This is the complete program of sessions for IstioCon 2022. Times appear in your local timezone.

You can also see the schedule in grid format.

Filter by language

Filter by track


State of Istio

by Lin Sun & Mitch Connors

An overview of the current state of the project.

Zero Trust with Istio

by Eric Brewer

It’s been clear for some time now that perimeter based network security is not sufficient to secure your application. Large enterprises have moved to a zero-trust model, where security is based on identity, rather than network location, and traffic is encrypted every time it touches the network, but the challenges to operating such a system can be overwhelming. How do you manage secure secret rotation at scale for every instance of every client and service?

Running Istio at Scale for a Secure and Compliant Cloud

by Lucas Copi & Rafael Polanco

This talk will discuss how IBM leverages Istio as the bedrock of its Cloud for Financial Services. Providing a performant, secure, and compliant control plane for its core systems. It will discuss the challenges and pitfalls encountered during adoption; the evolution of the deployment process and its impact on production environments; and the configurations needed to maintain scale and performance for robust systems. The goal of this talk is to provide insight into the IBM Cloud Istio journey and generate a discussion on what is coming next.

External CA integration with Istio explained

by Lin Sun & Josh van Leeuwen

Most organizations already have their PKI system in place before they adopt Istio or any service mesh. There are a few approaches in the Istio community, either plugging in your intermediate CA as secrets manually, or use the istio-csr open source project, or leverage Kubernetes CA or Kubernetes Certificate Signing Request (CSR) API. This talk dives into the few approaches out there in the service mesh community to tackle this challenge and the tradeoffs among them.

Managed service mesh as a distributed cloud service

by Gergő Huszty & Tong Li

The external control plane deployment model in Istio enabled some new use cases for mesh management. The ownership and the management of the control plane may belong to a completely different entity, other than the end-user. Leveraging this new model, a cloud vendor can create a cost effective, managed, multi-tenant mesh control plane, safely isolated from the mesh clusters. Behind the scene, the vendor can manage/scale/update the service with or without the user’s intervention.

Lessons Learned on Multi-tenancy Controls in Istio

by Alex Ly & Will McKinley

As Istio adoption becomes mainstream within your organization, new challenges surrounding multi-tenancy and security across multi-cluster will naturally start to grow: Which group owns what process/workflow? Which cluster(s) does each policy affect? How to provide control to some groups, while blocking access to others w.r.t. the mesh? How does an administrator set this up in a secure fashion? How can we stay informed about potential policy violations? How can this be fully automated?

Proxyless gRPC

by Sanjay Pujare

gRPC has been a popular choice for building microservices based service mesh architectures especially after the recent introduction of service mesh features such as service discovery, load balancing, mTLS for transport security, and observability which eliminated the need for sidecar proxies - like Envoy - in the service mesh. The introduction of these features in gRPC enabled a “proxyless service mesh”. Besides supporting Google’s Traffic Director proxyless service mesh product, proxyless gRPC also works with Istio because of the use of “xDS” - the industry standard and open protocol created by Envoy.

Istio at Splunk: How we learned to love it

by Bernard Van De Walle

Splunk is heavily using Istio for the last 3 years, using it as our baseline for network ingress, policy and authentication. This session will explore how we manage, install and operationalize istio at scale on more than 40 clusters across multiple regions and providers. We will describe in detail our journey, including the trade-offs that were taken into account before jumping into Istio as well as the lessons learned over time.

Workshop: Istio 0 to 60 Workshop

by Eitan Suez & Peter Jausovec

This workshop consists of a series of labs that together comprise a hands-on tour of Istio from 0 to 60, so to speak.


Istio Open Source Ecosystem Outlook From China(Istio 开源生态展望)

by Jimmy Song, Kebe Liu, Huabing Zhao & Ruofei Ma

This panel focuses on the development of Istio’s open source ecology and technology in China. We will do an in-depth discussion on the hot technologies and open source practices in the Istio field at this stage, such as ebpf, proxyless, custom protocol access, open source products and ecological development, etc. 本次圆桌会议聚焦于Istio在中国的开源生态和技术的发展,我们会对现阶段 Istio 领域的热门技术和开源实践做深入的探讨,例如 ebpf、proxyless、自定义协议接入、开源产品及生态发展等。

Zhihu‘s istio Journey

by 阳 唐 & 楚瑜 谢

In this presentation, we will talk about how we upgraded our microservices architecture by using istio in large scale clusters. Including: How to make istio managed services and our existing services communicate with each other. Use istio’s dynamic routing capabilities to implement sandbox functionality. Simplified the configuration management of istio by introducing a new CR (istiofilter) and implementing a new management console. Simplify the rate limit configurations by implementing a new CR.

