Join us at IstioCon 2022 for exciting news!

Rose Sawvel | April 04, 2022

Spring is here and that means event season is upon us. Get excited! Kicking things off is the 2nd annual IstioCon conference, Monday, April 25 to Friday, April 29. This year’s IstioCon is a virtual event designed to connect community members across the globe with Istio and the Istio ecosystem. Information will be shared through a variety of keynotes, tech talks, lightning talks, workshops, and roadmap sessions.

Highlighting lessons learned from running Istio in real-world production environments, at IstioCon 2022 you’ll find a large number of end users providing information about how they’ve approached and achieved great success using service mesh to create better experiences for their end users.  

IstioCon 2022 features intelligence shared by renowned Istio experts and maintainers from across the community and ecosystem. You’ll find sessions with Soloists who have been founding members of the Istio community since Istio’s early days, including current and former Istio Steering Committee and Technical Oversight Committee members Lin Sun, Christian Posta, Neeraj Poddar, Ram Vennam, Nick Nellis, and more.

Register here to get access to end user stories and sessions with leading Istio experts at IstioCon.

 

Twelve sessions you won’t want to miss at IstioCon 2022

The Solo.io team is excited to be participating in this year’s premier Istio conference and we’re thrilled to appear in a combination of 12 keynote talks, sessions, lightning talks, and workshops. Here’s where you can find Soloists at this year’s IstioCon:

 

External CA integration with Istio explained (Lin Sun, Josh van Leeuwen)

Monday, April 25, 12:40 pm EST

Most organizations already have their PKI system in place before they adopt Istio or any service mesh. There are a few approaches in the Istio community: plugging in your intermediate CA as secrets manually, using the istio-csr open source project, or leveraging the Kubernetes CA or the Kubernetes Certificate Signing Request (CSR) API. This talk dives into the approaches available in the service mesh community to tackle this challenge and the tradeoffs among them.

 

Lessons Learned on Multi-tenancy Controls in Istio (Alex Ly, Will McKinley)

Monday, April 25, 2:30 pm EST

As Istio adoption becomes mainstream within your organization, new challenges surrounding multi-tenancy and security across multi-cluster will naturally start to grow:

  • Which group owns what process/workflow?
  • Which cluster(s) does each policy affect?
  • How to provide control to some groups, while blocking access to others w.r.t. the mesh?
  • How does an administrator set this up in a secure fashion?
  • How can we stay informed about potential policy violations?
  • How can this be fully automated?

In this discussion, Will and Alex will discuss these topics in detail and review strategies and experiences tackling these challenges with some of the largest deployments of service mesh in the world.

 

What to expect when you install multiple Istio revisions in different namespaces? (Neeraj Poddar)

Tuesday, April 26, 11:35 am EST

Installing multiple Istio control plane revisions in different namespaces might be your first instinct to ensure better hygiene in production but you can run into unexpected challenges in doing so.

In this lightning talk, Neeraj will explore some of the hidden land mines that you might run into with this setup and how to best install and manage multiple Istio revisions safely in production.

 

Building simplified service mesh API for developers (Lin Sun, Ying Zhu)

Tuesday, April 26, 3:10 pm EST

One of the key goals of service mesh is to decouple developers and operators so that developers can continue to focus on writing code for their services, while operators add security, resilience, and policies to the services they manage. In the Istio community over the past few years, we have observed customers such as Airbnb, Salesforce, eBay, etc. building out abstractions over Istio for their developers. This talk will introduce these abstractions and compare them, along with the thought process behind the service mesh API for developers built at Solo and Airbnb.

 

Understanding the new Istio Telemetry API (Neeraj Poddar, Douglas Reid)

Wednesday, April 27, 12:00 pm EST

We introduced the new Telemetry API in v1.11, which provides a flexible and uniform way of configuring how telemetry is generated in the mesh. Since the initial release, we have made continuous improvements in functionality by adding support for various telemetry types and expanding to more providers. In this session, we will go over the motivations and use cases that drove the design of the new API and deep dive into the following aspects:

  • Inheritance and override semantics.
  • Provider selection and enabling multiple providers for any telemetry type.
  • How to easily add dimensions to Prometheus metrics, provide tracing configuration, and filter access logging at various scopes, from mesh-wide to a specific workload.

 

Sidecarless with eBPF or sidecar with Envoy proxy? (Idit Levine)

Wednesday, April 27, 1:20 pm EST

eBPF and service mesh both optimize the functionality around networking, observability, and security. Are they competing? Or complementary to each other? To what extent can eBPF play a role in a service mesh, and how does the role of the service proxy change? 

