From YouTube: Istio Networking WG meeting - 2019-02-14
Description
- Istio 1.1 state
- Pilot ingesting Endpoints via MCP update
- Secure Egress Traffic Control in Istio 1.1
A: I think it's good. Okay! Well, hi everybody! Welcome to this Istio networking working group meeting. Today we have three items on the agenda. First we'll do a brief on the state of Istio 1.1, just before anybody asks, because I know that's on top of everybody's mind. Second, a little update on what's going on with the endpoints post 1.1. There have been some discussions on Slack, some questions, so I just want to update the community with what we're doing in this space. And the third item, Vadim will talk a bit about secure egress traffic control. That's also for Istio 1.1. Yeah, we can start. So Josh, I think you're the release manager for 1.1.

B: Yes.
B: We always test out new versions of Google Hangouts internally. That's why it's so flaky, sorry guys. So a quick update on 1.1: we're trying to create release candidate zero this week. The current status is, we did a trial run, because we have new people creating releases for the first time, to create snapshot six for 1.1. That went out, I think, on Tuesday. Snapshot six has got almost everything that release candidate zero will have.

And by the way, the difference between a snapshot and a release candidate, and even the release, in terms of the process, is just a naming convention and the testing that follows. So if anyone wants to understand what release candidate zero is going to be like, pick up snapshot six right away.
A: Is there anything else that it would be good to focus on? Like, do we need to test the multi-cluster, or...?
A: Okay, good. So let's move to the second item, which is related to the endpoints. What is going on with the endpoints? That's sort of a common update. There are a few people working on that: Nathan in Galley, Nino in pilot, and also Jason is working on it; those are working on the MCP side.

As you probably remember, almost a year ago there was this pilot decomposition proposal, which was about adding a layer of API around pilot and making pilot a bit slimmer and not necessarily dependent on the platform, like on Kubernetes. That's a longer-term work item; we did it in steps. So there is a pending PR, which has been approved, in Galley to generate what we call synthetic service entries that contain basically Kubernetes services and Kubernetes endpoints, and there can be additional plugins into Galley. Those synthetic service entries will be sent to pilot via MCP. This is pending and will be merging into, I guess, 1.1.1 as soon as we're done with 1.1.
A: Exactly. So the next phase is actually to make the equivalent changes in pilot to ingest those endpoints and hook them up directly into the XDS push code for endpoints, which would send the configuration to Envoy, and Nino is working on this. What this enables: it obviously enables use cases like multi-cluster, like hybrid endpoints and all that, and it makes our pilot, as we discussed before, a bit slimmer. So it's a fairly important piece of work. We hope to land it in the next, I guess, 1.1.1 release. We'll make an announcement when this is ready to go, or in code review, or maybe testing; it will definitely have to undergo, you know, performance tests and everything. In the initial phase I think we talked about using regular MCP for endpoints, and we will measure the performance and, if needed, we will switch to incremental MCP. Incremental sends just really the incremental updates. So yeah, not for 1.1, for 1.1.1.
E: So this is super visible to the customer, because it would change the whole multi-cluster configuration. But it's fixing a buggy multi-cluster, where we have problems because the gateway is not reachable, and some security issues around multi-cluster. So we treat it as a security fix, so even if it's a bit riskier and it sounds like a feature, it's important for enough users that are trying to get it in, yeah.
E: I'm doing some coding to move the Consul adapter also out of pilot and eventually also remove the definition from pilot, so in 1.2 we'll definitely have some bigger changes around this. And it's important to note that you can have any MCP implementation serving this.
F: So, as you can see, as a project administrator I want to ensure that my pods only make outgoing connections to the endpoints and services they are expected to connect to, so that if hackers break into my pods, they can't use them to attack arbitrary targets. The requirements are basically to provide a DNS-aware firewall, a secure firewall, and also a recognizable source IP. Okay, and so to present the requirements that we collected from our customers.

We want to provide monitoring of the destination, SNI and source. We want to be able to define policy rules per pod, or per namespace, for any microservice: microservice A may access one set of hosts, microservice B may access another. So we want to use as a destination both wildcard domains and specific hosts, and we also want to define policy by source, for example for this whole namespace, or a specific pod as the source, and we want to specify that, for example, microservice A may access *.ibm.com while microservice B may access some other host. We want to do it securely, meaning the attackers cannot tamper with the policies, and preferably we want to do it transparently to the microservices, so you do not want to change, and certainly do not want to change, the code of the applications.

