►
Description
Featuring Louis Ryan and Lin Sun. Istio is changing the way Cloud Native developers think about Application Networking concerns such as Routing, Security, and Observability. Join Louis and Lin who both are members of the Istio TOC to learn the state of Istio. We will cover our ongoing efforts to make operating your service mesh boring with Istio and an exciting new model for running your data plane, reducing resource usage, and increasing control over CVE exposure with our ambient sidecarless topology.
A
A
A
B
Morning,
everybody,
my
name,
is
Lee
Ryan
I
work
on
istio
at
Google,
I've
been
with
the
project
since
before
it
was
a
project.
I
sit
on
the
TOC
in
the
steering
committee
of
istio
and
I'm.
Just
super
excited
to
be
here
today
and
to
talk
about
where
the
project
is
where
the
Project's
going
and
and
it'll
hear
from
some
of
you.
A
I
worked
at
the
issue
where
I
was
at
IBM
so
being
on
the
project
since
zero,
one
being
also
one
of
the
SEO
technical
oversight,
community
members
and
also
steering
committee
members.
In
the
past
we
wrote
a
book.
I
actually
wrote
two
books
about
istio,
so
one
book
is
is
still
explained.
Well,
I
was
at
IBM,
and
this
week
we
brought
a
lot
of
books
about
istio
ambient
explained.
So
hopefully
some
of
you
will
get
our
books
with
Christian.
A
A
And
then,
if
you
look
at
the
istio
perspective
and
how
users
are
using
SEO
or
evaluating
in
istio,
you
can
see
it's
very
high,
pretty
much.
Everyone
is
either
looking
at
using
SEO
or
they
are
evaluating
istio.
The
upgrade
survey
I
was
just
mentioning,
as
you
can
tell,
the
sentiment
is
improving.
The
user
starts
to
get
me
happier
and
happier
with
istio
upgrade,
which
is
really
great
to
hear
because,
as
a
community,
we
put
a
lot
of
focus
to
make
upgrades
easier.
B
A
This
is
a
result.
Downloading
the
Google
Cloud
you
can
see,
skip
version
is
upgraded,
upgraded
was
from
15
to
19,
it's
more
and
more
users
are
leveraged
skip
version.
So
that's
what
we
call
revision
based
upgrade
where
you
can
upgrade,
for
instance,
from
it's.
Your
1102
is
your
112
by
not
going
one
version
at
a
time.
The
adjacent
upgrade.
A
A
A
So
that
was
good,
so
check
it
out
if
you're
interested.
So
if
you
did
a
performance
evaluation
of
istio,
LinkedIn,
tumor
and
console
connect
now
next
I
want
you
to
talk
about
istio
ambient.
So
where
is
your
ambient
service
measures
alongside
September
7.?
There
was
huge
huge
excitement
in
the
community.
Yes,
because
he
actually
put
out
that
tweet
for
the
istio
project.
A
A
Yes,
everybody
most
of
you
excellent.
So
we
were
super
super
excited
about
that
too.
Now,
I
want
to
quickly
talk
about
things
for
the
upcoming
years.
You
guys
don't
know
for
it's.
Your
project
would
be
focused
on
day
two
operation
to
make
user
easier,
with
upgrade.
Keep
the
lights
on
to
be
able
to
operate
the
istio
on
a
larger
scale
make
the
second
goal
we
have
is
also
make
ambient
production
ready.
A
So
if
you
talk
about
ambient
briefly,
MBA
right
now
is
in
an
experimental
branch
in
the
SEO
projects,
so
as
a
community
we're
working
very
very
actively
to
identify
the
future
gaps,
the
box
that
we
can
merge
ambient
to
master
branch
of
istio,
so
we
can
have
image
in
official
release
of
istio.
So
one
of
the
primary
goal
is
to
make
ambient
production
ready.
So
you
guys
can
long
ambient
in
your
environment.
So
as
part
of
the
continued
to
operation,
we're
going
to
continue
to
focus
on
upgrade
troubleshooting
improve
extensibility
on
Improvement,
Horizon,
plugging
I.
B
B
B
So
why
why
ambient
so
I'm
going
to
assume
that
most
of
you
here
have
run
a
service
mesh
in
production
or
are
working
on
companies
where
service
meshes
are
used
in
production?
And
so,
if
you've
used
a
service
mesh-
and
it
doesn't
really
matter
which
one
you
use
today-
they
all
run
on
a
sidecar
model
right
and
you'll
find
a
variety
of
different
issues
with
the
sidecar
model
right
that
I
have
had
a
lot
of
personal
experience
with
over
the
last,
you
know,
say
five
years,
and
they
definitely
have
issues
right.