In this talk, we will dig into the role of eBPF for a service mesh data plane and some of the tradeoffs in terms of features, resource overhead, feature isolation, security granularity, and upgrade impact for various data-plane architectures: shared proxy vs. shared proxy per node vs. sidecar proxy vs. shared proxy per service account, etc.

 

Testing Istio’s Virtual Machine integration locally with Calico (Nina Polshakova)

Wednesday, April 27, 3:00 pm EST

Istio provides native Virtual Machine integration for legacy applications which requires IP connectivity to the East/West gateway deployed in the mesh, and optionally connectivity to the pod networking for enhanced performance.

In production deployments, the communication between Kubernetes nodes and non-Kubernetes nodes is often handled with sophisticated techniques like VPC or VPN, but on a developer machine your Kubernetes nodes may be running in a simulated environment such as minikube, k3s or kind. It can be tricky to test this locally on a developer setup. How can you test calls from a Kubernetes service locally to and from a service on a VM without using LoadBalancer type Kubernetes services – using only Cluster-IP or Pod-IP?

In this session, I will talk about challenges you may face in a developer setup and how using the Calico Networking Plugin enables you to develop VM integrated meshes without LoadBalancer services in both single network and multi network environments.

 

Virtualizing the Istio Sidecar (Christian Posta)

Wednesday, April 27, 3:50 pm EST

Istio derives the bulk of its power from Envoy proxy, which gets deployed as a sidecar to a running application. However, sidecar deployments are not the only way to achieve service-mesh capabilities. In this talk we discuss the work we’ve been doing to “virtualize” the Istio sidecar for our users by giving options for sidecar, service-account, shared-node, and even remote proxies and micro proxies.

 

A Field Guide for Safe Istio Upgrades (Ram Vennam)

Thursday, April 28, 3:50 pm EST

As a Field Engineer at Solo.io, the speaker helps organizations of all sizes install and upgrade Istio in production every day. What we already know is that there is no one-size-fits-all approach to perform upgrades. Enterprise platform owners and service owners maintain distinctive environments and Istio deployment models depending on their tenancy, security, and cost requirements. The varying risk tolerance for a potential downtime during an upgrade is another factor to consider. Developing a custom plan is often critical to address an organization’s unique architecture and constraints.

In this session, the speaker will outline the various upgrade strategies, their advantages and disadvantages, the gotchas that you need to watch out for, and most importantly – some best practices you can apply from day 1 to ensure successful upgrades in the future.

 

Join locally, learn globally (Nick Nellis)

Friday, April 29, 1:20 pm EST

Did you ever want to better understand how Istio enables some of its features such as mTLS, route manipulation or multi-cluster communication? With the help of istioctl you can look at how Istio configures Envoy and use that information to build your own local istio-proxy. Learning how Istio configures Envoy is not only good for debugging, but also enables you to do more complex routing like secure multi-cluster communication. In this session, Nick will explain how you can configure a local istio-proxy to connect securely to a cloud-based service mesh, all the while explaining concepts like PKI, mTLS, east/west routing, and request/response transformations.

 

Workshop: Multi-tenant Istio Service Mesh with Gloo Mesh (Adam Sayah)

Service mesh has emerged to solve the service-to-service communication challenges of microservices while presenting new opportunities for network traffic control, security, and observability.

Istio, the most popular service mesh technology, can also be used to secure cross cluster communication, but managing multiple Istio clusters can quickly become tedious, and raises new questions such as:

  • How should I deploy and manage the lifecycle of multiple Istio clusters?
  • Can my service meshes span across on-prem and cloud?
  • How can I allow multiple teams to share the same service meshes?
  • How can I set up global observability?

In this hands-on workshop, we will explore many Istio concepts (multi-cluster topologies, identity federation, authorization, and more) and demonstrate how Gloo Mesh can simplify the management of a complex heterogeneous service mesh with a particular focus on multi-tenancy.

 

More reasons to attend IstioCon

If all this great information isn’t enough for you to want to attend IstioCon, there will be plenty of open office hours, networking opportunities, and fun activities. We’ll also have some great offers in the virtual swag bag, including a chance to win a complimentary copy of Christian Posta’s (Solo.io Field CTO) newly released book, Istio in Action, plus digital copies of eBooks, white papers, and reports on topics ranging from service mesh comparisons to zero trust security and more to help you along your service mesh journey.

Also, we just wrapped up SoloCon 2022 in February of this year. Feel free to check out the replays from the event to access over 35 sessions about service mesh and application networking, community and open source, and edge and API gateways.