The road to microservice for Database as a Service (DBaaS) via Istio

by Peng Hui Jiang & Huailong Zhang

Database as a Service (DBaaS) saw a significant growth YoY. One reason for the growth of DBaaS is explosive growth of data. The pandemic created strong data growth. However, well designed DBaaS systems tend to adopt a stateless, loosely coupled architecture, with efficient message passing to produce a scalable, stable and reliable service. In addition, serving for multi-tenants to reduce cost and provide highly availability and scalability is a important offering of DBaaS.

Tencent Music’s service mesh practice with Istio and Aeraki(Istio + Aeraki 在腾讯音乐的服务网格落地)

by Huabing Zhao & ChengQiang Wang

This session will introduce Tencent music’s service mesh practice with Istio and Aeraki. Including: How to extend Istio with Aeraki to manage the traffic of proprietary protocols Deep dive into Aeraki and MetaProtcol Proxy How Tencent Music leverage Istio and Aeraki to build a fully functional service mesh, managing both the HTTP and proprietary protocols 本场分享将介绍腾讯音乐使用 Istio + Aeraki 的服务网格落地实践,主要包含下述内容: 如何利用 Aeraki 来扩展 Istio 的协议扩展能力 Aeraki 和 MetaProtocol Proxy 的原理介绍 腾讯音乐如何使用 Istio + Aeraki 来构建一个管理 HTTP 和私有协议的全功能服务网格 References:

Flexible proxy configuration of service mesh under diverse workloads

by 阳 刘 & Lan Zhang

As the scale of the cluster managed by the service mesh grows and the needs of diverse business scenarios, the proxy configuration corresponding to each different workload will also be different. Although global configuration and Pod Annotation configuration can complete diversified settings, when the number of Pods increases, it becomes more difficult for user to manage the proxy configuration. In this topic, we propose a global, namespace-level, and workload-level approach to managing proxy configuration, compatible with Pod Annotation.

Use eBPF instead of iptables to accelerate the Istio dataplane(使用 eBPF 代替 iptables 加速 Istio 数据平面)

by Kebe Liu

Replacing iptables rules with eBPF to allow data being transported directly from inbound sockets to outbound sockets to shorten the datapath between sidecars and services.

Deep Dive TCP/IP Bypass with eBPF in Service Mesh

by Luyao Zhong

We have presented the basic idea of TCP/IP Bypass solution in IstioCon and IstioMeetup, currently we have our source code and image published. This topic is going to share the suitable scenarios, the performance data generated by different benchmarks and corresponding analysis, debug tools and the challenges of current solution.


Istio usage in 5G Core CNFs

by Faseela Kundattil & Ingo Meirick

In this talk we will discuss how Ericsson is using istio in its modernised 5G Cloud platform to onboard various Cloud Native Functions seamlessly and how our cloud native infrastructure evolution using istio is solving some of the problems in the areas of security, observability and traffic management. Integration of istio in an end to end 5G platform has come with its own challenges, and we would like to highlight the various conscious choices we had to opt in terms of tenant isolation, onboarding of legacy workloads, enhancing security, dual-stack enablement etc.

Istio: The Foundation for Zero Trust

by Varun Talwar

Join us for this message by Tetrate with an announcement of new tools available for the Istio Community as well as an overview of the Tetrate offering.

What to expect when you install multiple Istio revisions in different namespaces?

by Neeraj Poddar

Installing multiple Istio control plane revisions in different namespaces might be your first instinct to ensure better hygiene in production but you can run into unexpected challenges in doing so. In this lightning talk, Neeraj will explore some of the hidden land mines that you might run into with this setup and how to best install and manage multiple Istio revisions safely in production.

