This schedule only shows sessions in English. See the full schedule here.

  • 16:00-16:50 UTC

    Welcome & opening keynote

    By Craig Box & Lin Sun

    Craig Box and Lin Sun, program chairs and Istio steering committee members, welcome you to IstioCon and discuss the past, present and future of Istio.
  • 17:00-17:40 UTC

    Using Istio to build the next generation 5G platform

    By Neeraj Poddar & David Lenrow

    Building the next fastest, secure and reliable 5G platform is challenging in its own right but doing that while modernizing your infrastructure and onboarding Cloud-Native Functions (CNFs) from multiple vendors can be a herculean effort In this talk, we will cover how Istio can be used in 5G platforms to achieve uniform security and visibility across these CNFs deployed in multiple clusters across different sites including edge. However, rolling out Istio at this scale brings its own challenges around lifecycle management, tenant isolation, identity management and visibility beyond metrics and traces.
  • 17:40-18:20 UTC

    I want to sketch a mesh for you

    By Christian Posta

    Virtual conference presentations lack the dynamic and expressive feeling of a live talk in so many dimensions, and explaining complex concepts can be difficult. Even in person, one of the best ways to convey problems, solutions, and architecture discussions is through diagramming and white boarding. As one of the authors of Istio in Action for Manning Publishers, I’ve gone through many refinements of diagrams to help explain Istio. In this talk, we’ll use live diagramming, architecture sketches, demos and no slides, to illustrate how best to get started with Istio and iteratively adopt it into production.
  • 18:20-18:45 UTC

    Istio Service Mesh at Enterprise Scale

    By Jason Webb & Vrushali Joshi

    In order to support modern, responsive, real-time experiences across thousands of microservices, at Intuit we needed a solution for high-performance networking at scale. We began to accept that the limitations of our Hub and Spoke API Gateway model would be impossible to patch. With a significant move to Kubernetes within the company and with Service Mesh technologies on the near horizon, we began the journey to bring Service Mesh to our enterprise.
  • 18:30-21:00 UTC

    Workshop: Using Istio

    By Lee Calcote & Abishek Kumar

    This workshop introduces service mesh concepts and each aspect of Istio. Gain hands-on experience with this popular tool as you learn how to deploy and configure Istio alongside microservices running in Kubernetes.
  • 21:00-21:40 UTC

    Improving Security with Istio

    By Alex Soto

    As we start to go toward cloud-native infrastructure and build our applications out of microservices, we must fully face the drawbacks and challenges to doing so. One of the most important aspect is securing (authentication and authorization) the services correctly. In this session, we’ll show how Istio can simplify your security model when adopting (micro) services architecture. We expect most developers haven’t adequately solved for these issues, so we’ll take it to step by step and build up a strong understanding of Istio and how it is used to secure the service mesh.
  • 21:40-22:20 UTC

    What Envoy Hears When Istio Speaks

    By Rob Salmond

    Istio listens to Kubernetes and speaks to Envoy. We will explore these conversations and learn to understand what’s being said.
  • 16:00-16:25 UTC

    Going dynamic with Envoy at Atlassian

    By Nicolas Meessen

    Atlassian has been deploying Envoy to the compute nodes of its internal PaaS over the past 2 years to simplify service-to-service communication for internal developers. Today we deploy Envoy with static configuration and we want to take advantage of dynamic features like client-side routing, direct communication, and fault injection. We decided Istio was the best choice to deliver this over the next year. We’ll talk through Atlassian’s journey with service-to-service communication, Envoy and the evolution of our home-grown control planes, then walk through the analysis that led to Istio being the best decision for Atlassian’s business moving forward.
  • 16:25-16:50 UTC

    The good, the bad, and the meshy: a journey adopting Istio across 100 clusters at T-Mobile

    By Joe Searcy

    This is a story of struggle, tradeoffs, and triumphs. Istio, as you may know, is a mission-critical piece of software for securing and connecting microservices across platforms. However, it can be daunting to introduce, operationalize, or adopt it successfully. In this talk, we dig into T-Mobile’s journey of adopting Istio across 100+ clusters to support microservices for fraud detection, billing, sales and APIs across many teams. The journey was not all rainbows and unicorns.
  • 17:00-17:40 UTC

