Istio / IstioCon 2022

Workshop presented during IstioCon 2022 by Red Hat. This hands-on lab showcases how the Istio Service Mesh allows developers and IT staff to gain a deep understanding of their Kubernetes native applications based on Quarkus and Spring Boot, and how to take an existing application and form a service mesh around its services to obtain such understanding. Developers will also learn how to use the service mesh to provide powerful visualization and control over their distributed Kubernetes native applications.

Workshop presented by Solo.io at IstioCon 2022. In this hands-on workshop, we explore many Istio concepts (multi-cluster topologies, identity federation, authorization, and more) and demonstrate how Gloo Mesh can simplify the management of a complex heterogeneous service mesh with a particular focus on multi-tenancy.

This workshop was led by Eitan Suez and Peter Jausovec from Tetrate at IstioCon 2022. It consists of a series of labs that together comprise a hands-on tour of Istio.

Workshop recording from IstioCon 2022 where we show how to run distributed services on multiple Google Kubernetes Engine (GKE) clusters in Google Cloud Platform (GCP) using Anthos Service Mesh (ASM). ASM is Google’s fully managed Istio-compliant service mesh, which ultimately unburdens your operations and development teams.

This workshop was presented at IstioCon 2022 and led by Christine Kim, Mike Coleman, Mathieu Benoit & Nim Jayawardena.

Presented by Ram Venman at IstioCon 2022.

As a Field Engineer at Solo.io, the speaker helps organizations of all sizes install and upgrade Istio in production every day. What we already know is that there is no one-size-fits-all approach to perform upgrades. Enterprise platform owners and service owners maintain distinctive environments and Istio deployment models depending on their tenancy, security, and cost requirements. The varying risk tolerance for a potential downtime during an upgrade is another factor to consider. Developing a custom plan is often critical to address an organization’s unique architecture and constraints.

In this session, the speaker will outline the various upgrade strategies, their advantages and disadvantages, the gotchas that you need to watch out for, and most importantly - some best practices you can apply from day 1 to ensure successful upgrades in the future.

Presented by Anil Attuluri & Shriram Sharma at IstioCon 2022.

Securing services behind a Gateway (also called API Gateway) is a common pattern in the industry. With proliferation of microservices architecture and increased communication between them it’s natural for these services to be on Service Mesh. By moving the API Gateway to Service Mesh, microservices that have external clients can continue to take traffic from API Gateway while converging their ingress onto a single path over Istio Service Mesh. At Intuit, this approach resulted in a complete zero trust model architecture and greatly simplified the networking and traffic management for the applications. It also helped accelerate their journey to Service Mesh. This was made possible with Istio’s Sidecar tls termination implementation which provides a way for regular TLS termination on Service mesh sidecar. In this talk Shriram and Anil will elucidate the pattern used, the Istio feature implementation and their journey to make API Gateway part of the Service Mesh.

Presented by Josh Tischer at IstioCon 2022.

Dual Stack support is very limited in today’s cloud ecosystem. Learn how to run/test Istio on a Dual Stack cluster in AWS on both Openshift 4.8+ and KubeAdmin. OpenShift 4.7+ is one of the few options that officially supports Dual Stack mode for bare metal clusters and Azure. We are excited to share our experience and empower your team with another option for Dual Stack support.

Presented by Gregory Hanson at IstioCon 2022.

You have successfully deployed Istio, there are sidecars injected in all your services and pods can talk to each other. Now it’s time to start looking outside your service mesh and getting your pods talking to services outside of your cluster. It’s time to introduce ServiceEntries. Defining traffic routing behavior in Istio for external services does not happen automatically. Users need to often create four separate CRD’s to define external traffic routing behavior and that introduces four potential avenues for bugs to get introduced. This talk will cover common pitfalls in egress configurations and debugging techniques for when those calls to external databases start failing.

Presented by Mathieu Benoit & Ernest Wong at IstioCon 2022.