B
Kubernetes
does
not
make
it
easy
to
run
inside
cars
in
production
right,
there's
an
actually
an
abstraction
in
kubernetes,
four
sidecars,
or
things
like
that,
and
nor
is
there
likely
to
be
one
anytime
soon,
that's
going
to
make
it
easier
for
us
and
because
sidecar
is
right,
we're
injecting
a
piece
of
code
into
every
single
pod
that
you
run
in
your
system
right.
It
creates
a
lot
of
life
cycle
and
maintenance
issues
for
us
right
when
we
have
to
reserve
a
certain
amount
of
CPU
for
every
Sidecar.
B
If
it's
on
you
underutilized
right,
and
so
you
probably
go
look
in
your
fleets
right
and
you
see
how
much
CPU
or
memory
is
being
reserved
by
side,
cars
right
and
then
you
look
at
the
actual
utilization,
the
sidecars
and
it's
pretty
there's
a
lot
of
mismatch,
and
so
that's
that's
actually
a
big
problem
for
people
at
scale
right,
and
that
is
a
problem
that
we
need
to
solve
the
other
one
that
probably
most
people
are
familiar
with
is
anytime.
You
run
an
istio
upgrade
or
any
maintenance
operation
right.
B
You
need
to
roll
out
a
CV
fix
it
Envoy,
which
you
know
if
we're
being
reasonable
and
responsible
like
every
software,
will
have
cves
and
you
need
to
do
these
types
of
Maintenance
operations.
You
have
to
do
rolling
restarts
of
your
Fleet
and
that's
pretty
you
know
pretty
expensive.
It's
pretty
intrusive
into
your
operations
right,
it's
something
you
have
to
schedule
into
your
operational
calendar
and
you
know
if
you're
doing
Ops
you're,
probably
busy
enough
already,
and
you
need
one
last
thing
to
do
so.
B
How
do
we
get
to
this
world
where
the
mesh
is
more
transparent?
Right,
like
the
goal
of
service
mesh,
is
to
give
application
operators
the
policy
and
control
to
manage
their
applications
right
to
see
the
traffic
going
in
and
out
right
to
observe
it
to
implement
the
security
policies
and
to
devolve
that
control
down
to
individual
teams
right,
while
also
giving
administrators
and
operational
people
centralized
control.
At
the
same
time.
B
B
So
there's
there's
a
lot
of
work
that
goes
on
right.
When
istio
performs
a
sidecar
injection
right,
we
have
to
inject
it.
We
have
to
do
iptables
work
or
whatever
the
other
cni
is
doing
right.
You
know
this
there's
some
quirks
right
because
sidecars
capture
all
application
traffic
as
it
flows
over
the
network.
We
actually
sit
on
all
the
ports,
inbound
and
outbound
in
an
application,
and
there
are
lots
and
lots
of
different
applications.
B
So
we
have
to
know
the
difference
between
those
two
things
on
the
same
port,
and
this
starts
to
create
some
complications
for
traffic
detection,
and
you
know,
as
you've,
probably
seen
in
some
of
the
istio
blogs
and
the
instructions
right,
particularly
if
the
server
is
using
a
server
sends
first.
Protocol
right,
client
connects,
doesn't
send
any
bytes
service
and
the
first
piece
of
information
back.
It
creates
timing
problems
right
to
detect.
Oh,
is
this
mtls?
B
B
How
do
we
address
some
of
these
issues
and
probably
the
one,
the
other
one
you're
most
familiar
with
right?
The
enablement
profile
right?
How
do
you
go
about
enabling
the
capabilities
of
the
service
mesh
in
a
an
incremental
process
right?
So
we
talk
about
you,
know:
security,
observability,
traffic
control,
right
the
kind
of
three
fundamental
properties.
Most
people
want
to
adopt
those
in
some
order
of
those
features
right
like
a
lot
of
customers
today,
users
of
istio
today,
you
know
the
first
thing
they
want
to
get.
B
B
In
addition
to
that
I
assume
you
can
get
to
that
next
phase
right.
You
also
want
to
do
this
kind
of
team
by
team
within
your
organization
right,
mtls
or
not,
is
typically
an
operator
choice
right.
We,
you
know
the
company
have
decided.
We
must
use
mtls
in
production.