How I upgraded 3000 proxies in my sleep - and you can too!

by Mitch Connors

Keeping Istio up to date can be quite a chore. With monthly patch releases and quarterly minor releases, many users fall behind on upgrades, exposing their traffic to known CVEs and bugs. Upgrades can feel risky and unpredictable, with gateways acting as a single point of failure, and proxies upgrading unexpectedly. This talk will cover lessons learned at Google, where we have performed 1700 control plane upgrades and 3000 data plane upgrades on behalf of our users in the last year.

Istio Advanced Usecases

by Rama Chavali & Devesh Kandpal

Salesforce is onboarding several open source stacks onto Service Mesh. As part of that, we have been solving a lot of advanced usecases with the features supported by Istio. This presentation walks you through how we have used Istio features to onboard these open source stacks onto Mesh. This presentation specifically covers Hbase running in a Multicluster setup with Istio DNS Cassandra running in a Multicluster setup with Istio DNS Onboarding Trino RabbitMQ with K8s Peer discovery AWS services like Elastic Cache (with Auth support) and Postgres (with startTLS support)

Service Mesh Security Best Practices - From Implementation to Verification

by Anthony Roman & Lei Tang

In this session, we will start with an overview of service mesh security best practices, discussing the various aspects of security that must be considered when securing services with a mesh. Since the components of the mesh are also part of the environment, we will discuss methods to ensure the mesh itself is secure. Ultimately, we will zoom in on one aspect, considering the entire lifecycle of authoring, implementing, monitoring, and validating security policies at scale.

A beginner’s guide to following Istio’s security best practices

by Jacob Delgado

Following the Istio Security Best Practices page is a daunting task for newcomers to Istio. Even experienced operators have difficulty discerning where to begin. In this talk I will present an easy way for beginners to adopt Istio and settings/configuration based on my years of experience setting up and deploying Istio. Attendees will gain peace of mind knowing they can implement Istio securely according to established best practices.

Istio-redirector: the way to go to manage thousands of HTTP redirections

by Etienne Fontaine

Let your SEO managers handles HTTP redirections at scale on your mesh. istio-redirector is an open-sourced service built at BlaBlaCar to let our SEO specialist manages HTTP redirections during our SOA migrations. More than 20k redirections are now managed by our product team. Istio offers a great way to handle redirections at scale, in a distributed and cloud agnostic way.

Improving Rate Limit Experience for Developers in Istio

by Zufar Dhiyaulhaq

Managing Rate limit configuration in Istio is a tedious task since currently, we are setting up the EnvoyFilter object to configure the rate limit function. There are some drawbacks with this approach, developers need to understand very complex configurations within EnvoyFilter. Maintenance also becomes a problem because every time the infrastructure team wants to upgrade the mesh, Developers need to check if the rate limit configuration is working on the newer version of the mesh.

Apache APISIX from Gateway to Full Traffic Proxy with Istio

by Jintao Zhang

Apache APISIX is the world’s most active open source cloud-native high-performance gateway. In this session I will share how Apache APISIX works with Istio to evolve from a north-south gateway to a full-traffic proxy.

Building simplified service mesh API for developers

by Lin Sun & Ying Zhu

One of the key goals of service mesh is to decouple developers and operators so that developers can continue to focus on writing code for their services, while operators adds security, resilience, and policies to these services they manage. In the Istio community over the past few years, we have observed that customers such as AirBnb, Salesforce, eBay etc building out abstractions over Istio for their developers. This talk will introduce these abstractions, compare them, along with the thought process behind the service mesh API for developers built at Solo and AirBnb.

Auth Patterns: What to Use and When

by Aaron Teague

One of the great things about Istio is that it provides a solid mechanism for service to service auth within a mesh using mTLS and AuthorizationPolicy But what if the thing accessing your services is not in the mesh. What if it’s a person and not a process? What if it’s a customer instead of an employee in your organization? Suddenly, the options and tools to fulfill them become overwhelming. Let’s break down our patterns and tools to determine which to use and when.

Workshop: Hands-on practices for Controlling Kubernetes Native Apps with Service Mesh

by Daniel Oh

This hands-on lab will showcase how the Istio Service Mesh allows developers and IT staff to gain a deep understanding of their Kubernetes native applications based on Quarkus and Spring Boot.