This session will demonstrate how Gatekeeper policies could help you make sure your Kubernetes cluster and your Istio mesh are secure and compliant with common and your own best practices. We’ll see in action how to guarantee that the deployed resources like Namespace, Service, AuthorizationPolicy, Sidecar, etc. are properly written. And because shifting left security guardrails is important, we’ll also illustrate how you could catch such policy violations in your Continuous Integration (CI) system, before actually applying these resources in your Kubernetes clusters.

Presented by Rob Salmond at IstioCon 2022.

The Istio and Kubernetes landscapes are rife with jargon, and high on the list of overloaded terms is the word “gateway”. This term has multiple specific meanings that are both distinct and related to each other. In this talk we will quickly run through the different uses of the word Gateway, what they mean, how they’re related, and how to pick them out when you see them used in context.

Presented by Mariam John at IstioCon 2022.

Are you interested in contributing to Istio and wondering how to get started or would you like to learn more about our community?

Istio is an open source project with a very diverse and active community of users, vendors and contributors. Since its launch in 2017, Istio has seen exponential growth and adoption, with more companies starting to use Istio in production. One of the key contributing factors to this growth is the great community of contributors who have been actively contributing to the project.

There are many ways in which you can contribute to Istio. In this talk, we will go over how the Istio community is structured and the various roles and workgroups within the community. We will also go over how you can get started with contributing and grow within the community.

Presented by Faseela Kundattil & Adolfo García Veytia at IstioCon 2022.

Over the last decade, the use of open source by organizations has increased drastically and is considered as a catalyst for innovation.However, opensource is seen as inherently insecure due to various reasons such as insecure development practices, lack of required infrastructure and awareness. The Cloud Native ecosystem is one of the exemplary communities which could make a great impact on improving the security posture of open source software while allowing organisations to consume open source in a fast, secure & sustainable manner. This talk will highlight a few ongoing initiatives across cloud native projects for standardised generation of Software Bill Of Materials, and how the same procedure was applied to Istio by adopting SPDX standard using K8s bom. We will also discuss how these security standards can help ease the consumption of the opensource code by organisations, and the importance and the necessity of cross collaboration and pollination between projects.

Presented by Nick Nellis at IstioCon 2022.

Did you ever want to better understand how Istio enables some of its features such as mTLS, route manipulation or multi-cluster communication? With the help of istioctl you can look at how Istio configures Envoy and use that information to build your own local istio-proxy. Learning how Istio configures Envoy is not only good for debugging, but also enables you do more complex routing like secure multi-cluster communication. In this session, Nick will explain how you can configure a local istio-proxy to connect securely to a cloud based service mesh all the while explaining concepts like PKI, mTLS, east/west routing, and request/response transformations.

Presented by Amey Bhide & Takeshi Yoneda at IstioCon 2022.

WebAssembly (WASM) filters enable users to extend Envoy functionality. In this talk, we will discuss Proxy-WASM, Go SDK, our experience writing a Go-based WASM filter, problems we encountered writing a WASM filter at Splunk and a way to build a singleton WASM filter.

Presented by Christine Kim & Nim Jayawardena at IstioCon 2022.

Have you read about Load Balancing while onboarding to Istio, but never tried it out? Or maybe you just want to learn more about how Istio uses its Envoy sidecar proxies to support Load Balancing. This talk will discuss why we need Load Balancing, its benefits, and how you can stress test your service mesh so you don’t risk your own traffic. We’ll demo a simple multi-cluster setup of an online store sample app – Online Boutique – to showcase some Load Balancing capabilities. You will walk away with an understanding of Istio’s load balancing options.

Presented by Iris Ding & Srinivasa Addepalli at IstioCon 2022.
Security is a key feature for Isito service mesh. Service-to-service communication can be secured automatically without application code change. In the mesh edge side, the ingress and egress gateway can help you do TLS termination or origination as well. Private keys are important parts to fullfill all these functions and currently they are all exposed in clear text. This exposes rich attack surface for your service mesh. In this talk you will learn about confidential computing and how you can leverage it to improve the overall security level for Istio service mesh.

Presented by by Jacob Delgado at IstioCon 2022.

Following the Istio Security Best Practices page is a daunting task for newcomers to Istio. Even experienced operators have difficulty discerning where to begin. In this talk I will present an easy way for beginners to adopt Istio and settings/configuration based on my years of experience setting up and deploying Istio. Attendees will gain peace of mind knowing they can implement Istio securely according to established best practices.