Okay,
everything
should
be
mcls,
but
the
next
step
up
you
don't
necessarily
want
to
be
doing
that
Fleet
wide
right,
you'd
like
to
like
to
be
doing
this
in
an
incremental
fashion.
B
You
know
I'd,
like
this
team
to
start
doing,
L7
policy
controls
or
authorization
policy,
and
let
me
play
with
it
for
a
while
in
production.
Let
me
see
if
it's
helping
their
productivity.
You
know,
let
me
experiment
with
observability
and
things
like
that
at
L7
and
be
able
to
roll
that
out,
incrementally
maybe
team
by
team
instead
of
doing
this
big
kind
of
Fleetwood
thing
right
and
the
fact
that
those
features
are
all
coupled
together
makes
that
hard
today.
B
Are
you
happy
with
the
number?
Would
you
like
the
number
to
know
I
see
some
shaking
heads?
Yes,
so
we've
had
this
feedback
for
a
while,
and
you
know,
we've
done
a
lot
of
work
over
the
years
to
incrementally
improve
the
footprint
of
the
sidecar
based
solution
right.
We
put
a
lot
of
optimization
work
in
done
a
lot
of
work
with
the
envoy
Community,
but
there's
only
so
far
you
can
go
by
doing
sidecars
right.
There
are
just
physical
limits,
so
how
do
we
have
a
step
function
in
resource
cost?
B
Now
the
other,
the
advantage
of
the
Waypoint
proxies,
we
don't
have
to
have
one
per
pod
right.
Most
of
the
cost
and
complexity
that
you
know,
you're
actually
seeing
in
your
meshes
today,
is
because
of
the
cost
of
the
configuration
and
processing
for
L7,
not
for
L4,
and
so
the
L7
part
of
the
sidecar
dominates
the
resource
consumption
in
the
system
and
by
making
it
remote
in
the
network.
We
can
share
it
among
all
pods
that
belong
to
the
same
service
account.
B
So
if
you
look
at
ambient
mesh
today,
when
you
install
it
and
you
enable
an
L7
feature,
typically
you'll
end
up
with
one
main
Waypoint
proxy
for
each
service
account
and
if
you
look
in
typical
kubernetes
installations
right
most
kubernetes
installations,
they
have
one
service
account
per
namespace,
and
so
every
pod,
in
that
namespace
will
be
sharing
that
Waypoint
proxy.
And
so
you
get
order
of
magnitude
reductions
in
cost
for
L7
processing.
B
The
Waypoint
is
going
to
also
vertically
and
horizontally
scaled
right.
So
let's
say
you
have
10
000
pods
in
a
namespace.
Well,
probably
one
Waypoint
proxy
is
not
going
to
work
for
that,
although
Envoy
is
really
really
fast
right,
you
might
need
10.,
you
don't
need
a
thousand
right,
and
so
you
can
end
up
with
large
or
magnitude
reductions
in
cost,
particularly
for
really
really
big
services
right.
The
bigger
your
service
is
the
more
pods
it
has,
the
better
the
cost
saving
will
be.
B
B
So,
let's
start
with
the
the
Z
tunnels,
so
probably
the
first
thing
you
know
this
diagram
doesn't
really
make
it
very
clear
right.
The
Z
tunnel
is
running
one
per
node,
that's
a
demon
set
and
we
have
applications
on
each
node
and
Z.
Tunnels
are
providing
a
secure
mechanism
and
we
use
something
called
h-bone,
which
is
a
fancy
way
of
saying
we're
running
HTTP
connect
which,
for
those
of
you
who've,
worked
on
the
internet
over
the
last
20
years.
B
You
could
also
call
it
websockets,
it's
a
fancy
version
of
websockets
running
over
http
2.,
and
we
tunnel
all
the
traffic
through
that
and
you
can
make
that
go
very,
very
fast
by
the
way.
So
this
is
this
is
not
your
grandmother's
websocket.
There
is
a
tunnel
for
every
service
account
right,
so
this
is
not
done
at
the
level
of
the
node
right.
B
If
you
look
at
a
lot
of
other
cni
implementations
today,
like
that
create
ipsec
tunnels
or
other
forms
of
tunnels,
they
create
a
tunnel
between
each
node
and
the
identity
of
each
pod.
Running
on
the
Node
is
not
part
of
the
tunnel
security
properties,
so
we
create
one
for
each
service
account
pair.
So
we
can
strongly
authenticate
every
identity
in
the
network,
which
is
exactly
how
sidecars
work
today.
We're
not
changing
the
security
properties
of
how
bytes
flow
over
the
network.
