Is Your Virtual Machine Really Ready-to-go with Istio?
#IstioCon Is Your Virtual Machine Really Ready-to-go with Istio? Kailun Qin, Intel Haoyuan Ge #IstioCon Quick Summary (from Google Cloud Next ’19 [1]) VM works on Istio! [1] Istio Service Mesh Jianfei Hu, Google Cloud Next ‘19 #IstioCon Why Add VMs to the Mesh? ● = Why Service Mesh? ○ More services = more complexity ○ Need consistent policy enforcement ○ Need consistent metrics aggregation ● Traffic management ○ Load balancing for VMs, failover, A/B testing, modern rollouts for VM services ● Security ○ Enforce the same policies in the same way, across compute environments ● Observability
0 码力 | 50 pages | 2.19 MB | 1 year ago | 3

Using Istio to Build the Next 5G Platform
Aspen Mesh. All rights reserved. How to Make Legacy NFs Talk to CNFs in the Mesh UDM Virtual Machine Namespace SMF SMF Frontend UDM Egress Gateway Redis DB SMF App X certificates at gateways Learnings Along the Way 14 ©2021 Aspen Mesh. All rights reserved. ● 4G to 5G translation (Protocols like Diameter, SCTP, GTP) ● High speed data path (SR-IOV/DPDK) ● Customizing workload
0 码力 | 18 pages | 3.79 MB | 1 year ago | 3

Building resilient systems inside the mesh: abstraction and automation of Virtual Service generation
the mesh: abstraction and automation of Virtual Service generation Vladimir Georgiev, Thought Machine #IstioCon Sync calls failures inside the mesh ● Everyone says to fail fast and retry quickly, this to be language agnostic? #IstioCon Virtual Services API ● Solves our problems, but… ● All Service Owners must be aware of the Virtual Services API in order to define their SLOs. ● Potential typing having hundreds of services. #IstioCon Abstracting to proto files Annotations API definition Greeting service example #IstioCon Please Build System ● https://github.com/thought-machine/please ● Uses
0 码力 | 9 pages | 1.04 MB | 1 year ago | 3

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
ranging from ○ API services, Search Engine, etc. ○ Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems & Pipelines - Hadoop, Apache Spark, Apache Flink, etc. ○ Machine Learning Platforms an AZ ○ Each K8s cluster ~ 200 - 5,000 nodes ○ Up to 100,000 Pods in a cluster ○ 10,000+ K8s services - including prod, pre-prod, staging, etc. ● Applications deployment for HA ○ In all regions Hosts global services - Global IPAM, Access-control Policy store, etc. ● AZ Control Plane ○ Syncs specs to workload K8s clusters in the AZ ○ Shared-Nothing Architecture ■ Hosts services catering to
0 码力 | 22 pages | 505.96 KB | 1 year ago | 3

Istio Security Assessment
discovery. • Istio Ingress/Egress: Networking controls allowing inbound and outbound access of Istio services. • Istio Envoy Usage: The configuration and implementation of Envoy within Istio (NOTE: Envoy assessment). • Istio Control Plane: Istio operator, sidecar injector, and other Istio control plane services • Istio Documentation: The documentation and security guides hosted on istio.io. NCC Group started either by the controlPlaneSecurity configuration directive or other means. This left all default services exposed within the cluster. • The default istio profile that is labeled for production lacks
0 码力 | 51 pages | 849.66 KB | 1 year ago | 3

Istio audit report - ADA Logics - 2023-01-30 - v1.0
two components: The controlplane and the dataplane. The data plane handles the connection between services and forms a series of proxies deployed as sidecars. The proxies consist of Envoy proxies and an mode is enabled. As stated by the crypto/tls documentation: “In this mode, TLS is susceptible to machine-in-the-middle attacks unless custom verification is used. This should be used only for testing or http request that would be passed into httputil.DumpRequest() which could exhaust memory of the machine. The following demonstrates the issue: 1 package main 48 Istio Security Audit, 2023 2 3 4 5
0 码力 | 55 pages | 703.94 KB | 1 year ago | 3

Istio is a long wild river: how to navigate it safely
First release in production Feb 2021 ~25% production services ~50% development services migrated to Istio End of 2021 100% services migrated to Istio 8 Features currently used: ● HTTP/2 Stabilizing Istio The reality: ● The control plane is burning down when pushing your thousand services updates to the hundreds of proxies running ● Proxies are OOM Killed every X minutes since they Istiod average CPU usage 37 The Sidecar CRD to save the mesh Stabilizing Istio Main drawback Services must know their dependencies, document and update them. If this wasn’t the case before, Istio
0 码力 | 69 pages | 1.58 MB | 1 year ago | 3

Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
#rollbacks, MTTR, #bugs-in-production, Reduced eng effort for testing, velocity) – Early testing of services components auto-generated from end-to-end tests – Significantly reduced time and cost for API testing Testing E2E API Tests Engineering effort grows superlinearly as #APIs grow Customer services Order services Catalog Customer history … Order details Payments Audit Search Suggest … Order service in isolation. All producer services are mocked. 4 Terminology Component testing Test a set of services as a single sub-system while isolating them from other services, for example payment processing
0 码力 | 21 pages | 1.09 MB | 1 year ago | 3

Secure your microservices with istio step by step
in mesh traffic ● Summary #IstioCon Istio Architecture Connect, secure, control, and observe services. #IstioCon Security Architecture #IstioCon Bookinfo architecture without service mesh ● Reviews-v1 calls ratings, black stars ● Reviews-v3 ○ calls ratings, red stars Initializing services 1) Deploy bookinfo services with istio sidecar without reviews-v2 2) Deploy bookinfo gateway 3) Deploy reviews-v2 kubectl label namespace default istio-injection=disabled/enabled ) Initializing services 1) Deploy bookinfo services with istio sidecar without reviews-v2 2) Deploy bookinfo gateway 3) Deploy reviews-v2
0 码力 | 34 pages | 67.93 MB | 1 year ago | 3

SberBank story: moving Istio from PoC to production
Best client experience Technological leadership In financial services 98+ mn retail clients 2.7 mn corporates The leader in digital services and sales New IT Platform Reliability 99.99% 0 losses, 0 standalone, RAS As of December 1, 2020 In non-financial services by 2023 10+ mn SberPrime subscribers ~500+ bn RUB e-commerce GMV In financial services Market shares in Russia, % 32.2 42.3 23.5 44.9 1.0 Make It Simple Event Hub DBs SERVICE MESH Istio Ingress Istio Egress Other External Services Tracing Store Logging Store LB January 2019 PROD PoC March 2020 Innovation trigger Peak
0 码力 | 14 pages | 1.68 MB | 1 year ago | 3
28 results in total