Presented by Anil Attuluri & Siva Thiru at IstioCon 2022.

API-as-a-Product is an emerging concept in software development. Open API 3 enables faster and collaborative API development and its custom extensions can be leveraged to augment API contracts with additional functionality. Here at Intuit we built a system that uses Open API spec, Istio Service Mesh and other extensions to generate capability/orchestration APIs and dynamically generate the runtime for them. It includes K8s resource manifests and Istio VirtualServices for routing rules to enable faster API delivery. This runtime supports API patterns like aggregation, transformation and proxy and can be used uniformly across both north-south (via API Gateway on Mesh) and east-west traffic. Such an API orchestration runtime will allow you to create and present new and elegant APIs on top of existing APIs while adhering to industry best practices. Come and learn how Intuit’s API Management Platform team built a low code / no code runtime solution for API orchestration using Istio.

Presented by Yoichi Kawasaki at IstioCon 2022.
ZOZOTOWN was launched in Dec 2004 and currently is one of the biggest fashion E-commerce company in Japan run by ZOZO (https://corp.zozo.com/en/). It was implimented as monoliths, and became a big fat monolith application built upon onprem as it grew. In last 3 years they have worked on ZOZOTOWN modernization project that they call ‘ZOZOTOWN replace’ where they achived gradual migration to kubernetes-based microservice architecture and adopted istio / service mesh as a key enabler for our new ZOZOTOWN platform. Topics covered in the presentation will include:

ZOZO’s gradual migration storategy
How they integrated Isito into their microservice platform where they had their existing in-house API Gateway
How they achieved zero downtime migration to istio-based microservice architecture
Further Istio usage at ZOZO to achive more sophisticated DevOps experience

Presented by Aaron Teague at IstioCon 2022.
One of the great things about Istio is that it provides a solid mechanism for service to service auth within a mesh using mTLS and AuthorizationPolicy

But what if the thing accessing your services is not in the mesh. What if it’s a person and not a process? What if it’s a customer instead of an employee in your organization? Suddenly, the options and tools to fulfill them become overwhelming. Let’s break down our patterns and tools to determine which to use and when.

Presented by Jianfei Hu at IstioCon 2022.
Istio offers best security practice in its own blog. In this talk, we will show how a tool can make configuration scanning, offering suggestion to enhance the your configuration security. We believe such config analysis tool can make the best practice easier to consume and adopt for Istio users.

Presented by Ying Zhu & Lin Sun at IstioCon 2022.
One of the key goals of service mesh is to decouple developers and operators so that developers can continue to focus on writing code for their services, while operators adds security, resilience, and policies to these services they manage. In the Istio community over the past few years, we have observed that customers such as AirBnb, Salesforce, eBay etc building out abstractions over Istio for their developers. This talk will introduce these abstractions, compare them, along with the thought process behind the service mesh API for developers built at Solo and AirBnb.

Presented by Ameer Abbas at IstioCon 2022.

Building distributed applications is hard! Building globally scalable distributed applications is harder! Maintaining and growing these services as your business grows is even harder!

This session takes an opinionated approach on how to create globally scalable platforms on multi-cluster, multi-regional and multi-tenant Kubernetes cluster architectures using Istio.

The session covers (design opinions and reasonings for) the following concepts.

Designing multi-cluster Kubernetes platforms
Application multi-tenancy
Global networking, ingress, multi-cluster load balancing, locality considerations
Security - AuthN, AuthZ, NetPol
Ops - Observability, dashboards
Application and cluster life-cycle management
Demo (on GCP)

Presented by John Howard at IstioCon 2022.

In this talk, we will discuss the status of adoption of The Gateway API within Istio. Topics will include:
Gateway auto provisioning
Using Gateway API for mesh
Gateway API path to beta and future plans
Using Gateway API to integrate with cloud load balancers

Presented by Rahul Dhir at IstioCon 2022.
WP Engine has adopted Istio as a core technology for its internal microservices platform over the past 2 years, enabling internal engineers to ship products and features quickly and reliably. The platform has a multi-tenant architecture and uses various technologies such as containerized builds, GitOps deployments, and automated policy enforcement all in conjunction with Istio to meet our business and technical goals.

