Apache APISIX from Gateway to Full Traffic Proxy with Istio
#IstioCon Apache APISIX from Gateway to Full Traffic Proxy with Istio Jintao Zhang API7.ai #IstioCon About Me ● Apache APISIX PMC ● Kubernetes Ingress NGINX maintainer ● Microsoft MVP ● zhangjintao@apache https://github.com/api7/amesh #IstioCon How to use it Change the injection-template: ● proxy_init ● proxy Ref: https://github.com/api7/amesh/blob/main/docs/en/demo.md #IstioCon The future ● Donate
0 points | 15 pages | 1.29 MB | 5 months ago

DBeaver Ultimate User Guide v24.2.ea
settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration Kubernetes configuration User Guide Table of contents Configure connection Network database requires a secure connection. SSH tunnel SOCKS Proxy Set up a SOCKS proxy if you need to route the connection through a specific proxy server. SSL Configuration Enable and if your connection 1171. External resources access How to configure a proxy for drivers download How to configure network for license activation How to configure a proxy for external databases access Sometimes DBeaver needs
0 points | 1171 pages | 94.65 MB | 1 year ago

DBeaver User Guide v24.2.ea
settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration User Guide Table of contents Configure connection Network configuration settings database requires a secure connection. SSH tunnel SOCKS Proxy Set up a SOCKS proxy if you need to route the connection through a specific proxy server. SSL Configuration Enable and if your connection 1171. External resources access How to configure a proxy for drivers download How to configure network for license activation How to configure a proxy for external databases access Sometimes DBeaver needs
0 points | 1171 pages | 94.79 MB | 1 year ago

DBeaver Lite User Guide v24.2.ea
settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration Kubernetes configuration User Guide Table of contents Configure connection Network database requires a secure connection. SSH tunnel SOCKS Proxy Set up a SOCKS proxy if you need to route the connection through a specific proxy server. SSL Configuration Enable and if your connection 1010. External resources access How to configure a proxy for drivers download How to configure network for license activation How to configure a proxy for external databases access Sometimes DBeaver needs
0 points | 1010 pages | 79.48 MB | 1 year ago

Django CMS 3.11.10 Documentation
optional attribute gives the system a unique way to refer to the apphook. It is used to create a reverse mapping for the URL’s namespace. name is a human-readable name, and will be displayed to the user include('polls.urls', namespace='polls')) URL namespace 'polls' isn't unique. You may not be able to reverse all URLs in this namespace. Now we need to create a new page, and attach the Polls application add_modal_item(). Add the new code to the end of the populate() method: from cms.utils.urlutils import admin_reverse [...] class PollToolbar(CMSToolbar): def populate(self): menu = self.toolbar.get_o
0 points | 493 pages | 1.44 MB | 6 months ago

Service mesh security best practices: from implementation to verification
Workload security Operation security Mesh security Edge Security Cluster security Service Proxy Ingress 1. Define ingress security policies to control accesses to services. Deploy web application external access. Edge security best practices Cluster security Access control Service Proxy Ingress Token exchange 1. Istio authentication and authorization policies for every automatically validate policy exceptions are as expected. Gatekeeper Service 1 Proxy Service 2 Proxy Namespace foo Istio authn & authz policies Namespace bar 2. Enforce k8s RBAC policies:
0 points | 29 pages | 1.77 MB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
Kube DNS (exposed by ILB) 3. Obtain the Cluster IP resolved 4. Traffic intercepted by the sidecar proxy 5. xDS ■ Traffic forwarded to ingress in the mesh ● Traffic flow (Container -> VM) 1. Manual ○ a collection of non-K8s workloads ○ metadata and identity for bootstrap ○ mimic the sidecar proxy injection ○ automate VM registration ○ health/readiness check #IstioCon V1.7 VM Support with Added using a short-lived K8s service account token ● Automatic certificate rotation ● Validation of the proxy’s status for VM-based workloads #IstioCon V1.8 VM Auto Registration ● Experimental ● Auto-scaling
0 points | 50 pages | 2.19 MB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
Services #IstioCon Istio scalability optimization during Knative Service provisioning o istioctl proxy-config shows missing endpoint in some of the ingress gateway and recover automatically after ~30mins for Istiod to discover the endpoint of ready pods and then push them to the sidecar. o Istio-proxy (envoy) sidecar costs ~2 seconds for Knative application pod cold start. Unleash maximum scalability tio- Performance ● Debugging Envoy and Istiod https://istio.io/latest/docs/ops/diagnostic-tools/proxy-cmd/ ● Pilot agent config https://istio.io/latest/docs/reference/commands/pilot-agent/ ● Istio
0 points | 23 pages | 2.51 MB | 1 year ago

Redis TLS Origination through the sidecar
ms-1 K8s Pod External DB container app container istio-proxy TCP TLS ● app talks unencrypted TCP to Redis ● Sidecar istio-proxy encrypts the Redis traffic and sends to external redis ● App
0 points | 9 pages | 457.76 KB | 1 year ago

Using Istio to Build the Next 5G Platform
surface 5G specific tags ● Optimize HTTP/2 stream and connection settings ● Configure sidecar proxy concurrency Tuning Istio to Meet 5G Requirements 13 ©2021 Aspen Mesh. All rights reserved. ● certificate TTLs ● RSA to ECC migration ● Missing www-authenticate header ● Tuning per-workload proxy concurrency ● Consuming Istio generated certificates at gateways Learnings Along the Way 14 ©2021
0 points | 18 pages | 3.79 MB | 1 year ago
15 results in total