Cloud Native Computing Foundation / ServiceMeshCon NA 2022

These are all the meetings we have in "ServiceMeshCon NA 2022" (part of the organization "Cloud Native Computi…"). Click into individual meeting pages to watch the recording and search or read the transcript.

3 Nov 2022

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Hands-on Workshop: A Guided Tour of Istio Ambient Mesh Workshop - Christian Posta & Ram Vennam, Solo.io; Christine Kim & Nim Jayawardena, Google

You will be given a quick fly-over of what challenges service mesh solves, existing sidecar architecture and the new Istio sidecarless approach, why you should pay attention to it and when you should use it to help reduce operation complexity and overhead with sidecars. We will dive into how Istio ambient mesh works, how to get started with your existing Kubernetes or VM workloads without any change, and migrate existing sidecar workloads to ambient mesh through interactive hands-on labs.
  • 3 participants
  • 50 minutes

1 Nov 2022

A Packet Eye View of the Istio Ambient Mesh - Justin Pettit, Google & Lin Sun, Solo.io

While service mesh has been widely adopted in production, many enterprise users have expressed concerns about the intrusive nature of the sidecar pattern, such as breaking certain applications, requiring disruptive upgrades due to CVEs, and often reserving large amounts of unnecessary resources. This talk explores how service meshes can require zero change to the application with a new sidecarless architecture while still providing the common service mesh functions such as security, observability, traffic management, and resiliency. Justin and Lin have worked closely with the Istio maintainers on defining the new Istio mesh sidecarless architecture. We will discuss the new architecture from the packet eye view through live demos and an architectural deep dive, along with how it can interact with workloads using traditional sidecars. You’ll walk away with instructions on how to try this new architecture from Istio on your own!
  • 7 participants
  • 40 minutes

1 Nov 2022

Building Multi-Cloud Service Meshes at Snowflake - Charles Xu, Snowflake

Snowflake (NYSE: SNOW) products are multi-cloud. So is its infrastructure. Multi-cloud is hard because of cloud-specific primitives and cross-cloud feature disparity, but at Snowflake, we do it with hundreds of Kubernetes (k8s) clusters and millions of non-k8s VMs. This talk discusses the challenges we faced and the lessons learned. Some topics include:
- How service mesh is critical in cloud-agnostic architectures
- Our use cases of HTTP, mTLS, and TCP ingress, and the surprises with persistent TCP connections
- Autoscaling ingress gateways while preserving source IP address at Layer 3
- Blue-green upgrades of the control plane and gateways: why traffic shifting by DNS updates is bad, and how we do it without DNS and in a cloud-agnostic way
- Open questions with multi-cloud that service mesh could not solve
  • 4 participants
  • 25 minutes

1 Nov 2022

Building a Scalable, Compliant, Multi-Cloud Bank with a Service Mesh - Kasper Nissen, Lunar

Kasper Nissen, Lead Platform Architect at Lunar, will share how Lunar built a scalable, multi-cloud bank with cloud native tech, allowing for rapid product iteration while simplifying compliance with strict regulatory requirements. The flexible technical setup also allows them to rapidly absorb newly acquired startups, ensuring they start generating value for the bank quickly. Lunar started by centralizing its log and release management tooling in a single cluster connected to multiple Kubernetes clusters across GCP, Azure, and AWS — all connected through a service mesh. This allowed them to remove state and complexity from edge clusters and manage infra services centrally while exposing these central services to edge clusters. This transformation is part of a strategy to treat the platform as a product and provide the same set of platform features across cloud providers. Attendees will learn how Lunar implemented multi-cluster communication across clouds and how it all fits together with GitOps as a multi-cloud management layer to comply with regulations on the audit trail of all changes, following the principles of least privilege, and the ability to perform cluster failovers.
  • 6 participants
  • 30 minutes

1 Nov 2022

Closing Remarks - Vik Gamov, ServiceMeshCon Program Committee
  • 1 participant
  • 4 minutes

1 Nov 2022

Delivery Done Right with Service Mesh - Brandon Barrow, Shipt & Nick Nellis, Solo.io