The decision to implement an internal platform with Istio has revolutionized the way WP Engine ships software by minimizing the common cross-cutting concerns engineers have to consider in building their applications. Implementing this platform has improved consistency between services, reduced operational overhead across the organization, and enhanced the security and observability of our runtime environments.

In this talk, we’ll discuss WP Engine’s journey building a platform with Istio and how its benefits are moving our business forward.

Presented by by Zufar Dhiyaulhaq at IstioCon 2022.

Managing Rate limit configuration in Istio is a tedious task since currently, we are setting up the EnvoyFilter object to configure the rate limit function.

There are some drawbacks with this approach, developers need to understand very complex configurations within EnvoyFilter. Maintenance also becomes a problem because every time the infrastructure team wants to upgrade the mesh, Developers need to check if the rate limit configuration is working on the newer version of the mesh.

In GoPay, we are trying to improve the experience for developers to apply rate-limiting functions to their services. This is archived via Kubernetes operator that helps us abstract the details from developers.

Presented by Rama Chavali and Devesh Kandpal at IstioCon 2022.

Salesforce is onboarding several open source stacks onto Service Mesh. As part of that, we have been solving a lot of advanced usecases with the features supported by Istio. This presentation walks you through how we have used Istio features to onboard these open source stacks onto Mesh. This presentation specifically covers

Hbase running in a Multicluster setup with Istio DNS
Cassandra running in a Multicluster setup with Istio DNS
Onboarding Trino
RabbitMQ with K8s Peer discovery
AWS services like Elastic Cache (with Auth support) and Postgres (with startTLS support)

Presented by Louis Ryan and Eric van Norman at IstioCon 2022.

Message from Solo.io for the Istio community during IstioCon 2022.

Presented by Etienne Fontaine at IstioCon 2022.

Let your SEO managers handles HTTP redirections at scale on your mesh.

istio-redirector is an open-sourced service built at BlaBlaCar to let our SEO specialist manages HTTP redirections during our SOA migrations.

More than 20k redirections are now managed by our product team. Istio offers a great way to handle redirections at scale, in a distributed and cloud agnostic way.

Message from Tetrate to the Istio community. Presented by Tetrate during IstioCon 2022.

Presented by by Rajath Ramesh & Edward Samuel Pasaribu at IstioCon 2022.

In a micro-service architecture - development and testing changes, in a service or set of services involved in a feature, without affecting stability of shared environments like staging, pre-prod, etc. is challenging.

We are excited to share an approach to tackle it by spinning up a developer/feature environment on demand, which only contains a subset of services that have code changes. Traffic to other services and datastores, which are not in the developer environment, is routed to a shared environment. This whole setup is orchestrated by Istio service mesh. With this, we can have multiple developer environments running in-parallel sharing the same shared environment - enabling the developer and/or feature development team to have an isolated environment to test out the code changes and rollout with confidence.

This has been adopted across our organisation, improving the developer productivity & experience along with stability of shared environments while keeping costs in check.

Message from Red Hat to the Istio community during IstioCon 2022.

Presented by Devarajan Ramaswamy & Nizam Uddin at IstioCon 2022.

Scaling systems to handle high throughput is an art and a journey fraught with several hurdles and blockers. We shall demonstrate how every little configuration can cause a huge impact at very high RPS, how we managed to beat 500K RPS with minimum latency and how we geared the system to be capable of handling upto 1M RPS. We shall show using the example deployment topology of Istio Service Mesh, how we addressed the issues of connection handling, load balancing shortcomings, cross cluster pitfalls, side effects of HPA, uneven resource utilization, etc.and achieved a smooth response graph at very high throughputs.

Presented by Anthony Roman & Lei Tang at IstioCon 2022.

In this session, we will start with an overview of service mesh security best practices, discussing the various aspects of security that must be considered when securing services with a mesh. Since the components of the mesh are also part of the environment, we will discuss methods to ensure the mesh itself is secure. Ultimately, we will zoom in on one aspect, considering the entire lifecycle of authoring, implementing, monitoring, and validating security policies at scale.