    Getting Started and Beyond: Istio Multicluster with GitOps

    By Ryota Sawada

    Istio documentation covers many scenarios how you can start up Istio and get your hands dirty with its offerings. Things become a bit more tricky when it involves multiple clusters, and even more complicated when there are other Open Source projects you need to deal with. The presentation will be mainly driven by demos. The first demo will be based on simply starting multiple KinD clusters locally, and get Istio offerings in action.
  • 17:40-18:20 UTC

    Developing & Debugging WebAssembly Filters

    By Idit Levine & Yuval Kohavi

    WebAssembly filters allow users the power to extend and customize Istio to their liking. But how do organizations actually develop them? Tooling exists for traditional software development, but established methods and tooling are difficult to come by in the emerging WebAssembly ecosystem. In this talk we will attempt to answer the following, based on our experience working Istio + WebAssembly in customer environments for over one year: How do we write WebAssembly filters?
  • 18:20-18:45 UTC

    Large scale data ingestion using Istio/Envoy

    By Animesh Chaturvedi

    This talk will share the experience of building a data lake using Istio / Envoy. This talk will cover why we selected Istio for building a data lake in early 2019. Our journey with Istio and go in depth the challenges we ran into scaling the ingestion pipeline to scale to process several hundred tera bytes a day.
  • 18:30-21:00 UTC

    Istio Multicluster Workshop

    By Denis Jannot & Christian Posta

    This workshop is based on Istio and Gloo Mesh. Each participant will have a dedicated VM and we will go through diferent labs.
  • 21:00-21:40 UTC

    Extending Envoy with WASM from start to finish

    By Ed Snible

    This talk is for every engineer interested in creating traffic management and telemetry capabilities for the mesh itself. Istio has offered extensibility through WebAssembly since 1.5. User code, running in the sidecar, can implement custom traffic management and telemetry. No Istio control plane access or special builds of the sidecar are needed. C++ and JavaScript developers can write, compile, deploy and test extensions quickly, with just a bit of Istio EnvoyFilter YAML on their clusters.
  • 21:40-21:50 UTC

    Local Istio Development

    By John Howard

    This talk will walk through how to run Istio locally to improve development velocity, where “local” includes various combinations of local Kubernetes cluster, local docker registry, running Istiod as a local binary (and in a debugger), and running the proxy locally.
  • 21:50-22:00 UTC

    How all devs use Istio Security without knowing Istio

    By Isan Rivkin

    At SimilarWeb we use Istio in all of our Kubernetes clusters and utilize Istio’s Authorization and Authentication policies for each service. As a small production engineering team, we wanted to let our developer’s full autonomy for writing new services with Helm without needing to know Istio internals. To solve that problem we abstracted Istio completely inside a generic Helm chart for common use cases. For more complex cases create a MutatingWebhook in k8s that reads annotations from the deployments and configures the deployment to support all Istio related logic.
  • 22:00-22:10 UTC

    How Istio helped us investigate failures on our microservices

    By Shota Shirayama

    We introduced Istio on our microservices. Istio’s logs, metrics and features are very helpful for us to investigate in detail in case of failures. One day we had big trouble due to a node failure, and it was very hard to find the root cause about why our application had not been recovered automatically. At that time, we finally found the root cause of it on our application logic thanks to Istio and we could reproduce the same failure on development environment with Istio as well.
  • 22:10-22:20 UTC

    Simple Certificate Management (Using ECC Working Certificates)

    By Jacob Delgado

    There are numerous environmental variables that can be used to control the behavior of Istio. Environmental variables in Istio are considered experimental and there are no guarantees they won’t be removed in future versions of Istio. In this talk, we will explore a few related to certificates used for inter-workload communication within your service mesh: Some of the pilot-agent environmental variables related to certificates How to toggle them during installation using istioctl and helm
  • 16:00-16:50 UTC

