Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
Google Cloud Sponsored Session - Istio Adoption Journeys - Sean Suchter, Google
A lightning talk about what customer problems prompt Istio adoption. Specific examples of pain points will be explained, along with what solutions are available from Istio and how (and when) they can be achieved.
A
All right, hi, I'm Sean Suchter. I'm the director of engineering for Istio at Google. I'm gonna talk about Istio adoption journeys, if this will go. Do it. So folks here, of course, know what Istio is. We were pleased to see that it's the, happens to be the number four fastest growing GitHub project according to GitHub, so we thought that was cool.
A
How do I make this easier? It's IR, not RF. Yeah, we'll see. So I'm not gonna do a tech talk in five minutes. Instead, I am gonna talk about some typical ways that people adopt Istio through a series of unfortunate events. So here we go. So, start: February. Your pager goes off, some service is throwing errors. What do you do? So you start looking at what changed recently. You start looking at all the logs. You generally start poking around to try to find the root cause of your complex set of services
A
that make up everything that's in production. Wouldn't it be nice if you, something could just show you what's failing, right? So, of course, this is, you know, exactly one of the things that Istio lets you do, right? You can see exactly what in your infrastructure is throwing the error. Here is an example dashboard, shows you where the errors are.
A
You can actually set SLOs and, you know, get things to page you when there's a problem right here, not overall. There's a bunch of deployments. I'm not gonna call them out, but there's lots of different people who use this stuff. The next month, the CSO comes to you and says: "I've heard that we don't just need to have a hard outer shell. We actually need defense-in-depth, and we need to encrypt everything."
A
Well, I guess we're gonna have to look at every single app and see if any of them are sending any unencrypted traffic. Well, no, we can do a little better than that. Of course, Istio supports mTLS. We can encrypt traffic from every single app, whether they use HTTP, HTTPS, gRPC, TCP, you know, whatever you can't imagine. CSO loves that, but then they come back the next month and they say, "Well, I, that sounds great, but I've actually heard that that's only as good as your certificates. How do you actually pay attention?"
A
So that's all good, and your developers are great at security. The developer comes and says, "But maybe I shouldn't have put /admin on the public Internet. Can we do something about that?" No problem, let's block that at ingress. So you can actually do RBAC, role-based access control, and you can do rules on lots of different things: namespace, services, and actually methods like /admin.
A
You can do, you know, you have role-based semantics. These can actually be very flexible. You can do things like, hey, let's block things or let's allow things based on, you know, custom headers. You can actually, and because this is done inside the Envoys and doesn't have extra calls, it's actually very high performance.
A
So then June comes around and, you know, it's not your developers. They have a problem with somebody else's developers, because there's a new CVE, so we need to protect against that. You know, well, instead of having to run around and see whether every single app is vulnerable, all we need to do is just insert a, you know, block up there. You know, at the Istio layer we can, you know, block this instantly. Sounds good. So you can do, you know, we've done these kinds of advanced filters.
A
We've done this for path traversal attacks, injection attacks, and you can actually write custom things to do advanced blocking rules that, we've actually used this internally as well. And you get to go on vacation for one month and nothing goes wrong. Hold on. So you come back and the East Coast data center went down, and the CIO is now on your case saying, "We cannot be in just one data center. We need actual redundancy." And so Istio supports multi-cluster, where you can have, you know, multiple different clusters, different geographies, other reasons.
A
In this example, you can see that we've got, you know, one, you know, the front end is talking to, it thinks, the back end, but the back end is split between multiple data centers. Of course, it could be completely remote. The front end doesn't care. You, of course, get all of the strong security policy and control. So, you know, you could actually send if you wanted to eat them. You need a VPN to your other data center because it's encrypted over the wire and it's protected via strong rotated certificates.
A
Everything that I was talking about, I kind of talked about from the perspective of containers, but your brownfield operator says, "That all sounded great. I'd like to get that on my VMs." And it turns out, of course, you can do all of this. Everything that I just said, you can do on VMs as well. It's all, it's pretty much all the same. Get an Envoy in your VM, you get all the benefits that we just talked about. So now,
A
This is, this is your developer, and he is ready to deploy the new version of his application, and "Trust me, it's fine! It compiles." So let's be a little careful about how we deploy it. So, of course, you can do canary deployments. We just had a whole nice talk about that. You know, where you have a, you know, traffic split, and you can have the, hey, the new v2, you know, and, you know, direct a small amount of traffic to that. There's, you know, lots of different modes for this.
A
The last, you know, one. Now you're, we're getting really advanced. Our production has gotten really complex. Now we have, you know, hundreds of services all running. We're starting to give it, you know, the CSO is starting a little worried about the complexity. You know, we're getting containers from outside vendors. We'd like to get, you know, some advanced, you know, intrusion detection going on. Let's buy one of those Palo Alto Networks firewalls and ship that to AWS or GCE, GCP, and have them install it. Wait, they don't take custom hardware. But we noticed that
A
there's this, you know, Palo Alto Networks says they have this Istio integration. What's that about? So we actually feel like the, a big opportunity in service mesh, Istio, is to have this ecosystem of different vendors that will allow powerful network-level integrations. So last year we actually at Google started this integration with Wasm to our incredibly high performance.
A
You can have multi-language code embedded right in the Envoy to do, you know, microsecond-level checks on things and potentially modifications. So I'm going to talk a teeny bit, like three slides, about, you know, Istio in general, its direction. This is a quote from Larry Wall. I like it: "Easy things should be easy. Hard things should be possible."
A
So we're working on it. Like, I'm not gonna go through all of these. These are features from 1.3 and 1.4. 1.4 got released last week, 1.3 was last quarter. But I'm going to talk about why. The first one was an ease-of-use feature. The second one was an ease-of-use feature. The third one was an ease-of-use feature. I think you're probably getting the idea. The ease-of-use feature, and the fourth one, ease-of-use feature. Oh, and it also improved performance. So if you, you know, this is my last thing.