Presented by Idit Levine at IstioCon 2022.
eBPF and service mesh both optimize the functionality around networking, observability, and security. Are they competing? Or complementary to each other? To what extent can eBPF play a role in a service mesh? How does the role of the service proxy change? In this talk, we will dig into the role of eBPF for a service mesh data plane and what are some of the tradeoffs in terms of features, resource overhead, feature isolation, security granularity and upgrade impact for various data-plane architectures: shared proxy vs shared proxy per node vs sidecar proxy vs shared proxy per service account etc.

Presented by Kenan O'Neal at IstioCon 2022.
Quick dive for beginners on TLS origination to improve security. This talk will focus on settings that may not be expected for new users with a focus on validating settings. I will touch on what settings Istio uses by default and how to configure Destination Rules to correctly check certificates.

Presented by Nina Polshakova at IstioCon 2022.

Istio provides native Virtual Machine integration for legacy applications which requires IP connectivity to the East/West gateway deployed in the mesh, and optionally connectivity to the pod networking for enhanced performance.

In production deployments, the communication between Kubernetes nodes and non-Kubernetes nodes are often handled with sophisticated techniques like VPC or VPN, but on a developer machine your Kubernetes nodes may be running in a simulated environment such as minikube, k3s or kind. It can be tricky to test this locally on a developer setup. How can you test calls from a Kubernetes service locally to and from a service on a VM without using LoadBalancer type Kubernetes services - using only Cluster-IP or Pod-IP?

In this session, I will talk about challenges you may face in a developer setup and how using the Calico Networking Plugin enables you to develop VM integrated meshes without LoadBalancer services in both single network and multi network environments.

Presented by Neeraj Poddar & Douglas Reid at IstioCon 2022.
We have introduced the new Telemetry API in v1.11 which provides a flexible and uniform way for configuring how telemetry is generated in the mesh. Since the initial release, we have made continuous improvements in functionality by adding support for various telemetry types and expanding to more providers. In this session, we will go over the motivations and use cases that drove the design of the new API and deep dive into the following aspects:
- Inheritance and override semantics.
- Provider selection and enabling multiple providers for any telemetry type.
- How to easily add dimensions in Prometheus metrics, provide tracing configuration and filtering access logging at various scopes from mesh wide to a specific workload.

Presented by Christian Posta at IstioCon 2022.

Istio derives a bulk of its power from Envoy proxy which gets deployed as a sidecar to a running application. However, sidecar deployments are not the only way to achieve service-mesh capabilities. In this talk we discuss the work we’ve been doing to “virtualize” the Istio sidecar for our users by giving options for sidecar, service-account, shared-node, and even remote proxies and micro proxies.

Message from Google Cloud for the Istio community during IstioCon 2022.

Presented by Josh van Leeuwen and Lin Sun at IstioCon 2022.

Most organizations already have their PKI system in place before they adopt Istio or any service mesh. There are a few approaches in the Istio community, either plugging in your intermediate CA as secrets manually, or use the istio-csr open source project, or leverage Kubernetes CA or Kubernetes Certificate Signing Request (CSR) API. This talk dives into the few approaches out there in the service mesh community to tackle this challenge and the tradeoffs among them.

Presented by Mitch Connors at IstioCon 2022.

Keeping Istio up to date can be quite a chore. With monthly patch releases and quarterly minor releases, many users fall behind on upgrades, exposing their traffic to known CVEs and bugs. Upgrades can feel risky and unpredictable, with gateways acting as a single point of failure, and proxies upgrading unexpectedly.

This talk will cover lessons learned at Google, where we have performed 1700 control plane upgrades and 3000 data plane upgrades on behalf of our users in the last year. We will explore the patterns and practices employed to keep users up to date, and show how open source users can take advantage of these principles as well. We will demonstrate using OSS tooling and gitops to handle upgrading an entire service mesh across a minor release with only two (automatically generated) pull requests.

Presented by Bernard Van De Walle at IstioCon 2022.