Shipt is a personal shopping and delivery company that connects retailers with local customers for everyday essentials brought right to the door. And our service mesh now sparks the connections that show why every microservice is just as valuable. From grass-roots movement to production, our mesh implementation solved problems around ingress, security, multi-tenancy, and multi-cluster operations at scale. Join us as we delve into our challenges and successes, all to help spark ideas for your implementation.
  • 5 participants
  • 30 minutes

1 Nov 2022

How Many Proxies Do You Need? - Liz Rice & Thomas Graf, Isovalent

To provide app-level network functionality like L7 load balancing and TLS termination, Service Meshes use a proxy component that terminates L7 connections on behalf of applications. Traditionally the proxy has been co-located in each application pod as a sidecar container, but Cilium Service Mesh changed this with the innovation of sidecarless service mesh. Istio have also now adopted a sidecarless approach that was recently announced as Istio Ambient Mesh.

But “sidecarless” doesn’t mean “proxyless”! It’s a question of where you deploy the proxies, and how you create the relationship between apps and proxies. In this talk we’ll explore the pros and cons of different models, and explain where eBPF makes a difference (and where it doesn’t), not only in network performance but also in providing observability and security capabilities.
  • 7 participants
  • 34 minutes

1 Nov 2022

Keynote: The Next Big Things for Istio - Idit Levine, Founder + CEO, Solo.io

After 6 years, most open source projects are focusing more on stability than innovation. But as more companies deploy Istio at scale, the need for new innovation is accelerating. In particular, the data plane, proxy modularity, security, and observability are all areas with rich new innovations that will make it easier to operate, lower cost, and improve application performance. This keynote will highlight why Istio is the future of service mesh.
  • 2 participants
  • 14 minutes

1 Nov 2022

Lightning Talk: Domain-Oriented Microservice Architecture with Kuma - Mike Beaumont, Kong Inc

Microservice and service mesh architectures bring big benefits along with significant architectural complexity. A single call to one service can fan out to countless other microservices in a homogenous mesh, making debugging a Herculean task. Without cautious architecture an organization can end up with a "distributed monolith". One strategy to avoid this is the domain-oriented service architecture. A DOA applies the ideas of domain-driven design to a distributed system. Services are grouped into domains and domains communicate over gateways. Kuma (CNCF Sandbox project) has recently introduced first class support for a DOA architecture with its gateway feature. The new MeshGateway API features logical service level domain isolation and enforcement of cross domain routing and control policies. This talk illustrates how to achieve a domain-oriented architecture in a microservice platform with the power of Kuma's MeshGateway.
  • 1 participant
  • 11 minutes

1 Nov 2022

Lightning Talk: Make Way for the Gateway - Christine Kim, Google

The Kubernetes Gateway API has graduated to beta! As the successor to the Ingress API, the Gateway API has been created with the goal of having the superset of abilities previously provided - with more. The legacy ingress in Kubernetes has been limiting in the past, so what does this mean for someone who has grown comfortable using Istio’s Ingress? Will you have to learn something new again? Have no fear - we’ll go through a quick rundown of the similarities and differences of Istio’s Ingress Gateway and the new Gateway API, and see a simple demo on how to use the Gateway API. We’ll mainly focus on the 3 main APIs (GatewayClass, Gateway, HTTPRoute), and see how the setup enables role-oriented behavior and works towards better DevOps practices.
  • 1 participant
  • 10 minutes

1 Nov 2022

Lightning Talk: Writing Service Mesh Control Planes in Rust - Eliza Weisman, Buoyant, Inc

In this session, Linkerd maintainer Eliza Weisman will discuss the Linkerd team's experience using Rust, why they chose it for their data plane, and, most recently, how Linkerd has extended the use of Rust into the control plane as well. The Rust programming language has rapidly grown in popularity. It offers several features that help write reliable, fault-tolerant, and efficient software — all desirable properties for a Kubernetes controller. Linkerd, the graduated CNCF service mesh, has been using Rust for its data plane proxies since the release of Linkerd 2 in 2018. The data plane has to be as fast and secure as possible, so Rust was a natural choice. However, like much of the Kubernetes ecosystem, the Linkerd control plane — which manages the behavior of the data plane — has generally been implemented in Go. Linkerd 2.11 introduced the new policy controller, Linkerd's first control plane component implemented in Rust. Join this session as Eliza shares the team's challenges, benefits, and lessons learned using Rust.
  • 2 participants
  • 12 minutes

