Solo at

Sometimes you go all in on the cloud; sometimes you need to sharpen that Edge a bit.

When pursuing Edge Computing, the largest considerations for adoption are:
– Ease of deployment
– Zero-trust security posture
– Resource allocation and consumption
– Telemetry and Observability
– Latency and application response times
– Resilience and reliability

Large enterprises in heavily regulated industries or the public sector must adopt practices like a zero-trust security posture both inside and at the edge of its application networks. They must simultaneously be able to determine application performance through telemetry, and mitigate issues. They need to ensure the resilience & reliability of the edge in the face of catastrophe, like a cluster or region failure.

What’s the right approach to meeting these conditions?

Enter Ambient Mesh, the perfect vehicle for meeting these challenges!

This talk dives into how Ambient Mesh offers a revolutionary data-plane architecture for Edge Computing. Ambient Mesh can configure both perimeter and internal proxies to deploy an enhanced security posture while slashing operational complexity and enabling incremental mesh adoption, all while reducing cost and computational overhead at the Edge.

Service-to-service security is the number one reason why platform engineers leverage a service mesh. When we worked on the initial implementations of Istio Ambient Mesh, a sidecarless data plane for Istio, security was a very top concern: we could not regress or make the mesh less secure from what we already get with a sidecar architecture. When we introduced Istio Ambient mesh back in the fall of 2022, we believe we made the right architecture decisions to preserve the powerful zero-trust properties of an Istio service mesh. In this talk we dig into the security posture of Istio Ambient Mesh sidecarless data plane and understand how we do mTLS, workload identity, and establish good security boundaries between an infrastructure and application world.

Istio ambient mesh introduces a new sidecar-less data plane mode designed for simplified operations, broader application compatibility, and reduced infrastructure cost. Sidecars and sidecar-less can co-exist with Istio ambient mesh. Lin, who is a founding member of Istio, will present how to integrate Argo Rollouts with applications running either Istio sidecar or without sidecar for traffic shaping. She will demonstrate using ArgoCD and Istio’s networking resource(VirtualService) to gradually increment the weights to slowly send traffic to a new version of your application automatically. While incrementing, she will show ArgoCD can monitor the prometheus metrics provided by Istio to ensure that the new version is performing adequately. If the metrics do not match the defined success criteria, Argo Rollouts automatically rolls back the version. She will show the power of ArgoCD rollout with applications running sidecars and sidecar-less with live demo.

GitOps has seen widespread adoption in the last few years due to the clear advantages over traditional CI/CD tools. However, with adoption comes the growing pains of scale: running and managing multiple clusters across different cloud providers represents a major hurdle for organizations wanting to adopt Kubernetes as a standard deployment platform. In particular, observability and security at scale are two thorny aspects that need to be addressed; we will demonstrate how it’s possible to tame the complexity of such scaled infrastructure via open-source tools, such as ClusterAPI, ArgoCD and Prometheus+Thanos to provide control and visibility over an arbitrary number of clusters. We will show a sample, created after our collective experience at large scale customers, which can automate the deployment of hundreds of clusters and applications automatically and securely, and collect metrics from all the ephemeral clusters along the way.

Join the maintainers of Istio to learn about the current ongoing efforts and future roadmap of Istio as we continue to make Istio more performant and secure by providing new deployment options with the Ambient architecture.