Splunk is heavily using Istio for the last 3 years, using it as our baseline for network ingress, policy and authentication. This session explores how we manage, install and operationalize istio at scale on more than 40 clusters across multiple regions and providers. We will describe in detail our journey, including the trade-offs that were taken into account before jumping into Istio as well as the lessons learned over time. We will also go into details on how our internal users are using Istio and how we support them.

Presented by by Faseela Kundattil & Ingo Meirick at IstioCon 2022.

In this talk we discuss how Ericsson is using istio in its modernised 5G Cloud platform to onboard various Cloud Native Functions seamlessly and how our cloud native infrastructure evolution using istio is solving some of the problems in the areas of security, observability and traffic management. Integration of istio in an end to end 5G platform has come with its own challenges, and we would like to highlight the various conscious choices we had to opt in terms of tenant isolation, onboarding of legacy workloads, enhancing security, dual-stack enablement etc. We will use this as an opportunity to bring more insight to how to build a fast and secure cloud native platform for 5G applications, and also to raise more awareness in the community for enhancing istio for telco use-cases. This session will give an overview of how Ericsson’s istio journey has evolved over the years, and how istio can be leveraged for realising the needs of 5G cloud native platforms.

Presented by by Alex Ly & Will McKinley at IstioCon 2022.

As Istio adoption becomes mainstream within your organization, new challenges surrounding multi-tenancy and security across multi-cluster will naturally start to grow:
- Which group owns what process/workflow?
- Which cluster(s) does each policy affect?
- How to provide control to some groups, while blocking access to others w.r.t. the mesh?
- How does an administrator set this up in a secure fashion?
- How can we stay informed about potential policy violations?
- How can this be fully automated?

In this discussion, Will and Alex discuss these topics in detail and review strategies and experiences tackling these challenges with some of the largest deployments of service mesh in the world.

Presented by Gergő Huszty & Tong Li at IstioCon 2022.

The external control plane deployment model in Istio enabled some new use cases for mesh management. The ownership and the management of the control plane may belong to a completely different entity, other than the end-user. Leveraging this new model, a cloud vendor can create a cost effective, managed, multi-tenant mesh control plane, safely isolated from the mesh clusters. Behind the scene, the vendor can manage/scale/update the service with or without the user’s intervention.

In this talk we describe such a managed solution, focusing on the extra challenges that the basic Istio external control plane setup does not solve.

Presented by Sanjay Pujare at IstioCon 2022.

gRPC has been a popular choice for building microservices based service mesh architectures especially after the recent introduction of service mesh features such as service discovery, load balancing, mTLS for transport security, and observability which eliminated the need for sidecar proxies - like Envoy - in the service mesh. The introduction of these features in gRPC enabled a “proxyless service mesh”. Besides supporting Google’s Traffic Director proxyless service mesh product, proxyless gRPC also works with Istio because of the use of “xDS” - the industry standard and open protocol created by Envoy.

The talk includes the use-case of how you can manage gRPC workloads without having to deploy an Envoy sidecar. It will also include the current efforts to standardize Istio support across all gRPC languages and multiple environments. One of those environments is ASM - which is managed Istio in Google Cloud and the talk will include a description of that implementation.

Presented by Lucas Copi & Rafael Polanco at IstioCon 2022.

We discuss how IBM leverages Istio as the bedrock of its Cloud for Financial Services. Providing a performant, secure, and compliant control plane for its core systems. It will discuss the challenges and pitfalls encountered during adoption; the evolution of the deployment process and its impact on production environments; and the configurations needed to maintain scale and performance for robust systems. The goal of this talk is to provide insight into the IBM Cloud Istio journey and generate a discussion on what is coming next.

Presented by Neeraj Poddar at IstioCon 2022.

Installing multiple Istio control plane revisions in different namespaces might be your first instinct to ensure better hygiene in production but you can run into unexpected challenges in doing so. In this lightning talk, Neeraj will explore some of the hidden land mines that you might run into with this setup and how to best install and manage multiple Istio revisions safely in production.

Lin Sun and Mitch Connors welcome you to IstioCon, followed by a special announcement from Eric Brewer!

https://events.istio.io/istiocon-2022