Istio roadmap update

by Louis Ryan & Eric Van Norman

Istio roadmap update.

Istio Today and Tomorrow - 5 Important Things (presented by

Join us for this short message where will share their perspective of where Istio is today and where it is headed.

Understanding the new Istio Telemetry API

by Neeraj Poddar & Douglas Reid

We have introduced the new Telemetry API in v1.11 which provides a flexible and uniform way for configuring how telemetry is generated in the mesh. Since the initial release, we have made continuous improvements in functionality by adding support for various telemetry types and expanding to more providers. In this session, we will go over the motivations and use cases that drove the design of the new API and deep dive into the following aspects:

On-demand Developer Environments in Mesh based Infrastructure

by Rajath Ramesh & Edward Samuel Pasaribu

In a micro-service architecture - development and testing changes, in a service or set of services involved in a feature, without affecting stability of shared environments like staging, pre-prod, etc. is challenging. We are excited to share an approach to tackle it by spinning up a developer/feature environment on demand, which only contains a subset of services that have code changes. Traffic to other services and datastores, which are not in the developer environment, is routed to a shared environment.

Sidecarless with eBPF or sidecar with Envoy proxy?

by Idit Levine

eBPF and service mesh both optimize the functionality around networking, observability, and security. Are they competing? Or complementary to each other? To what extent can eBPF play a role in a service mesh? How does the role of the service proxy change? In this talk, we will dig into the role of eBPF for a service mesh data plane and what are some of the tradeoffs in terms of features, resource overhead, feature isolation, security granularity and upgrade impact for various data-plane architectures: shared proxy vs shared proxy per node vs sidecar proxy vs shared proxy per service account etc.

How WP Engine uses Istio to Accelerate Building Products

by Rahul Dhir

WP Engine has adopted Istio as a core technology for its internal microservices platform over the past 2 years, enabling internal engineers to ship products and features quickly and reliably. The platform has a multi-tenant architecture and uses various technologies such as containerized builds, GitOps deployments, and automated policy enforcement all in conjunction with Istio to meet our business and technical goals. The decision to implement an internal platform with Istio has revolutionized the way WP Engine ships software by minimizing the common cross-cutting concerns engineers have to consider in building their applications.

TLS Origination Best Practices

by Kenan O'Neal

Quick dive for beginners on TLS origination to improve security. This talk will focus on settings that may not be expected for new users with a focus on validating settings. I will touch on what settings Istio uses by default and how to configure Destination Rules to correctly check certificates.

Automate Istio Best security practice

by Jianfei Hu

Istio offers best security practice in its own blog. In this talk, we will show how a tool can make configuration scanning, offering suggestion to enhance the your configuration security. We believe such config analysis tool can make the best practice easier to consume and adopt for Istio users.

Testing Istio’s Virtual Machine integration locally with Calico

by Nina Polshakova

Istio provides native Virtual Machine integration for legacy applications which requires IP connectivity to the East/West gateway deployed in the mesh, and optionally connectivity to the pod networking for enhanced performance. In production deployments, the communication between Kubernetes nodes and non-Kubernetes nodes are often handled with sophisticated techniques like VPC or VPN, but on a developer machine your Kubernetes nodes may be running in a simulated environment such as minikube, k3s or kind.

API runtime Orchestration with Istio and OpenAPI 3

by Anil Attuluri & Siva Thiru

API-as-a-Product is an emerging concept in software development. Open API 3 enables faster and collaborative API development and its custom extensions can be leveraged to augment API contracts with additional functionality. Here at Intuit we built a system that uses Open API spec, Istio Service Mesh and other extensions to generate capability/orchestration APIs and dynamically generate the runtime for them. It includes K8s resource manifests and Istio VirtualServices for routing rules to enable faster API delivery.

Virtualizing the Istio Sidecar

by Christian Posta

Istio derives a bulk of its power from Envoy proxy which gets deployed as a sidecar to a running application. However, sidecar deployments are not the only way to achieve service-mesh capabilities. In this talk we discuss the work we’ve been doing to “virtualize” the Istio sidecar for our users by giving options for sidecar, service-account, shared-node, and even remote proxies and micro proxies.