B
Okay.
So
now
we
have
the
Z
tunnel
layer
and
you
can
just
start
this
up
and
all
traffic
can
flow
over
it
within
your
cluster
bmtls
and
you
have
no
L7
features
at
all
right,
and
so
you
can
go
to
that
first
step
very
easily
right.
There's
no
injection
into
the
applications,
no
need
to
do
pod
restarts
we've
done
demos.
You
know.
Certainly
I've
done
demos
for
customers
where
this
just
comes
up.
B
You
have
an
existing
cluster
you're
watching
with
wireguard
sorry
network,
we're
a
shark-
and
you
just
see
all
of
a
sudden
connections,
turn
into
mtls
connections
and
no
application
went
down
or
came
back
up
or
injection
happened.
It's
a
really
really
important
experience
from
the
developer.
An
operations
perspective.
B
Okay,
so
now
we
have
the
L7
stuff.
How
do
I
enable
it,
and
so
what
we
do
today,
the
recommended
practice
and
what
we've
done
is
you
create
a
Gateway
resource
inside
a
namespace
that
says
I'm
a
waypoint
and
that's
the
enablement
step,
so
we
actually
use
the
API
as
the
enablement
mechanism
for
the
mesh
right.
It's
not
injection
anymore
right,
it's
not
annotations
on
pods
and
none
of
that
weirdness
right.
B
B
B
Right,
so
this
is
kind
of
how
we
think
about
the
adoption
steps
all
right
most
mesh
users
right
want
to
start
with
those
L4
features
right,
particularly
if
they're
security
conscious
like
there
are
some
people
who
just
want
to
go
straight,
all
the
way
up
to
L7
and
no
problem,
but
if
you
only
want
A
reduced
set
of
features
right
because
you're
trying
to
you
can't
absorb
all
of
this
at
once
from
an
operations
or
developer
experience
perspective.
Now
you
actually
have
the
ability
to
do
this.
Incrementally.
B
B
How
about
observability
policy
control
all
right
so
pretty
evenly
split
among
each
of
the
three,
which
is
not
surprising
for
those
of
you
who
need
security?
Is
it
because
you
are
regulated
right?
You
must
meet
some
compliance
standards
to
have
something
in
production,
I
see
a
decent
number
of
hands,
and
so
this
is-
and
this
is
completely
non-optional
right,
like
you
have
no
choice.
B
B
So
part
of
the
reason
right
why
we're
using
H
bone
and
mtls
is
for
that
very
reason:
right,
there's
no
point
in
istio
shipping,
something
that
the
folks
in
the
room
would
just
have
their
hands
up,
can't
actually
bring
into
production
because
it
doesn't
meet
their
compliance
requirements
and
what
we're
seeing
in
the
industry
is
more
and
more
businesses
being
subject
to
compliance
right.
If
you're
in
the
financial
industry,
payments
processing
Insurance
HIPAA
right,
maybe
you
work
for
the
US
government
right.
There
are
all
these
regulations
that
you
must
comply
with.
B
So
each
bone
is
about
the
simplest,
most
interoperable
Network
that
we
can
come
up
with
right.
One
of
the
reasons
why
we
use
hcp
is
the
tunneling
mechanism
is
because
we
know
we
can
get
it
through
pretty
much
any
Edge
proxy
or
metal
box
proxy
that
exists
in
anybody's
corporate
Enterprise.
Today
you
know
they
don't
all
do
mtls
very
well,
but
because
of
websocket
and
HTTP
connect
and
the
internet
and
just
the
force
of
ACP
right.
B
It
is
a
really
good
interoperability
story
right,
so
we've
already
run
experiments
running
h-bone
through
large
Cloud
vendors
Edge
proxies,
and
we
can
make
this
work
so
there's
a
lot
of
value
in
interoperability
and
adopting
a
standard.
If
you
look
at
H
bone
today
right,
there
are
actually
ietf
standards
coming
out,
because
you
know
HTTP
connect
was
basically
for
doing
TCP
tunneling
within
the
ITF.
B
There
are
standards
coming
for
UDP,
tunneling
and
IP
tunneling,
and
so
you
will
see
istio
pick
up
support
for
those
standards
as
part
of
what
we
call
HBO,
and
today
we
run
HBO
and
over
http
2.
over
time.
You
can
expect
us
to
also
be
running
h-bone
over
quick.
We
don't
do
it
today.
There
are
some
performance
issues
with
quick
for
TCP
running
it.