    Istio Project Roadmap

    By Neeraj Poddar & Louis Ryan

    Neeraj Poddar and Louis Ryan from the Istio technical oversight committee, lead an update on the development of the project and the roadmap for 2021.
  • 17:00-17:40 UTC

    Taming Istio Configuration with Helm

    By Ryan Michela

    Helm. It’s not just for installation anymore! In this session, we re-introduce Helm as a powerful tool for automating Istio day-two administrative tasks. Using Helm, we can completely rethink Istio management by creating a domain specific language for Istio configuration. Helm lets us build a simplified facade over Istio, allowing developers to more naturally express their intentions as code instead of forcing them to think in Istio CRDs. In this session we will look at four common Istio configuration patterns, and explore how Helm dramatically simplifies their use.
  • 17:40-18:20 UTC

    Know your peers

    By Alex Van Boxel

    It’s lonely in your pod, but finally, you receive that long-awaited knock on the port… but can you trust that inbound request? This session dives into an essential aspect of a service mesh: trust. We’ll dive into how certificates work into Istio, use peer authentication, and explain concepts like SPIFFE identifiers. Peer thrust can also be leveraged in the application architecture. A mesh is not only for cluster administrators but also for architects and developers, making it well worth to highlight those patterns.
  • 18:20-18:45 UTC

    Sberbank Story: moving Istio from PoC to production

    By Igor Gustomyasov & Maksim Chudnovskii

    50+ On-Premise Kubernetes Clusters in a Private Cloud, 500+ Compute Nodes, 10+ Istio Meshes, and 2 years of joint efforts with IBM. This is Sberbank’s journey from the technology preview stage to a production-grade Istio mesh installation. Joint speech from IBM and Sberbank representatives will cover the history of their collaboration in detail: key faced problems and solutions, main architectural decisions, and plans for the future.
  • 21:00-21:40 UTC

    Deep Dive into Istio Auth Policies

    By Lawrence Gadban

    One of the primary benefits of using Istio is its comprehensive security model, which enables users to express complex authentication and authorization policies for the services running within their mesh. While these security features are commonly used, they can cause confusion and are frequently misunderstood. This talk will explore the security mechanisms available in Istio and will dive into how these policies are translated from high-level user-facing configuration to runtime policies in the various Envoy proxies that comprise the Istio data plane.
  • 21:40-21:50 UTC

    5 tips for your first contribution

    By Albert Sun

    A first commit to can be daunting and there is a large amount of learning and commitment required to contribute to By presenting my experiences, I want to encourage both people familiar and unfamiliar to Istio, to contribute. I also hope to give some insight on the PR process for contributing to, and show some relatively easy first commit examples. I found a home in the Docs WG, and I hope to help introduce others to this community by helping with their first commit.
  • 21:50-22:00 UTC

    Your laptop as part of the service mesh

    By Lorenzo Fundaró

    In this talk, we will show how we used Istio’s EnvoyFilter to dynamically route requests from our QA cluster to a developer’s laptop and back. This networking hack significantly eased development, especially when running end-to-end tests and helped us reduce infrastructure costs.
  • 22:00-22:10 UTC

    Kubernetes Operator to manage rate limit istio configurations

    By Santiago Núñez-Cacho

    Wouldn’t it be great to have an easy way to dynamically, via istio, limit the traffic to a service in Kubernetes? Figure out you have one or more ingress gateways for the incoming requests, and you want to limit the requests from a single IP, or to limit requests with an specific http header in an specific amount of time. With this operator you just have to create and deploy a simple Custom Resource (CR) with your desired rate limit configuration.
  • 22:10-22:20 UTC

    Prepping the sails for a ship-shape Istio Release

    By Eric Van Norman & Brian Avery

    Another Istio release is out! You may be nervous, but we have been continuously improving our release qualification process to hopefully ease your concerns. In 2020, we collected feedback and used it to focus on producing higher quality and more consistent releases. We created a Definition of Done to determine what it means for releases and features to be considered stable. This has led to release notes tooling, standardized feature maturity levels and release gates.
  • 16:00-16:25 UTC

