubernetes
…API Targets. Global view - Querier ● Stateless, horizontally scalable. ● Fan out queries to all sidecars and stores. Merge and deduplicate query results. ● Global view + HA. Unlimited Retention ● Prometheus…
0 credits | 35 pages | 2.98 MB | 6 months ago
Service mesh security best practices: from implementation to verification
…is natively encrypted, such as HTTPS 3. use k8s network policies to limit traffic bypassing sidecars. Cluster security best practices: safely handle policy exceptions. Cluster security: Access control…
0 credits | 29 pages | 1.77 MB | 1 year ago
Istio + MOSN: exploring the Dubbo scenario
…Resource name: CDS EDS LDS RDS; Virtualservices ✔; Gateways; Serviceentries; Destinationrules; Envoyfilters; Sidecars; ConfigClientQuotaspecs; ConfigClientQuotaspecbindings; Authorizationpolicies; Requestauthentications…
0 credits | 25 pages | 3.71 MB | 6 months ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
…service access across user namespaces. o The Sidecar CR helps to limit the known egress hosts for sidecars; a sidecar needs to know the mesh in its own user namespace only. o We can limit the mesh size to…
0 credits | 23 pages | 2.51 MB | 1 year ago