Istio Security Assessment
hardening controls and should be replaced with a more secure-by-default option. • The Pilot admin interface exposes unnecessary services and is accessible to anyone within a default cluster. • The Envoy 017 High Ingress Gateway Configuration Generation Enables Route Hijacking 023 High Pilot Debug Interface Exposes Sensitive Information 002 Medium Default Production Profile Not Sufficiently Hardened 003 File Permissions Set 007 Low Istio Client-Side Bypasses 014 Low Sidecar Envoy Administrative Interface Exposed To Workload Containers 018 Low DestinationRules Without CA Certificates Field Do Not Validate
0 credits | 51 pages | 849.66 KB | 1 year ago

Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer-7 Traffic in the Istio Service Mesh
Layer-7 traffic management capabilities in the Mesh ❏ Several ways to extend Istio's traffic management capabilities ❏ Aeraki - managing all layer-7 traffic in the Istio service mesh ❏ Demo - Dubbo Traffic Management ❏ MetaProtocol - a general layer-7 protocol framework for Service Mesh #IstioCon Protocols in a Typical Microservice Application Database: mySQL, PostgreSQL, MongoDB ... ● Other Layer-7 Protocols: ... Control Plane (Traffic Management, Security, Observability) #IstioCon What Do We Expect From a Service Mesh? To separate infrastructure operations from application code, we need layer-7 traffic management… balancing at request level ○ HTTP host/header/url/method, ○ Thrift service name/method name ○ Dubbo Interface/method/attachment ○ ... ● Fault Injection with application layer error codes ○ HTTP status code
0 credits | 29 pages | 2.11 MB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
complexity ○ Need consistent policy enforcement ○ Need consistent metrics aggregation ● Traffic management ○ Load balancing for VMs, failover, A/B testing, modern rollouts for VM services ● Security workload certificate attributes #IstioCon Security & Usability Limitations (cont.) ● Access management: CNI needs improvements ○ Much required to avoid escalated Pod privileges ○ No support for smart Concurrency limitations ■ Lack of docs etc. #IstioCon VM High Performance Networking ● VM Host IO interface ○ Relay ■ DPDK ○ Passthrough ■ SRIOV ● SRIOV ○ Single Root I/O Virtualization ● SIOV ○
0 credits | 50 pages | 2.19 MB | 1 year ago

Developing & Debugging WebAssembly Filters
rust -t webassemblyhub.io/yuval/addheader-rust:v1 ./addheader-filter ABI: Application Binary Interface 13 | Copyright © 2020 > meshctl wasm push webassemblyhub.io/yuval/addheader-rust:v1 Build Store Orders User AWS EKS Istiod Orders User Account Ingress Ingress Ingress Gloo Mesh Management Plane SRE / Platform Team Deploy Wasm WasmDeployment Wasm Registry Istiod 18 | Copyright to build, push, share, deploy, debug Wasm into Istio service mesh Wasm Registry Multi-cluster management, orchestration of Wasm lifecycle 22 | Copyright © 2020 • https://solo.io • https://solo.io/blog
0 credits | 22 pages | 2.22 MB | 1 year ago

宋净超 - From Open-Source Istio to Enterprise-Grade Services: How to Adopt a Service Mesh in the Enterprise
TSB: The Application-Aware Networking Platform Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload Architecture ● Multi cluster ● Multi mesh ● Components ○ Management plane ○ Global control plane ○ Local control plane TSB Management Plane ● Front Envoy ● Multi Cluster support ● XCP Central -> Kubernetes Gateway API Use Case: A Financial Company Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload
0 credits | 30 pages | 4.79 MB | 5 months ago

Automate mTLS communication with GoPay partners with Istio
Agenda ● GoPay & Istio ● Before mutual TLS ● Implementing mutual TLS ○ Centralized Certificate Management ○ Ingress mutual TLS ○ Egress mutual TLS ● Challenge & Future Works GoPay & Istio About ● IP that used by all services) Implementing Mutual TLS Centralized Certificate Management ● Central certificate management manage our certificate lifecycle for HTTPS and mutual TLS communication. ●
0 credits | 16 pages | 1.45 MB | 1 year ago

Canary Release Practice for Kubernetes Container Applications Based on Istio
At Google: microservices become API Apigee API Management complements Istio with the robust features of Google Cloud's Apigee API management platform, Apigee Edge, by extending API management natively into the microservices
0 credits | 38 pages | 14.93 MB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Why Service Mesh? ● Current challenges include - ○ Manageability of Hardware Devices ■ Traffic Management & Security Enforcement ■ Updating hardware devices is slow ○ Achieving micro-segmentation at Discovery functions as features of the infrastructure - ○ Functions: TLS Termination, Traffic Management, Tracing, Rate Limiting, Protocol Adapter, Circuit breaker, Caching, etc. #IstioCon Service Architecture Evolving Security Current Status #IstioCon Step 1: Access Point Spec ● Capture Traffic Management & Routing intent as "Access Point" Specs ○ Leverage Istio object model: Gateway, VirtualService
0 credits | 22 pages | 505.96 KB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
used on top of Kubernetes. It offers users easy access to features such as observability, traffic management and security without requiring users to add these to their application code. It also offers more ● Certificate management ● Authentication ● Authorization ● Policy Enforcement Points (PEPs) ● A set of Envoy proxy extensions to manage telemetry and auditing Certificate management Alongside each
0 credits | 55 pages | 703.94 KB | 1 year ago

IstioCon2023 Welcome Keynote
ιστία) 1. sail What about the rest of the boat? Upcoming Talks: Aperture - Load Management Meshery - WASM plugin management Argo - Multi-cluster orchestration JP Morgan SLO Generation Reflecting on the
0 credits | 14 pages | 1.31 MB | 1 year ago