    Airbnb on Istio

    By Weibo He & Stephen Chan

    In this presentation, we will walk through Airbnb’s Istio Journey - why we needed a modern service mesh, how we vetted Istio as the solution, where we are today, the lessons we learnt along the way, and our future plans. We will cover topics including: Airbnb’s multicluster/cell setup, problems we ran into/ideas for UX improvements Airbnb’s upgrade setup for gradual rollout of newer versions of Istio Airbnb’s test pipeline for vetting features we care about How we handled k8s & mesh expansion in a consistent philosophy How we approached migration (zero downtime, no regression) Airbnb’s learnings/pain points/future expectation with Istio Current areas of open discussion - come talk to us more about this
  • 16:25-16:50 UTC

    The Salesforce Service Mesh: Our Istio Journey

    By Pratima Nambiar

    Istio and Envoy are foundational building blocks of the Salesforce Service Mesh. This presentation walks you through our service mesh journey. I will briefly talk about why we chose the service mesh design pattern, how we initially built it using envoy and our in-house control plane and our subsequent pivot to Istio. I will discuss how we are currently leveraging Istio and our plan to increase adoption of Istio to further enhance our Service Mesh platform.
  • 17:00-17:40 UTC

    How to manage any layer-7 traffic in an Istio service mesh?

    By Huabing Zhao & 阳 唐

    Traffic management is probably the most used feature of Istio. However, handling layer-7 traffic other than HTTP and gRPC can become challenging in an Istio service mesh. In this session, I’ll discuss a few possible approaches to extend Istio’s traffic management capability to other layer-7 protocols such as Dubbo, Thrift, TARS, Redis, MySql, MongoDB, etc. I’ll introduce Aeraki, an open-source project that provides a framework to allow Istio to support more layer 7 protocols than just HTTP and gRPC.
  • 17:40-18:20 UTC

    Istio Debugging: Finding and Fixing Issues in a Multi-cluster Service Graph

    By Scott Weiss & Eitan Yarmush

    Istio has some basic tooling to facilitate request troubleshooting, but it has something much more powerful at its core: Envoy proxy. When requests in the mesh start failing, Envoy is the definitive source for debugging information as it has a wealth of telemetry and logging that can be enabled to pinpoint problems along the request path. Trouble with certificates? Incorrect headers? Connection pooling or upstream errors? Un-routable request? In this talk, we’ll look at how to build a repeatable and automatable set of tools to quickly debug a request path across multiple hops and potentially across multiple clusters and Istio control planes.
  • 18:20-18:45 UTC

    Istio Adoption: Planning for Success & Problem Solving

    By Geoff Flarity, Jan Zantinge & Liam White

    As service mesh gains wider adoption, more and more companies are looking to bring Istio to their organization. Istio will impact many teams, from operations to developers, and it’s important that they are well equipped. First you’ll hear a success story from the Square Cash team, who decided to move to Istio from Square’s homegrown Envoy service mesh. They’ll discuss why it was the right move for them, how they executed the move, and what they’d do differently if they were to do it a second time.
  • 18:30-21:00 UTC

    Istio Cookbook: Kiali Recipe Workshop

    By Lucas Ponce

    Kiali is a management console for Istio. It provides dashboards, observability, configuration and validation capabilities. This workshop will walk you through practical examples of Istio using Kiali.
  • 21:00-21:40 UTC

    Istio Product Security Working Group - What is it and why it’s important

    By Jacob Delgado & Brian Avery

    The Istio Product Security Working Group operates behind a bit of secrecy given the nature of the group’s work; mostly triaging security reports and threats. In 2020, there were over 11 security bulletins released that spanned from Istio 1.3 to Istio 1.8. In this talk, we will explain why the group was created, how it operates, and its mission to make Istio more secure. Namely, we will discuss: A brief history of how the group was formed Why it was necessary for the group to be created A look at Istio security vulnerabilities in 2020 How we triage security reports and fix them Pro-active measures the group is working on to make Istio more secure Please join us to learn about the responsibilities of the Product Security Working Group and how to stay informed about the security of your environments.
  • 21:40-21:50 UTC