Workshop: Manage and Secure Distributed Services with Anthos Service Mesh

by Christine Kim, Mike Coleman, Mathieu Benoit & Nim Jayawardena

Learn how to run distributed services on multiple Google Kubernetes Engine (GKE) clusters in Google Cloud Platform (GCP) using Anthos Service Mesh (ASM).


Our Way Improving Service Mesh Scalability

by Zhonghu Xu & Xue Leng

In this session Zhonghu and Leng Xue will share how their they improved istio scalability to 10 Million sidecars. They introduced an intelligent way to make istio aware of service connectivity, so istio and envoy can achieve lazy xds pushing, which saves more than 99% memory cost of sidecars. This solution is quite different from others and is more efficient and light-weighted, they have made it production-ready in Huawei Application Service Mesh.


by Yonka Fang

介绍istio中的服务/配置数据流转和推送的流程,分析该过程中的性能点和可能的性能瓶颈。 结合实际生产落地中的各场景,尤其是大规模服务数据/接入负载场景 遇到的性能问题来讲解解决思路,分享相关优化经验。

Istio multi-cluster traffic management speed up automobile company new business dev,deploy and ops

by Chaomeng Zhang & Liu Kexing

smart, a brand to fully transform from fuel vehicles to electric vehicles, is committed to exploring the best solutions for future urban transportation. On its IT infrastructure, cloud-native technologies such as Kubernetes and service mesh help simplify the technology stack, accelerate business innovation, and greatly improve the efficiency of new business development, deployment, operation and maintenance. In this meeting, Kexing and Chaomeng will share their multi-cluster practice in production environment. That is how Istio provides distributed traffic management across 10+ clusters in smart’s production and testing environments.


by 远科 韦

背景 蚂蚁集团运行着全球最大的 kubernetes集群之一。kubernetes 社区官方以 5K node 作为 kubernetes 规模化的事实标准,而蚂蚁集团在 2019 年的时候,就已经维护着单集群规模超过 10K node 的 kubernetes 集群,现如今规模更是远超10K,集群数量也持续增长; 蚂蚁集群采用KOK(Kubernetes On Kubernetes)的方式来管理内部的众多集群。 面临的问题 集群数量多,单集群规模大,这给日常运维和稳定性保障带来了很大的挑战: apiserver流量均衡的问题,http2的连接复用导致实例间流量差别巨大, webhook/controller无法做到精细化的灰度发布; 原生k8s无体系化的精细限流能力,导致apiserver很容易被流量打死; apiserver/webhook等组件的发布无损问题; 缺乏全链路追踪能力; 我们的方案 为体系化解决以上问题,我们引入了Istio。 在KOK架构中,增加了ServiceMesh层来管理管控组件(apiserver/webhook/controller)之间的流量; 调整之后,架构就变成了kubernetes on Istio on Kubernetes,简称KOI架构(kubernetes On Istio); 本次分享的内容 蚂蚁当前情况介绍,包括k8s集群的规模、当前的KOK架构及面临的问题; 蚂蚁KOI架构详细介绍; 如何利用istio来有效提升k8s管控面的稳定性、优化系统架构、提升流量调度能力及增强链路的安全性; istio落地中碰到的问题:主要包括envoy参数的调优、http2 flood check问题、k8s认证的适配等; 通过落地istio拿到的收益;主要包括: kubernetes webhook/apiserver/controller的精细化灰度能力,支持namespace粒度;apiserver/webhook的流量均衡及无损发布能力;kubernetes大版本的无损升级能力;基于真实流量镜像实现了etcd新版本的测试仿真; 关键链路(ingress/apiserver/webhook/etcd)的全链路追踪能力; 后续计划和展望;

Introducing TLS Bumping for Integrating SASE functions with Service Mesh

by Lei A Zhang & Luyao Zhong

Enterprise would like to apply SASE functions to their Service Mesh cluster. TLS bumping is fundamental because SASE functions need to inspect the encrypted content of the traffic. TLS bumping provides functionalities for certificates auto-generation and management in Service Mesh, which avoids certificates pre-generation and update from control plane. In this topic we will present TLS bumping concepts and how to integrate Service Mesh with SASE functions.


