The external control plane deployment model in Istio enabled some new use cases for mesh management. The ownership and the management of the control plane may belong to a completely different entity, other than the end-user.

Leveraging this new model, a cloud vendor can create a cost effective, managed, multi-tenant mesh control plane, safely isolated from the mesh clusters. Behind the scene, the vendor can manage/scale/update the service with or without the user’s intervention.

In this talk I will describe such a managed solution, focusing on the extra challenges that the basic Istio external control plane setup does not solve.

Agenda:

• the generic problem of running kubernetes operators and webhook services remotely to the managed cluster
• exposing control plane endpoints
• the problem domain of metrics collection
• how to hide/embed/manage and automate the control-plane parts from the user
• how and why multi-tenant control plane can be safely operated