    Istio as an API Gateway

    By Md Zannatul Ferdous Shourove

    Istio is the most popular Service Mesh. But API Gateways are also very important components in the Cloud Native mix. But if you go for a completely separate tool for API Gateway requirements and for other stuff use Istio, then you effectively have to maintain two different tool and build the expertise in your team for two different disciplines. But Istio can take care of almost all your API Gateway requirements(except for a few).
  • 21:50-22:00 UTC

    Kubernetes Gateway APIs and the future of Istio networking APIs

    By John Howard

    This talk will describe the new Kubernetes Gateway API being developed by the Kubernetes SIG Network as “an evolution of the Ingress API”, and how this will impact Istio.
  • 22:00-22:10 UTC

    Automate mTLS communication with GoPay partners with Istio

    By Zufar Dhiyaulhaq & Vijay Dhama

    One of our main goals in GoPay is to automate mutual TLS communication between GoPay and our partner. We will share how we decide to use and manage Istio, change the configuration to suit our mTLS use cases, how we adapt Istio changes related to mutual TLS, and how our central certificate is managed, and how to set up automatic mutual TLS communication with Istio Egress TLS origination and Istio Gateway.
  • 22:10-22:20 UTC

    Redis TLS Origination with the sidecar

    By Sam Stoelinga

    So you’ve actually done security well and are using an external Redis provider that only allows TLS to talk to it. You could simply configure each of your applications to use TLS from the application pod or you can use Istio to handle the TLS part. This lightning talk demonstrates how to use Istio to do TLS origination for Redis (TCP) using the sidecar instead of the egress gateway.
  • 16:00-16:25 UTC

    FICO's Istio Journey

    By Jeet Kaul

    FICO started it’s mesh journey in 2019, picking up Istio at 0.8. It’s been a bumpy road! Istio has matured a lot in that time, and the organization’s deployment and usage of Istio has matured significantly too. Jeet, a VP of Engineering at FICO, will walk through FICO’s journey with Istio from 2019 to today, discussing why they chose Istio initially, some of the growing pains they experienced, and what business goals they’ve been able to achieve because of Istio.
  • 16:25-16:50 UTC

    Istio at scale: How eBay is building a massive multitenant service mesh using Istio

    By Sudheendra Murthy

    Managing a service mesh that spans hundreds of thousands of containers across the globe is no easy feat. At high scale, achieving fast configuration convergence time to thousands of proxies, while limiting the CPU & memory utilization of control-plane & proxies is a challenging problem. This talk describes eBay’s initial journey into building a scalable service mesh that provides the traffic management, load-balancing, security and observability features at scale leveraging Istio.
  • 17:00-17:40 UTC

    Debugging Istio within the Department of Defense

    By Nick Nellis & Adam Toy

    Since the release of Istio 1.0, a major development effort has been spent on making it easier to use. Whether you are already running Istio in production or trying it out for the first time, it’s important that you know about the latest and greatest when it comes to debugging and maintaining istio. Adam Toy from the Department of Defense will walk you through how the USAF’s Platform One program is utilizing Istio to establish a zero-trust PaaS infrastructure, as well as some of the new things Istio has to offer in terms of debugging and maintainability he has learned along the way.
  • 17:40-18:20 UTC

    The benefits of integrating Apache Kafka with Istio on Kubernetes

    By Sebastian Toader & Zsolt Varga

    During the past several years Apache Kafka emerged as the default enterprise message bus. With Istio on its own way to becoming the service mesh “standard” within the enterprise, running a Kafka cluster inside a mesh became a frequent requirement. We’ve been running Kafka over Istio for a few years now, and in this talk, we’d like to share our experience, the common problems and eventually the benefits that led us to make this integration possible.
  • 18:20-18:45 UTC

