Cloud Native Computing Foundation / ServiceMeshCon North America 2020

These are all the meetings we have in "ServiceMeshCon North…" (part of the organization "Cloud Native Computi…"). Click into individual meeting pages to watch the recording and search or read the transcript.

4 Dec 2020

Confident Canary Deployment to Production With Istio - Raju Dawadi, Oyster

The session covers the production use case of Oyster Financial using the Istio service mesh for handling traffic. Testing in a non-production environment and then rolling out to live users was not effective for a fintech product where usage is critical. Also, due to inconsistency in third parties, there was a need to test traffic in the live environment for internal users, for selected or all services. Istio's features for routing traffic based on headers and for percentage rollout were used effectively, which has made deployment to Prod0 seamless. Measuring performance and running real use case tests of the newer version also helped in providing a good end-user experience for an evolving fintech startup in Mexico. But the management complexity rises when the number of services increases and there are too many configs to be managed. The combination with Helm helped a lot throughout the process.
  • 1 participant
  • 11 minutes
services
startups
deployment
backend
balancer
secure
devops
staging
gateways
docker

4 Dec 2020

How the DoD Use Istio for End-to-End Encryption and Authentication - Zack Butcher, Tetrate & Jeff McCoy, Platform One

Security remains one of the primary drivers behind service mesh adoption today. We’ll describe why and how Platform One is using a service mesh - Istio - to provide both encryption in transit as well as end-user authentication via SSO for applications across the Department of Defense. We’ll dig into the practical challenges involved in deploying the Istio ecosystem’s authservice, which implements Envoy’s external auth API to provide SSO, and the design considerations that went into making the system incredibly simple for application teams running on Platform One to consume. Finally, we’ll briefly introduce an upcoming NIST IR covering the usage of a service mesh to provide authentication and authorization for applications.
  • 2 participants
  • 43 minutes
platform
deployments
dod
provider
operating
consulting
istio
important
mesh
kubernetes

4 Dec 2020

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2021 Virtual from May 4–7, 2021. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Istio Service Mesh Simplified Beyond a Single Cluster - Lin Sun, IBM & Sven Mawson, Google

We have made numerous improvements to the Istio project over the past year to simplify the experience for users and operators in a single cluster. This year we have been focusing on improving the experience beyond a single cluster, simplifying multicluster deployment by merging the replicated control plane and shared control plane patterns. Within this unified multicluster pattern, users can choose a control plane and network topology based on their business needs and requirements. We have also been simplifying Istio's usage beyond containers, making it easier for users to securely onboard VMs into the service mesh. In this talk, we will be demoing the new and improved experience for using Istio with multiple clusters and expanding the mesh to VMs.
  • 2 participants
  • 45 minutes
meshes
simplification
vm
cluster
istio
configuration
dashboards
multi
servicemeshcon
federated

4 Dec 2020

Multi(Control Plane/Network/Mesh)??: A Practical MultiCluster Deployment - Nicholas Nellis & Vikas Choudhary, Tetrate

While working with several traditional customers spanning defense, finance, etc., we found that the service mesh multicluster models that exist today are completely unusable from an enterprise point of view. They are designed with the network administrator in mind, focusing on how to connect two clusters, and not on how developers across teams like to consume the services exposed by other teams. The multicluster models that app teams want turned out to be dramatically simpler than the ones out there today. This talk discusses our experiences working with these teams, our learnings from how they built out an API-centric multicluster model and what we as a community of (mostly) infrastructure developers should do to better support the application teams.
  • 2 participants
  • 31 minutes
cluster
deploying
tier
problems
multi
manage
microservices
upgrades
enterprise
scalability

4 Dec 2020

Multi-Cluster & Multi-Cloud Service Mesh with CNCF’s Kuma and Envoy - Marco Palladino, Kong

Learn how to run a distributed Envoy-based service mesh on multiple Kubernetes clusters and multiple clouds in just a few steps with Kuma, a CNCF project. In this session, we'll be firing up Kubernetes clusters in multiple regions to demonstrate how we can secure, route, connect and observe service connectivity in a distributed service mesh. In this session, we will learn to:

- Use Kuma’s multi-zone deployment to spin up a multi-cluster and multi-region service mesh.
- Leverage the global/remote control separation to scale reliability with HA.
- Use the built-in service discovery and ingress capability for out of the box service connectivity across multiple zones, clusters and regions.
- Use Kuma’s policy to determine the behavior of traffic across different clusters, like Traffic Route, mTLS, Traffic Permission and so on.
  • 1 participant
  • 20 minutes
kubernetes
cuma
mesh
kuma
deployments
gui
vms
dashboards
infrastructure
gateways

