SberBank story: moving Istio from PoC to production
Igor Gustomyasov, Sber Maksim Chudnovskii, IBM Sber position across key areas Best client experience Technological leadership In financial services ExportTo tuning is required 1. Resource consumption 2. Resource Mounts (#15517) 4. Tests on the production-size environment aren’t a waste of time 1. Istio Discovery Restarts (#25495) 2. Proxy Probes (#26792) Discovery for OCP & Kubernetes • Multi-cluster Service Topology • Cloud-Native Event Hub • Full Support for VM-Based Workloads • UX Simplification CONTACT US Head of integration department Igor Gustomyasov
0 credits | 14 pages | 1.68 MB | 1 year ago

Istio Security Assessment
customizations to fit it into different environments, but it’s difficult to say which is a hardened, production-ready approach. Having a secured profile with an opinionated cluster configuration will help guide Route Hijacking 023 High Pilot Debug Interface Exposes Sensitive Information 002 Medium Default Production Profile Not Sufficiently Hardened 003 Medium Weak Hash Used for Integrity 009 Medium Go Trace between the control plane will be secure by default.”1 In the “Default” profile used to represent a production environment, the “controlPlaneAuthPolicy” is set to “NONE” instead of “mTLS”: mesh: |- ... defaultConfig:
0 credits | 51 pages | 849.66 KB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
meetings with the Istio team to discuss questions and issues that came out throughout the period of the audit. Found issues were reported as they came up which gave the Istio team time to triage and assess investigation that revealed a vulnerability in Golang itself. The finding was reported by the auditing team to the Istio maintainers, because Istio does not cap the size of requests made on an h2c connection managed Istio offering which has MultiplexHTTP configured. After issue 10 had been reported to the Istio team, Istio maintainer John Howard assessed Golang's recommended solution for capping H2c requests which
0 credits | 55 pages | 703.94 KB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
com/gracezhang1110, www.linkedin.com/in/gong-zhang-75560670/ Advisory Software Engineer of IBM Cloud Code Engine team focusing on Knative Serving and Istio, contributor of the Knative and Cloud Foundry community, maintainer Cloud Code Engine (Serverless platform), focusing on Knative, Istio, and Tekton, community, leading team to develop and offer serverless capabilities in IBM Cloud, which based on these Opensource technologies monitor and mount secrets under istio-system to ingress gateway which contains credentials for https support of multi tenants. • Knative has knative-ingress-gateway for external access and knative-local-gateway
0 credits | 23 pages | 2.51 MB | 1 year ago

Developing & Debugging WebAssembly Filters
Solo.io 3 | Copyright © 2020 Istio Adoption with Gloo Mesh Crawl Walk Run Fly Upstream Istio support (24 X 7) LTS (N – 3) FIPS, ARM Tech Advisory Developer portal API Gateway Security (EW) Observability in Production Cluster 1 Account User Cluster 2 Istiod Orders User AWS EKS Istiod Orders User Account Ingress Ingress Ingress Gloo Mesh Management Plane SRE / Platform Team Deploy Debug in Production 19 | Copyright © 2020 Build Store Deploy Debug Debug in Production Debug Logs Access Logs Metrics 20 | Copyright © 2020 Build Store Deploy Debug Debug in Production 21 |
0 credits | 22 pages | 2.22 MB | 1 year ago

IstioCon 2021 Report
CxO / Engineering manager / Tech Lead 43.8% of attendees were either evaluating Istio for production use, or have tried at least one example but haven’t used it seriously #IstioCon Most popular debugging, ● Istio Security, ● WebAssembly, ● Multi Cluster, ● Istio Roadmap and ● Istio in production. Participant feedback The majority of participants agree that they had enough information new users at the end of February 2021. Impact for the project Source: http://eng.istio.io/ The team (1/3) Organizer’s Committee Co-lead Aizhamal Nurmamat kyzy (Google) Co-lead María Cruz (Google)
0 credits | 18 pages | 912.89 KB | 1 year ago

IstioCon 2022 Report
were either evaluating Istio for production use, or have tried at least one example but haven’t used it seriously 19% of attendees are using Istio in production. #IstioCon Most popular sessions users during the month of April 2022. Impact for the project Source: http://eng.istio.io/ The team (1/3) Program Committee Co-lead Lin Sun (Solo.io) Co-lead Mitch Connor (Google) Member Neeraj Poddar (Intuit) The team (2/3) Organizer’s Committee Co-Lead María Cruz (Google) Co-Lead Sakhi Patel (Google) Member Rose Sawvel (Solo.io) Member Alex Bush (Google) The team (3/3) Event Production (Software
0 credits | 20 pages | 2.44 MB | 1 year ago

Istio in a production environment
Experiences from running Istio in a k8s production environment Line Moseng @linemoseng Johnny Horvi Norwegian Labour and Welfare Administration 5,2 million nais.io github.com/nais CD CD metrics app apiVersion: "nais.io/v1alpha1" kind: "Application" metadata: name: app labels: team: pension spec: image: navikt/app:1 port: 8080 replicas: { min: 2, max: 4 } probes: { liveness:
0 credits | 42 pages | 3.45 MB | 1 year ago

IstioCon2023 Welcome Keynote
Join CNCF Istio has applied to become a CNCF project Release v1.0 Istio is ready for production Started Started by teams from Google and IBM 2017 2018 2022-04 2023 2022-09 Community Growth Read this quick explanation on how to report bugs, in code or in documentation. ● The Istio security team responds rapidly to vulnerability reports. Read how to submit an issue. Become a Contributor ● The Istio. ● You can access our trove of technical content and working documents by joining the istio-team-drive-access@ Google Group. ● Interested in helping with Chinese language documentation? Join the
0 credits | 14 pages | 1.31 MB | 1 year ago

宋净超: From Open-Source Istio to Enterprise-Grade Services: How to Adopt a Service Mesh in the Enterprise
Access Control (NGAC) ● Exclusively co-host annual zero trust multi-cloud conference Best in Class Team ● Creators of the service mesh Istio, gRPC, Apache SkyWalking, Zipkin from Google, Twitter, & VMWare Why not Istio OSS? ● Problems unsolved ○ Multi-cluster and VM (lower onboarding cost) ○ Enterprise team structure gap (Workspace, Tenants, etc) ○ UI&UX Background ● Leads to complexity and lack of operational Global control plane ○ Local control plane TSB Management Plane ● Front Envoy ● Multi Cluster support ● XCP Central -> XCP Edge TSB Control Plane ● VM integration ● XCP Edge ● Upstream Istio ●
0 credits | 30 pages | 4.79 MB | 5 months ago
33 results in total