So these are the requirements, and just to remind you of the security threats. Any microservice may be compromised, either from the outside or from the inside, by some malicious insider or a rogue ops person, and the attackers may want to perform different kinds of attacks. They may want to steal data, transfer it outside of the cluster. They may want to connect to external services to download software, malicious software. They may want to attack external services using the cluster, and they may also want to perform other attacks on the cluster, and there are also completely unknown attacks; we don't know them, but we still want to prevent them. In short, we want to control and monitor the traffic from our cluster, and we want to define policies for egress and get them enforced.

So there are two other solutions to egress traffic control. The first is Kubernetes network policies. They are transparent, okay, so you don't have to change containers or pods. They are Kubernetes-aware, so you can specify, for example, which pod or which namespace can access which external service. However, they are not DNS-aware, okay, so you have to use IP addresses or ranges of IP addresses; you cannot use domain names. This is a problem that is unsolved now. Another solution is to use some legacy HTTP proxy or firewall, and to configure the microservices to use the proxy for external traffic. So you use some proxy endpoint and configure the microservices to use it; in each microservice you only define some environment variables, so it's not very scalable. So the legacy way, with an HTTP proxy or a firewall, is not transparent and it's not Kubernetes-aware, but it is DNS-aware, okay, so you can define wildcard domain names and host names, and so on.

So comparing with that, Istio is like the best of all the worlds. With Istio egress traffic control, it is transparent, DNS-aware and Kubernetes-aware. You do not need to configure the applications. You don't need to define environment variables or use special proxy protocols, and you can use the same Istio policies for ingress, egress and in-cluster traffic; you use the same single policy language. Okay, and moreover you have to configure your external monitoring or access control systems only once and use them for all the ingress, egress and in-cluster traffic, and it is integrated with the mesh's service accounts. Okay, and you can also gain Istio traffic management features. You can apply load balancing, you can create timeouts, retries, fault injection and so on for the egress traffic, and it is also integrated with the existing Istio policy and telemetry adapters, and we had several customers that are asking for this.
F: And so here we had a vulnerability. Let me explain the situation. We wanted to provide security policies by source. Okay, we applied here a mutual TLS connection between the application pod and the egress gateway, where we had two different design options and we implemented the original one: the mutual TLS connection there, and we had a mutual TLS tunnel. The outer SNI was reported to Mixer, but the routing was performed by the inner SNI. So we had this vulnerability, and what we implemented in Istio 1.1 to be able to prevent this attack is filters. So in the egress gateway, on the way, we have an SNI verify filter which compares the inner SNI with the outer SNI and checks that they are equal, and if not, it blocks the traffic. And on the sidecar Envoy we have a forward downstream SNI filter: it just forwards the inner SNI as the outer SNI on the mutual TLS connection. So, in short, what we implemented in 1.1: we closed this vulnerability. Okay, now we can provide secure egress control in Istio, with all the benefits of Istio.
D: Yeah, I think this is also related to the issue I opened yesterday. A lot of users are also stumped when they are using Istio. So the first thing they do is they inject a sidecar into their microservices, and if any of their services happen to use external services outside of the mesh, they would spend a lot of time just figuring out, you know, why is this not working? And why is it? Because Istio has a configuration that protects everything going outside of the mesh, and necessarily the Kubernetes cluster. So everything going outside of the mesh, like if you go to Amazon or Google or IBM cloud services, would be totally blocked by default, and a lot of users just stumped on that. A lot of users asked us, you know, what is a single global configuration to disable that behavior? Because I'm just evaluating it still; you know, I don't want to learn how do I config my services to talk to external services just yet, because I want to get my services running in the mesh first. So...
E: Then we did quite a bit of research on this as well, and we had a lot of discussions. I think the problem we are encountering, I mean the obvious way is to have original destination. We discussed in the past the problem, which is that, with the default configurations that we are shipping, port 80 is already taken by the ingress gateway, so we get port conflicts and all kinds of problems. However, with the new Sidecar and isolation, it is possible, if you put a Sidecar resource in a namespace, to configure it, you know, for that particular namespace, to have the default be open by default. And this particular thing also avoids the whole issue about backward incompatibility. I mean, if someone actually wanted the block-by-default and they upgraded to 1.1, they would suddenly be surprised. So I think it's a reasonable solution to tell users that if they want to have open by default, they should use the Sidecar, because it also solves the scalability problem, and it's an opt-in alternative, again, to put some default options.
D: I don't think people will get to the virtual services or destination rules when they are trying to run their services in the mesh. The first thing they want to see is: does my service continue to work in the mesh? You can leverage any of the features of Istio other than, you know, I got my sidecar injected. Okay, now can I see what's going on? Is my service actually running?
E: Hundred percent agree with you. I mean, that's why we try to find a solution for this as well. The problem is that, with what we have right now in 1.1, I don't think we have any other practical solution, because that's how, I mean, if you can enable Sidecar globally, then all this will be isolated and we can get this to work.
E: It doesn't work for port 80. I mean, we tested it; that's how we got into this. It unfortunately doesn't work for port 80, and it has the problem of, hey, if you upgrade and you are kind of relying on the fact that we block by default, users will be in an insecure situation because suddenly they'll be able to make requests outside.
E: But if we find a consistent answer about how we deal with this kind of default behavior change, I mean, one proposal was, I believe: if it's a fresh install, we can use the new behavior, and if it's an upgrade we keep the old one; or clear documentation is a different proposal being floated. Both work for this class of problems, I mean egress policy and this one. If we find a solution, then we can probably add this to the list of things to default, to change for the demo profile.
F: Yeah, implementation and possible attacks, and how Istio prevents the attacks. Okay, so first you direct the traffic through the egress gateway, and you also have to apply special security measures for the egress gateway. You should probably run it on a separate node and not run other applications on that node, and so on. Actually, it may be from some security committee, and scans on that component and on the node. So the process is to direct the traffic through the egress gateway by iptables. Then you apply monitoring and access policies with Istio telemetry and policy. Then the third step is you have to provide some firewall with the Istio configuration that limits outgoing traffic from the cluster: you allow only traffic that originates from the egress gateway to go outside, okay. So this is how you actually prevent tampering.