Create resilient multi-cluster, multi-regional and multi-tenant architectures with Istio and K8s

by Ameer Abbas

Building distributed applications is hard! Building globally scalable distributed applications is harder! Maintaining and growing these services as your business grows is even harder! This session takes an opinionated approach on how to create globally scalable platforms on multi-cluster, multi-regional and multi-tenant Kubernetes cluster architectures using Istio. The session covers (design opinions and reasonings for) the following concepts. Designing multi-cluster Kubernetes platforms Application multi-tenancy Global networking, ingress, multi-cluster load balancing, locality considerations Security - AuthN, AuthZ, NetPol Ops - Observability, dashboards Application and cluster life-cycle management Demo (on GCP)

Scaling to 1M RPS with multi cluster Istio

by Devarajan Ramaswamy & Nizam Uddin

Scaling systems to handle high throughput is an art and a journey fraught with several hurdles and blockers. We shall demonstrate how every little configuration can cause a huge impact at very high RPS, how we managed to beat 500K RPS with minimum latency and how we geared the system to be capable of handling upto 1M RPS. We shall show using the example deployment topology of Istio Service Mesh, how we addressed the issues of connection handling, load balancing shortcomings, cross cluster pitfalls, side effects of HPA, uneven resource utilization, etc.

Gateway API Status Update

by John Howard

In this talk, we will discuss the status of adoption of The Gateway API within Istio. Topics will include: Gateway auto provisioning Using Gateway API for mesh Gateway API path to beta and future plans Using Gateway API to integrate with cloud load balancers

API Gateway on Service Mesh - Complete Zero Trust

by Anil Attuluri & Shriram Sharma

Securing services behind a Gateway (also called API Gateway) is a common pattern in the industry. With proliferation of microservices architecture and increased communication between them it’s natural for these services to be on Service Mesh. By moving the API Gateway to Service Mesh, microservices that have external clients can continue to take traffic from API Gateway while converging their ingress onto a single path over Istio Service Mesh. At Intuit, this approach resulted in a complete zero trust model architecture and greatly simplified the networking and traffic management for the applications.

Red Hat loves Istio!

by Simon Seagrave

Join us for this short message from Red Hat for the Istio community.

Accelerating ZOZOTOWN Modernization with Istio

by Yoichi Kawasaki

ZOZOTOWN was launched in Dec 2004 and currently is one of the biggest fashion E-commerce company in Japan run by ZOZO ( It was implimented as monoliths, and became a big fat monolith application built upon onprem as it grew. In last 3 years they have worked on ZOZOTOWN modernization project that they call ‘ZOZOTOWN replace’ where they achived gradual migration to kubernetes-based microservice architecture and adopted istio / service mesh as a key enabler for our new ZOZOTOWN platform.

Perfectly (Load) Balanced, as all requests should be

by Christine Kim & Nim Jayawardena

Have you read about Load Balancing while onboarding to Istio, but never tried it out? Or maybe you just want to learn more about how Istio uses its Envoy sidecar proxies to support Load Balancing. This talk will discuss why we need Load Balancing, its benefits, and how you can stress test your service mesh so you don’t risk your own traffic. We’ll demo a simple multi-cluster setup of an online store sample app – Online Boutique – to showcase some Load Balancing capabilities.

Egress Woes: Debugging external service traffic in Istio

by Gregory Hanson

You have successfully deployed Istio, there are sidecars injected in all your services and pods can talk to each other. Now it’s time to start looking outside your service mesh and getting your pods talking to services outside of your cluster. It’s time to introduce ServiceEntries. Defining traffic routing behavior in Istio for external services does not happen automatically. Users need to often create four separate CRD’s to define external traffic routing behavior and that introduces four potential avenues for bugs to get introduced.

Dual Stack Cluster Setup

by Josh Tischer

Dual Stack support is very limited in today’s cloud ecosystem. Learn how to run/test Istio on a Dual Stack cluster in AWS on both Openshift 4.8+ and KubeAdmin. OpenShift 4.7+ is one of the few options that officially supports Dual Stack mode for bare metal clusters and Azure. We are excited to share our experience and empower your team with another option for Dual Stack support.