1 Nov 2022

Lightning Talk: Your Wish Is Our Command: Declarative Certificate Management in a Service Mesh - Jackie Elliott, Microsoft

Certificate management is hard. Integrating your certificate management systems with your service mesh is even harder. The ability to rotate certificate authorities and make dynamic updates to certificate settings is critical to providing a production-ready service mesh. However, performing these updates and rotations is often a manual and error-prone process that can result in significant disruption to business operations. In this session Jackie will walk you through an approach to solving this problem: a custom resource designed to declaratively manage certificate configuration for the mesh. You will leave this talk with a strong grasp of what can go wrong and how to coordinate all of the moving parts of managing certificates in a service mesh.
  • 2 participants
  • 10 minutes

1 Nov 2022

Panel Discussion: Service Mesh Maturity: Are We There Yet? - Mitch Connors & John Howard, Google; William Morgan, Buoyant; Nitya Dhanushkodi, HashiCorp & Keith Mattix, Microsoft

This panel will bring together perspectives from contributors to four major service mesh projects on recent developments in the Service Mesh Landscape. Topics will include: The Gateway API (it's a real GAMMA changer), How Not To Use Service Mesh (2022 edition), and What is a Service Mesh (reprised from 2019).
  • 5 participants
  • 41 minutes

1 Nov 2022

Sidecarless Mesh Monitoring with eBPF and Grafana - Adam Sayah, Solo.io

Service mesh technologies were invented to fill the gap created in the microservice world, especially when it comes to security and monitoring. Usually using a sidecar, a service mesh will inject metrics that can be gathered and rendered using the Prometheus and Grafana stack, but the growing discussion around sidecarless service meshes and eBPF invites us to ask the following question: what are the pros and cons of a sidecarless monitoring stack in comparison to a sidecar approach? In this talk we will explore this subject in detail:
- We will look into eBPF and the possibilities offered by this technology.
- We will compare eBPF-based monitoring to Envoy-based technologies.
- And finally, we will try to answer an important question: can eBPF metrics and Envoy metrics coexist, and if so, how to render meaningful dashboards using Grafana.
  • 3 participants
  • 35 minutes

1 Nov 2022

Stretching CNI Boundaries with Service Meshes, a Roadmap for the Future - Alex Leong, Buoyant

Container Network Interface (CNI) plugins such as Calico or Cilium are typically used to provide container network connectivity and network policy. However, service meshes such as Linkerd and Istio also use CNI plugins to configure the networking rules that allow their sidecar proxies to intercept incoming and outgoing traffic. This means that it is increasingly common to have more than one CNI plugin installed at a time, which can lead to race conditions where the CNI plugins overwrite each other's configuration. In this talk, Alex Leong will demonstrate how to detect and resolve these problems and suggest a set of best practices for CNI plugins to ensure compatibility with other plugins. She'll also explore some potential changes to the CNI plugin specification, which could solve these problems at a structural level.
  • 3 participants
  • 25 minutes

1 Nov 2022

Welcome + Opening Remarks - Lin Sun & Nic Jackson, ServiceMeshCon Program Committee
  • 2 participants
  • 10 minutes

28 Oct 2022

Hands-on Workshop: Zero Trust Networking in Practice with a Service Mesh Workshop - Jason Morgan, Buoyant & Ashley Davis, Jetstack

In this hands-on workshop, participants will learn the basics of adopting a zero-trust approach to Kubernetes network security using a service mesh. Topics will include encryption, authentication, and authorization of traffic within the cluster; PKI considerations and setup for in-cluster and cross-cluster mutual TLS; applying deny-by-default / principle of least privilege approaches to authorization; the relationship between zero-trust and perimeter security; and more. Participants will learn the elements of overall Kubernetes security that must be in place before a service mesh can be effective, including a basic threat model for Kubernetes clusters as a whole. This workshop will use Linkerd, cert-manager, and Kyverno, but the techniques will be applicable to many different projects.
  • 3 participants
  • 1:12 hours