Solo at

Microservices can be complicated and difficult to manage. These complexities have given rise to a new solution called service mesh. This workshop explains how to get started with Istio by incrementally adopting Istio and observing the benefits that Istio service mesh brings to you. We will explore various functions and benefits that Istio provides to your organization.

Cilium is an open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.

At the foundation of Cilium is a new Linux kernel technology called eBPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because eBPF runs inside the Linux kernel, Cilium security policies can be applied and updated without any changes to the application code or container configuration.

Support for SPIRE (SPIFFE Runtime Environment), a production-ready implementation of SPIFFE, was introduced to Istio in 1.14. Thanks to Envoy’s SDS API, SPIRE can be configured as a source for issuing Istio workload identities. In addition to issuing strongly attested identities through a combination of different attestation mechanisms, SPIRE can also be integrated with existing PKIs, and allow the federation of different trust domains. These features offer support for diverse workload and node attestation options by using attributes from both the workloads and the nodes to create more granular identities compared to the traditional trust domain, Kubernetes namespace, and service account combination. To bring traditional VM workloads to the Istio service mesh, one must use Kubernetes concepts of namespaces and service accounts outside Kubernetes. With SPIRE, we can create identities based on the actual attributes of the VM workloads and the infrastructure they run on. Granular identities, extensibility in the form of plugins, and the ability to integrate with existing PKIs make SPIRE a powerful tool. In this talk, we’ll introduce the building blocks of SPIRE and look at several scenarios on how to integrate SPIRE into your multi-cluster and VM workload scenarios.

Service Mesh technologies are tools that enhance the micro-services deployments by adding monitoring, security, and resiliency, often operating on top of Kubernetes and using a sidecar model where a proxy is deployed within each pod to add these cross-cutting concerns, though recently, we are seeing a new challenger to the sidecar approach emerging, the sidecarless approach based on the revolutionary eBPF technology that is pushing the boundaries further and enabling the service mesh features (like monitoring) at the network layer. In the following session we will build a service graph in Grafana to track the interactions between multiple Kubernetes services, using metrics generated by an eBPF program created using an open source project called Bumblebee.

Istio is the most widely used service mesh platform in the world for large-scale production deployments. In September 2022, Google and Solo.io announced the release of the Istio Ambient Mesh to the community. Ambient offers a revolutionary data-plane architecture that allows service mesh users to ditch sidecars. It slashes operational complexity and enables incremental mesh adoption, all while reducing cost and computational overhead within a service mesh.

Injected sidecars can be replaced by two new components. First is a node-level zero-trust tunnel (ztunnel) that provides mTLS and Layer-4 capabilities. A service-account-level proxy called a waypoint leverages Envoy to deliver Layer-7 capabilities.

This talk will help you understand both the why and how of Istio Ambient Mesh. It includes a demo showcasing the new capabilities, including onboarding new services without sidecars and mixing Ambient with traditional sidecar-injected services. It will also provide pointers to further no-cost educational opportunities and user certification options.