Actually,
over
HTTP
2
is
faster,
and
that
has
more
to
do
with
the
operating
system,
low
level
bits
than
anything
really
fundamental.
B
And
again
so
we
just
will
be
standards
driven
the
whole
way
through
this
process,
and
that
will
enable
a
lot
of
interoperability
and
I.
Think
it's.
You
know
good
for
the
industry
as
a
whole.
If
service
mesh
is
not
just
istio,
you
know
focus
on
interoperability
at
the
security
level
right
because
we
can
enable
a
broader
ecosystem.
B
Okay.
So
where
are
we
today?
As
various
people
have
mentioned,
ambient
mesh
exists
in
an
experimental
branch
in
the
istio
project.
We
are
very
hard
at
work,
trying
to
get
that
Branch
merged
into
Mainline
and
be
able
to
ship
out
a
version
as
part
of
a
standard
istio
release.
Then
we
can
then
progress
that
to
Beta
the
z-tunnel
implementation
today
is
in
Envoy
and
I.
Think
it
showed
you
some
numbers
of
like
the
reduction
in
resource
costs
right
and
I
think
we
saw
3x
in
that
graph.
B
That's
based
on
the
current
implementation.
By
the
time
we're
done.
I
expect
that
to
be
closer
to
10x
right,
we
already
have
some
prototypes,
showing
even
more
significant
reductions
in
cost
and
if
you
look,
we
run
experiments
and
Analysis
over
some
of
our
larger
customers
at
Google,
and
when
we
look
at
their
profiles,
we
see
even
bigger
reductions
in
cost.
B
So
but
there's
still
a
lot
to
be
done
right.
We
have
you
know
optimization
of
the
Z
tunnel.
We
can
do
things
with
ebpf
to
accelerate
how
we
get
bytes
into
and
out
of
the
Z
tunnel,
and
that
has
will
have
benefits
for
the
speed
of
cryptography
and
things
that
we
do,
and
you
know
like
any
Alpha
software.
It's
not
super
stable.
B
Yet
you
know
if
you're
super
on
the
edge,
then
maybe
you
could
go,
try
it
out,
but
don't
try
and
take
this
into
production
right
now,
at
least
not
the
Open
Source
One.
But
we
do
expect
this
to
progress
extremely
quickly.
Just
speaking
from
Google's
perspective,
we're
extremely
motivated
to
get
this
done,
we're
working
very
hard
on
it
and
I
think
pretty
soon.
We
will
be
able
to
get
it
to
a
state
where
you
can
actually
start
to
try
this
in
production.
The
other
thing
that
we're
going
to
do.
B
We
talked
about
h-bone
a
little
bit.
We
will
put
H
bone
into
sidecars
right
so
that
we
will
make
sure
that
sidecars
can
interoperate
with
the
ambient
mesh
and
speak
the
same
protocol
right,
because
those
are
actually
two
independent
things.
So
you'll
see
that
go
into
the
sidecar
based
version
of
istio
and
just
roll
that
into
production
and
just
look
like
part
of
a
seamless
upgrade
actually.
B
Maybe
what
I'll
say
then,
if
we're
not
gonna,
do
a
q
a
here
I
will
be
hanging
out
the
istio
booth.
On
the
main
floor
of
the
conference.
We
actually
have
a
booth
now,
since
we
are
part
of
the
cncf
which
I'm
personally
very
excited
about.
So
if
you
have
questions
about
any
of
this
or
things
related
to
the
project,
just
come
find
me:
I'll
be
lurking.
There.
A
A
Yeah
same
here,
if
you
guys
ask
an
interesting
question,
we
definitely
have
the
ambient
book
to
give
out
to
yeah
and
Louis.
It's
awesome
to
hear
from
you,
and
it's
always
good
to
hear
you
know.
Google
is
also
top
priority
for,
from
Google's
perspective,
to
put
it's
your
ambient
in
production
and
which
is
same
as
solo.
What
it
was
just
talking
about,
so
thank
you.
So
much
Louie
give
us
an
update
and
let's
give
us
a
round
of
applause
for
the
project,
update
thanks.
Everyone.
B
Okay,
well,
you
know
thanks
everyone
for
having
me-
and
you
know,
thanks
to
edit
and
the
crude
solo,
for
inviting
me
along
I
always
like
to
talk
to
people,
and
you
know,
I
also
want
to
thank
solo
for
their
strong
partnership
in
in
open
source
right,
particularly,
you
know.
We
worked
closely
together
on
ambient
mesh
and
they've,
been
a
great
partner
to
work.