Then the whole picture is you have these two components, I guess the control plane and the egress gateway, with some special security measures, and an attacker should not be able to break neither the gateway operation nor pilot, and the firewall on the node. Okay, so now let's be specific: Istio provides number one, number two, routing, and the monitoring and access policy checks, and to prevent bypassing the gateway we have to apply some additional measure: the firewall and the security measures on the node, and this is the responsibility of the cluster or the provider. Now let me explain the possible attacks and how Istio egress control actually prevents them. Suppose that we have the following policy: microservice A is allowed to egress to *.ibm.com, microservice B is allowed to egress to one specific host, and all the egress traffic must be monitored. The scenario is that microservice A is compromised and the attacker wants to access *.ibm.com unmonitored.

I mean, microservice A is allowed to access *.ibm.com, so the attacker will also be able to access *.ibm.com; however, the attacker wants to do it unlimited and unmonitored. The attacker wants to tamper with the monitoring, and initially microservice A will try to access *.ibm.com, but the traffic will be monitored and limited according to the policy.

The second attack is to compromise the egress gateway. However, since it will be run with additional security measures, it will not be possible. Okay. That means that the compromised microservice has to direct the traffic through the egress gateway; there is no other choice. Okay, so all the traffic will be monitored, and all the traffic going through the gateway means people will be able to monitor the traffic, to apply some algorithms, anomaly detection and so on, and they will be able to detect suspicious traffic.

The attacker can try to egress by impersonating another microservice. So a possible attack is microservice A impersonates microservice B. However, this attack is prevented by Istio's strong identity support, based on Kubernetes service accounts, so this attack is also not possible.
D: More minutes, yeah. I want to give a shout out to Shriram. He made a change yesterday, I think in pilot, that was really helpful. So I guess I was recently stumped on that: when you create a service entry pointing to multiple hosts, you actually need to create a virtual service bound to your service entry, and it has been like an eye-opener. Oh my gosh, I had to do that even just to allow my microservice to talk to two of these cloud services. You have to actually do a virtual service in addition to the service entry, so that was stuff I was stumped on for quite a while. So I believe Shriram actually made a change yesterday; I'm still validating it as part of our automated testing, that eliminates the need for the user to create virtual services in that case, so they would just need to create a service entry which has multiple hosts.
A: Nope, okay, then I think we get five minutes back from our time, which doesn't happen often. Thank you very much to everybody, and thanks to Vadim for the presentation and to Shriram, who improved the service entry user experience, because that's what it is. And thanks for bringing this up; I think we should also do this kind of shoutouts when something's very nice, yeah. So thank you. All right, so happy testing 1.1 I guess, and hopefully, by the time we meet next time in two weeks, we'll have a very good release.