4 Dec 2020

Running Machine Learning Workloads on a Service Mesh

Data security is one of the key pillars to ensure successful operationalization of machine learning workloads. A service mesh can help build capabilities around mTLS, authorization checks combined with some other goodies to add security, resilience and observability to existing services and applications. JupyterHub is one of the most popular open source tools of choice for teams running machine learning environments. There has been a lot of demand in the community to add support for running JupyterHub with a service mesh on Kubernetes. This talk would cover the journey of adding Istio ServiceMesh support to JupyterHub, the roadblocks, the troubleshooting journey and how Istio makes operating and securing machine learning workloads easier despite the heterogeneous nature of tools that the data scientists use. This combined with network policies and other security best practices for running workloads on Kubernetes makes for a great operational and usability combo.
  • 1 participant
  • 26 minutes
splunk
microservices
deploying
workflows
mesh
server
configure
operationalize
model
machine

4 Dec 2020

Service Mesh - The New Single Point of Failure - Mitch Connors, Google, Sabeen Syed, HashiCorp & Thomas Rampelberg, Buoyant

Interested in knowing why your favorite service mesh was implemented that way? Architecture decisions have real user impact. When building a service mesh, it is possible to fall into a trap of choosing implementation that is easier to build but makes it difficult to operate in the real world. While service meshes enable new levels of resiliency for users’ applications, they suffer from a chicken and egg problem: How do you build a resilient and scalable service mesh without having a service mesh to rely on?
Maintainers of Istio, Linkerd2 and Consul will walk through tradeoffs the projects have made during implementation and the impact on users. Topics will include:

- Why it is important to verify environments before installation.
- How to build a service mesh which can be safely upgraded.
- What regular security updates mean for upgrades.
- How to give users the same stability for config changes as they require for code changes.
- What to do when the mesh breaks.
- Why the division of responsibility is important.
  • 3 participants
  • 44 minutes
servicemesh
communicate
interface
conversation
users
hi
juncture
issue
complexity
linkardi

4 Dec 2020

Service Mesh Security in a Nutshell - Venil Noronha & Manish Chugtu, VMware, Inc.

Security is one of the greatest challenges in the cloud-native world today. Service meshes promise several benefits including better connectivity, and observability, and most importantly security. Securing a cloud-native service involves securing it at several levels i.e. at the perimeter (ingress/egress gateways), when accessing other services, when persisting data, when processing requests, etc., and using a service mesh one can address several of these issues in a consistent and maintainable manner. In this talk, we will present some of the key patterns that one can use for securing cloud-native services when working with north-south and east-west traffic. We will talk about available TLS choices (passthrough, mTLS, etc.), AuthN/AuthZ constructs, JWT support, and extension mechanisms within Envoy/Istio that you can leverage for building customized policy frameworks. We will also discuss application security in the context of multi-cluster service mesh deployments. Come join us!
  • 2 participants
  • 10 minutes
gateways
gateway
authentication
routed
ingress
secure
passthrough
accessing
proxy
manages

4 Dec 2020

Service Mesh use cases for Telco and Edge - Kunal Shukla & Prajakta Joshi, Google

Service Mesh is a key paradigm for Telco, 5G and Edge. In this session, the speakers deep dive into how Service Mesh delivers technical and business value for use cases like:

- Service Mesh for modern service ops for Telco
- Service Mesh for managing heterogeneous environments with container and openstack/VM services
- Service Mesh for 5G Core service based architecture
- Telco Security
- Consistent service management across multi-cloud and Edge
- Extending the experience of Cloud to the Edge

The speakers also describe some of the new capabilities that are needed in service mesh for these use cases and the road ahead.
  • 2 participants
  • 34 minutes
telcos
telco
connectivity
tel
4g
technologies
providers
trends
edge
rollouts

4 Dec 2020

Taking Service Mesh a Step Further with WebAssembly - Christian Posta, Solo.io

WebAssembly (WASM) is a binary instruction format for a stack-based virtual machine. Wasm is designed as a portable target for compilation of high-level languages like C/C++/Rust, enabling deployment on the web for client and server applications. Wasm support in Envoy opens up new possibilities in customizing service meshes built on Envoy with modules that modify the behavior of the sidecar proxy in any language. The possibilities are endless and in this talk we will:

- Explain the state of Wasm in Envoy and how it works
- Demonstrate the developer experience in building, sharing, and deploying modules
- Demonstrate a range of module types and the kind of behavior they can customize in the sidecar proxy
  • 1 participant
  • 30 minutes
microservices
deployments
workflow
servicemeshcon
interface
architectures
webassemblyhub
proxying
meshes
vm

4 Dec 2020

Wrap Up of Sessions & Panel Discussion - Louis Ryan, Prajakta Joshi, Google & Thomas Rampelberg, Buoyant
  • 3 participants
  • 34 minutes
mesh
kubernetes
service
interface
deployments
microservices
awesomeness
liked
aws
enterprise