Automate mTLS communication with GoPay partners with Istio
TLS ○ Centralized Certificate Management ○ Ingress mutual TLS ○ Egress mutual TLS ● Challenge & Future Works GoPay & Istio About ● A few hundred developers ● Multiple Kubernetes Clusters ● 250+ microservices Challenge & Future Works Challenge ● Client egress communication sometimes got a 503 error (Istio #26990). This is fixed by adding a retry mechanism in the Virtual Service object. Future Works ● Migrating
16 pages | 1.45 MB | 1 year ago
Istio Security Assessment
create an additional resource type for ingress gateways to abstract their configuration and enable future features. This could be used, in combination with a new Gateway resource field, to implement a two-way Permissive Kubernetes RBAC Permissions may allow excessive write access within a namespace. If, in the future, a privilege escalation vector is identified for any of the Kubernetes API Groups, escape from a field for trafficPolicy.tls will result in the proxy not verifying the server’s certificate. For future versions of Istio, when a DestinationRule or similar client-side configuration declaring a remote
51 pages | 849.66 KB | 1 year ago
IstioCon 2022 Report
Participant feedback The majority of participants agree that they had enough information about the future of Istio project. Most participants felt empowered to use Istio after attending the conference helpful for the non-native English speakers. "Wonderful event and speakers, looking forward to join future events" "I enjoy the single track mode of this conference as well as the very quick access
20 pages | 2.44 MB | 1 year ago
Canary Release Practice for Kubernetes Container Applications Based on Istio
predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could
38 pages | 14.93 MB | 1 year ago
Canary Release Practice for Kubernetes Container Applications Based on Istio
predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could
34 pages | 2.64 MB | 5 months ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
#IstioCon Agenda ● Introduction ● Applications Deployment ● Service Mesh Journey ● Scale Testing ● Future Direction #IstioCon Introduction: eBay at a glance 185M Number of Active Buyers worldwide 19M PILOT_DEBOUNCE_AFTER, PILOT_DEBOUNCE_MAX, PILOT_PUSH_THROTTLE, etc. params of Istio Pilot #IstioCon Future Direction ● Support for on-demand config pushes to Envoy via Incremental XDS ● Support for multiple
22 pages | 505.96 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
several high-level goals: 1. Formalise a threat model of Istio to guide the security audit as well as future security audits. 2. Carry out a manual code audit for security issues. 3. Review the fixes for since all Istio team members that were involved in the previous security have left the project. In future security audits we recommend more transparent and public tracking of issues, and explicit notions
55 pages | 703.94 KB | 1 year ago
Using ECC Workload Certificates (pilot-agent environmental variables)
their use are considered experimental. There is no guarantee that they will not be deprecated in a future release. Use at your own discretion. ● To enable this, users must set the ECC_SIGNATURE_ALGORITHM
9 pages | 376.10 KB | 1 year ago
IstioCon 2021 Report
Participant feedback The majority of participants agree that they had enough information about the future of Istio project. Most participants felt empowered to use Istio after attending the conference
18 pages | 912.89 KB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
PILOT_ENABLE_FLOW_CONTROL environment variable in Istiod. o Final solution is envoy delta-XDS push in future Istio release. Istio scalability optimization during Knative Service provisioning • support for
23 pages | 2.51 MB | 1 year ago