Is Your Virtual Machine Really Ready-to-go with Istio?
#IstioCon Is Your Virtual Machine Really Ready-to-go with Istio? Kailun Qin, Intel Haoyuan Ge #IstioCon Quick Summary (from Google Cloud Next ’19 [1]) VM works on Istio! [1] Istio Service Mesh Multi Clouds #IstioCon Istio VM Integration is? A Tumultuous Odyssey… [1] Istio 1.8: A Virtual Machine Integration Odyssey, Jimmy Song #IstioCon V0.2 Mesh Expansion ● Prerequisites ○ IP connectivity workloads themselves #IstioCon V1.6-1.8 Better VM Workload Abstraction Item Kubernetes Virtual Machine Basic schedule unit Pod WorkloadEntry Component Deployment WorkloadGroup Service registry and
0 码力 | 50 pages | 2.19 MB | 1 year ago

Using Istio to Build the Next 5G Platform
Aspen Mesh. All rights reserved. How to Make Legacy NFs Talk to CNFs in the Mesh UDM Virtual Machine Namespace SMF SMF Frontend UDM Egress Gateway Redis DB SMF App X certificates at gateways Learnings Along the Way 14 ©2021 Aspen Mesh. All rights reserved. ● 4G to 5G translation (Protocols like Diameter, SCTP, GTP) ● High speed data path (SR-IOV/DPDK) ● Customizing workload
0 码力 | 18 pages | 3.79 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
mode is enabled. As stated by the crypto/tls documentation: “In this mode, TLS is susceptible to machine-in-the-middle attacks unless custom verification is used. This should be used only for testing or http request that would be passed into httputil.DumpRequest() which could exhaust memory of the machine. The following demonstrates the issue: 1 package main 48 Istio Security Audit, 2023 2 3 4 5 panic(err) } fmt.Println("Here") } This program will not print out “Here” and will cause the machine to be inoperable from memory exhaustion. An attacker could exploit this by repeatedly sending large
0 码力 | 55 pages | 703.94 KB | 1 year ago

Building resilient systems inside the mesh: abstraction and automation of Virtual Service generation
the mesh: abstraction and automation of Virtual Service generation Vladimir Georgiev, Thought Machine #IstioCon Sync calls failures inside the mesh ● Everyone says to fail fast and retry quickly, definition Greeting service example #IstioCon Please Build System ● https://github.com/thought-machine/please ● Uses BUILD and allows for creation of miscellaneous rules Misc please rule for autogeneration
0 码力 | 9 pages | 1.04 MB | 1 year ago

Local Istio Development
speeds - Expensive #IstioCon Local Machine Local Cluster + Registry docker push kubectl apply docker pull Local Kubernetes Local Registry #IstioCon Local Machine Local Cluster + Registry docker
0 码力 | 16 pages | 424.31 KB | 1 year ago

Istio 2021 Roadmap A heartwarming work of staggering predictability
Discovery Service (SDS) ○ Auto mTLS ● API and feature promotion ○ Networking/Security APIs ○ Virtual Machine expansion/Multi cluster mesh https://istio.io/latest/blog/2020/tradewinds-2020/ #IstioCon Impact Feature Graduation ● Enhancement workflow ○ CNI ○ IPv6 ○ Dual-stack (IPv6/IPv6) ○ Virtual Machine Expansion ○ Multi cluster mesh ○ Helm v3 life-cycle management ● Evaluate current feature status
0 码力 | 17 pages | 633.89 KB | 1 year ago

Istio in Practice in Free Wheel Microservices
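Architecturally, Istio can be divided into 4 parts: • Istio Proxy: the foundation of the mesh • Network security: an implementation compatible with the Spiffe standard • Configuration management: brings k8s dynamic configuration management to the Proxy implemented in C++ • Attribute Machine: the foundation for authorization, Quota, Tracing and monitoring Microservices managed by Istio • The figure on the right shows what happens after the mock1.v1 Pod is deployed: • Sidecar Injection: injects initContainer
0 码力 | 31 pages | 4.21 MB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio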
Oracle, MySQL, etc. ○ Big data systems & Pipelines - Hadoop, Apache Spark, Apache Flink, etc. ○ Machine Learning Platforms - Tensorflow, PyTorch, Jupyter Notebook, etc. ○ Central Logging & Tracing - Prometheus
0 码力 | 22 pages | 505.96 KB | 1 year ago

Istio Security Assessment
with the versions of Istio relevant to this assessment. These steps assume a Ubuntu 18.04.4 LTS machine with minikube20 configured to use KVM, and Go installed. The latest Istio documentation for installing
0 码力 | 51 pages | 849.66 KB | 1 year ago