Gateway, gateway, or gateway?

by Rob Salmond

The Istio and Kubernetes landscapes are rife with jargon, and high on the list of overloaded terms is the word “gateway”. This term has multiple specific meanings that are both distinct and related to each other. In this talk we will quickly run through the different uses of the word Gateway, what they mean, how they’re related, and how to pick them out when you see them used in context.

Gatekeeper + Istio, FTW

by Mathieu Benoit & Ernest Wong

This session will demonstrate how Gatekeeper policies could help you make sure your Kubernetes cluster and your Istio mesh are secure and compliant with common and your own best practices. We’ll see in action how to guarantee that the deployed resources like Namespace, Service, AuthorizationPolicy, Sidecar, etc. are properly written. And because shifting left security guardrails is important, we’ll also illustrate how you could catch such policy violations in your Continuous Integration (CI) system, before actually applying these resources in your Kubernetes clusters.

A Field Guide for Safe Istio Upgrades

by Ram Vennam

As a Field Engineer at, the speaker helps organizations of all sizes install and upgrade Istio in production every day. What we already know is that there is no one-size-fits-all approach to perform upgrades. Enterprise platform owners and service owners maintain distinctive environments and Istio deployment models depending on their tenancy, security, and cost requirements. The varying risk tolerance for a potential downtime during an upgrade is another factor to consider.

Workshop: Multi-tenant Istio Service Mesh with Gloo Mesh

by Adam Sayah

We will explore many Istio concepts (multi-cluster topologies, identity federation, authorization, and more) and demonstrate how Gloo Mesh can simplify the management of a complex heterogeneous service mesh with a particular focus on multi-tenancy.


Lessons Learned: Developing WASM filter for logging use-case

by Amey Bhide & Takeshi Yoneda

WebAssembly (WASM) filters enable users to extend Envoy functionality. In this talk, we will discuss Proxy-WASM, Go SDK, our experience writing a Go-based WASM filter, problems we encountered writing a WASM filter at Splunk and a way to build a singleton WASM filter.

Why did we build Anthos?

Anthos is Google’s fully managed Istio-compliant service mesh. In this short message we explain the main problems that Anthos seeks to solve.

Getting started in the Istio Community

by Mariam John

Are you interested in contributing to Istio and wondering how to get started or would you like to learn more about our community? Istio is an open source project with a very diverse and active community of users, vendors and contributors. Since its launch in 2017, Istio has seen exponential growth and adoption, with more companies starting to use Istio in production. One of the key contributing factors to this growth is the great community of contributors who have been actively contributing to the project.

Safeguard Istio Service Mesh via Confidential computing

by Iris Ding & Srinivasa Addepalli

Security is a key feature for Isito service mesh. Service-to-service communication can be secured automatically without application code change. In the mesh edge side, the ingress and egress gateway can help you do TLS termination or origination as well. Private keys are important parts to fullfill all these functions and currently they are all exposed in clear text. This exposes rich attack surface for your service mesh. In this talk you will learn about confidential computing and how you can leverage it to improve the overall security level for Istio service mesh.

Istio and Supply Chain Security

by Faseela Kundattil & Adolfo García Veytia

Over the last decade, the use of open source by organizations has increased drastically and is considered as a catalyst for innovation.However, opensource is seen as inherently insecure due to various reasons such as insecure development practices, lack of required infrastructure and awareness. The Cloud Native ecosystem is one of the exemplary communities which could make a great impact on improving the security posture of open source software while allowing organisations to consume open source in a fast, secure & sustainable manner.

Join locally, learn globally

by Nick Nellis

Did you ever want to better understand how Istio enables some of its features such as mTLS, route manipulation or multi-cluster communication? With the help of istioctl you can look at how Istio configures Envoy and use that information to build your own local istio-proxy. Learning how Istio configures Envoy is not only good for debugging, but also enables you do more complex routing like secure multi-cluster communication. In this session, Nick will explain how you can configure a local istio-proxy to connect securely to a cloud based service mesh all the while explaining concepts like PKI, mTLS, east/west routing, and request/response transformations.