Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
#IstioCon Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio Sudheendra Murthy #IstioCon Agenda ● Introduction ● Applications Deployment ● Service Mesh Journey Access Point Spec ● Capture Traffic Management & Routing intent as “Access Point” Specs ○ Leverage Istio object model: Gateway, VirtualService, DestinationRules, etc. apiVersion: apps.cloud.io/v1 kind: gateways: - apiVersion: networking.istio.io/v1beta1 kind: Gateway spec: ... virtualServices: - apiVersion: networking.istio.io/v1beta1 kind: VirtualService
0 points | 22 pages | 505.96 KB | 1 year ago | 3

Accelerate Istio-CNI with ebpf
#IstioCon Accelerate Istio-CNI with ebpf Xu Yizhou & Guo Ruijing #IstioCon Agenda ● Istio-CNI ● tcp/ip stack overhead between sidecar and service ● Background knowledge of ebpf ● Acceleration for Inbound/Outbound/Envoy to Envoy #IstioCon Istio-CNI ● The Istio CNI plugin performs the Istio mesh pod traffic redirection in the Kubernetes pod life-cycle’s network setup phase, ● Removing and NET_RAW capabilities for users deploying pods into the Istio mesh. ● The Istio CNI plugin replaces the functionality provided by the istio-init container. #IstioCon Tcp/ip stack overhead between
0 points | 15 pages | 658.90 KB | 1 year ago | 3

Istio 2021 Roadmap A heartwarming work of staggering predictability
#IstioCon Istio 2021 Roadmap A heartwarming work of staggering predictability Neeraj Poddar (Co-founder & Chief Architect, Aspen Mesh) Louis Ryan (Principal Engineer, Google) #IstioCon Highlights expansion/Multi cluster mesh https://istio.io/latest/blog/2020/tradewinds-2020/ #IstioCon Impact on users https://thenewstack.io/when-service-meshes-can-emerge-from-envoy-istio-shadows/ #IstioCon Listening #IstioCon Listening to our users ... UX Working Group - Upgrade Survey 2020 #IstioCon Theme for Istio 2021 #IstioCon Day 2 operations https://dzone.com/articles/defining-day-2-operations #IstioCon
0 points | 17 pages | 633.89 KB | 1 year ago | 3

f5a Istio Adoption Cash App
app/careers tetrate.io/careers Internal Presentation THE END Internal Presentation Understanding Istio Internal Presentation Cash App EKS -> Cash App EKS Internal Presentation Cash App EKS -> Square
0 points | 15 pages | 2.20 MB | 1 year ago | 3

Apache APISIX from Gateway to Full Traffic Proxy with Istio
#IstioCon Apache APISIX from Gateway to Full Traffic Proxy with Istio Jintao Zhang API7.ai #IstioCon About Me ● Apache APISIX PMC ● Kubernetes Ingress NGINX maintainer ● Microsoft MVP ● zhangjintao@apache com/tao12345666333 #IstioCon Agenda ● What is Apache APISIX ● Why use Apache APISIX as the data plane for Istio ● How to implement it ● The future #IstioCon What is Apache APISIX #IstioCon Apache APISIX ● https://github.com/apache/apisix-ingress-controller/ #IstioCon Why use Apache APISIX as the data plane for Istio #IstioCon Easy to use The concepts in APISIX are few and simple. You can quickly get started with
0 points | 15 pages | 1.29 MB | 5 months ago | 0.03

Is Your Virtual Machine Really Ready-to-go with Istio?
Virtual Machine Really Ready-to-go with Istio? Kailun Qin, Intel Haoyuan Ge #IstioCon Quick Summary (from Google Cloud Next ’19 [1]) VM works on Istio! [1] Istio Service Mesh for VM Native, Chris Crall environments ● Observability ○ See VM metrics alongside containers ● Extensibility #IstioCon Why Should Istio Support VMs ● ≈ Why VMs? ○ Technical reasons ■ Better known security controls ■ Better isolation reasons ■ Legacy applications ■ Deterministic workloads with strong requirements ● For Istio ○ What is Istio? A service mesh. But more: an open service platform! ○ More use cases! ○ (Consul, Kuma…)
0 points | 50 pages | 2.19 MB | 1 year ago | 3

Using Istio to Build the Next 5G Platform
Using Istio to Build the Next 5G Platform David Lenrow Open Source Service Mesh Evangelist Neeraj Poddar Co-founder & Chief Architect, Aspen Mesh February 22, 2021 2 ©2021 Aspen Mesh. All rights reserved https://medium.com/5g-nr/5g-service-based-architecture-sba-47900b0ded0a 5G Architecture with Istio 7 ©2021 Aspen Mesh. All rights reserved. Visibility, Observability, Debugging Uniform metrics mTLS Autonomous PKI service for certificate lifecycle management at scale What Do You Get From Istio? Traffic Management Powerful Layer 7 (HTTP/2) routing 8 ©2021 Aspen Mesh. All rights reserved
0 points | 18 pages | 3.79 MB | 1 year ago | 3

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio 张龚, Gong Zhang, IBM China Development Lab 庄宇, Yu Zhuang, IBM China Development Lab #IstioCon Speakers Knative Serving and Istio, contributor of the Knative and Cloud Foundry community, maintainer of a Knative benchmarking tool called kperf, speaker of Open Source Summit China 2019 about Istio integration with Engineer in IBM Cloud. Working on IBM Cloud Code Engine (Serverless platform), focusing on Knative, Istio, and Tekton, community, leading team to develop and offer serverless capabilities in IBM Cloud,
0 points | 23 pages | 2.51 MB | 1 year ago | 3

Service mesh security best practices: from implementation to verification
practices: from implementation to verification Who are we? Anthony Roman Istio Github: anthony-roman Lei Tang Istio Github: lei-tang Session agenda 1. Service mesh security architecture and vectors. ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster Edge Operations Identity K8s RBAC K8s CNI AuthZ Policy Peer AuthN Policy KMS Control Plane Hardening Istio Security Releases Complete Security Coverage Consistency Depth Visibility Completeness Service
0 points | 29 pages | 1.77 MB | 1 year ago | 3

Redis TLS Origination through the sidecar
Twitter: samosx | GitHub: samos123 Based on blog post: https://samos-it.com/posts/securing-redis-istio-tls-origniation-termination.html What are we solving? Architecture: K8s app using Redis over TLS into Redis traffic Istio TLS Origination Architecture: K8s app using Redis over TLS only (TLS origination) app-1 Namespace ms-1 K8s Pod External DB container app container istio-proxy TCP TLS ● ● app talks unencrypted TCP to Redis ● Sidecar istio-proxy encrypts the Redis traffic and sends to external redis ● App doesn’t need to configure certs ● Traffic becomes more “visible” How traffic
0 points | 9 pages | 457.76 KB | 1 year ago | 3