    Moving large scale consumer e-commerce Infrastructure to Mesh

    By Rajath Ramesh & Harshad Rotithor

    In this session we will cover Previous Setup: High level overview of setup focussing on external and inter-service/component communication where we mainly used Nginx, HAProxy and Envoyproxy. Challenges and Improvements: Briefly cover the challenges and improvements which essentially was translated into set of requirements Istio Onboarding and Integration: How Istio covered our requirements and steps we took and tools we built/used to on-board micro-services and manage the mesh setup. We will also cover the challenges involved in migrating, solutions derived and learnings gained.
  • 18:45-19:10 UTC

    Istio is a long wild river: how to navigate it safely

    By Raphael Fraysse

    At Mercari, we have few hundreds of services running in Kubernetes. We spent the last year and a half trying to integrate Istio in our microservices infrastructure at scale, with many trial-and-error and lessons learned. This presentation will explain what is making Istio a long wild river and how we managed to navigate it. It will focus on several aspects: Stabilizing Istio Adopting Istio Running Istio By sharing our learnings, we hope to make Istio a long quiet river for the community.
  • 19:40-20:20 UTC

    Leveraging Istio to Reduce Engineering Effort for API testing

    By Venky Ganti & Rahul Lahiri

    Microservices applications rely on complex interactions among services. Engineering teams must create API tests with API mocks to shift testing left. Current approaches to mock creation are manual, which is expensive and inefficient. We illustrate how Istio can be leveraged to significantly reduce engineering effort necessary for API testing. API tests can be built using the following Istio capabilities: Dynamic deployment of Envoy filters to capture relevant examples of API requests and responses.
  • 20:20-21:00 UTC

    Better External Authorization

    By Yangmin Zhu

    I will talk about the better external authorization feature in 1.9 that allows users to easily integrate Istio with external authorization system (e.g. OPA, OAuth2). The better external authorization is the latest improvement that solves a much wanted customer request for better extensibility in the authorization policy. This feature makes it possible and greatly improves the user experience of many critical use cases, for example, integrate with industry standard auth mechanism (e.
  • 21:00-21:10 UTC

    Optimal Canary Deployments using Istio and how it scores over Spring Cloud and Kubernetes

    By Archna Gupta

    This talk will walk through canary deployments process and how to achieve the same using Kubernetes service orchestration or Spring Cloud Gateway focusing on the limitations of these approaches and how Istio overcomes these limitations. Spring cloud Gateway or Kubernetes LoadBalancer service or Ingress controllers only supports the edge service routing and not Internal routing from edge service to another service in cluster. This is where Istio virtual services and destination rules come to rescue – this talk with elaborate further on how Istio provides an optimal solution for canary releases in this scenario.
  • 21:10-21:20 UTC

    Extending Engarde to Bridge the Gap Between Istio Access Logs and Envoy's Documentation

    By Gregory Hanson

    Istio allows users to enable Envoy access logs. These logs provide extensive information and are one of the first steps in diagnosing networking problems in a service mesh. Engarde is a tool which parses Istio access logs into easily readable JSON objects. With Engarde, you get the log field names, but to the average user there are still some knowledge gaps that require a hop over to Envoy’s website to understand what is shown in the logs.
  • 21:20-21:30 UTC

    Building resilient systems inside the mesh: abstraction and automation of Virtual Service generation

    By Vladimir Georgiev

    Istio’s Virtual Service API provides a language agnostic way of implementing graceful retries on failures until a timeout budget is exhausted. Precise timeouts and retries per endpoint result in better performance. Having hundreds of gRPC services means there will be as many YAML files to be configured, tested and managed, however. I will explain how we built a scalable way of managing retries and timeouts across the service mesh per service per RPC.
  • 21:30-21:40 UTC

    Building Platforms with Istio

    By Murugappan Chetty

    Optum is one of the early adopters of Istio and its been used in a number of use-cases within the organization. In this presentation, Murugappan Chetty of Optum will go over the platform that they built with kubernetes, Istio and knative, where internal users run their workloads. Audience attending this session will get to know about Istio features leveraged by the platform like, security, observability, traffic routing, client libraries, external dns etc.
  • 21:40-21:50 UTC

    Closing remarks

    By Lin Sun

    Closing remarks for IstioCon with Lin Sun.