I wish there were some code examples to back it up. But at least we have a solid theory now, all is left is to go through the doc and apply it. Thanks man you saved my weeks of kubernetes documentation ❤

Very nicely done. Good structure, good understanding. As a former maintainer and workgroup lead, this video explains Istio in 60 minutes, and that is no easy feat!

The tool mentioned in 23:22 called ioa3ctl to do the transformation/translation from OpenAPI spec files to Kubernetes/istio yaml definitions will be really useful. The only one similar is kusk-gen but it's deprecated and not supported anymore.

Hello i have 1 scenario in that i have 1 k8s cluster in that i have 1 service mesh and also i configure kiali using addons and i deploy my application in default namesapce in that istio injection is enabled i see the traffic flow till workload but need to see my pod also in this traffic flow graph so it it possible to do that and id yes then how

Brilliant and entertaining! Nice job. I thought all the while I was the only one going mad with an overused/overloaded term. Thanks! Appreciate you sharing this.

Thanks for doing the math and other inspirational ideas, but the title is not so exact for the presentation, I was expecting sth more focused on Istio and how it contributes to the problem with a minimal demo.

As a gateway, it should have lots of features, however, this videos only show how to put cert into sidecar. It is good, but not enough.

Thank a lot

Loved the content . Tx

I have deployed istio on to my EKS cluster. It created an internal load balancer. For now, I have managed to create an external load balancer by specifying the right annotations and replaced the running service that came with boiler plate. In future, how to create an external load balancer while I istioctl install command itself?

This was quite informative, thanks a lot.

Just looking for the open source project related to this. Is this documented somewhere?

ready for prod? 🤩

This is a great presentation! What are the CPU and Memory request/limit settings on the Sidecar and ingressgateway pod for each stage of test? Would like to understand more about the impact to system resource utilizations after all those tunings... And it would be great if more elaboration could be added on which system metrics we should note in order to justify which tuning options we should take. Thanks

informative video.

Is that a config error at 9:21 showing ServiceEntry for Mongo that is outside the mesh using `location: MESH_INTERNAL`? Should it not be MESH_EXTERNAL?

An FYI for others "Istio does not provide service discovery , although most services are automatically added to the registry by Pilot adapters that reflect the discovered services of the underlying platform (Kubernetes, Consul, plain DNS)" It is quite possible that the statement has been modified since this talk.

Thanks you for this video. Where can I find your presentation slides ?

I more or less have documented how to do upgrades over the 15 minor version upgrades we've done. We don't really look at documentation anymore. However, some general thoughts on the initial discussion based on what we did in the past. - We're 100% gitops so we summon 3 different helm charts via kustomize currently. Various components are kustomize Components like "install istiod-x-x-x revision" and each gateway is a separate component. We use 4 revision tags (ingress, infra, canary, stable in that order.) - I've used istioctl to render out some new feature in order to get an idea of how to configure my helm values. I can't say for sure about install, but anyone using istio needs istioctl for the proxy-config command so maybe that's why people are more comfortable using it? - +12 to more production documentation. Explaining when and how to setup Sidecar CRs would have been useful and figuring out istiod HPA and resource numbers would be helpful beyond the existing documentation. Really anything scale related or reliability related would be stellar. - If you have an "unsafe" profile and don't want someone to accidentally install it via istioctl you could add an additional flag akin to somethng like "--enable-alpha-features" or --enable-unsafe-profiles" kind of flag. Even as you fail the install telling the user to add a flag you could link to some sort of "demo vs production" explanation. - In the past, I more or less had to paste together like 3 different pages to figure out how to do upgrades. Essentially combine istioctl upgrade instructions, revision based upgrade instructions and helm canary sections of a page (I might not have the specific ones correct, but demonstrating the point.) - We use argocd and before we switched to kustomize we would have a root app with leaf apps under it. So the one called istio would contain 3 argocd Application CRs for each helm chart.

please provide github link

Great!!!!

@CloudNativeIndonesia okay so the rate limit seems to apply per IP. Is there a way to use more complex rules like using the "sub" field from a JWT of an Authorization header? Just thinking about limiting per user / not per IP as a use case.

Is there a doc which lists high-level milestones or roadmap for this project that is publicly available for RO access?

Super ilustrative!!! Thanks!!!

did Anil Attuluri & Siva Thiru ever open source the code to generate istio virtual services, etc based on a the openapi spec of a webservice? Else I'll have to code it myself, thanks!

This video is a must-watch for anyone working with Istio! The breakdown of security practices and the clear explanations helped me strengthen the security of my Istio service mesh. Keep up the good work!

Any chance to get English captions?

A very good example of how not to present a topic even though you might be knowledgeable ! This guys seems like reading straight from his notes or some other screen.

Great talk!

Agreed it's nice to see someone who can talk about the why / establish background contextual information / big picture what's happening. Before diving into the how and everything going over my head. Wish more people would say why a tool makes sense/when to use it, vs use this popular shiny tool.

Can have the sample git repo on that custom wasm filter?

讲得太好了

Excellent presentation Harshad & Rajath.

For people watching, JWT = JSON Web Token, not Java web token

muito bom

please provide github repo

nothing happen here? where installation process and solution to 2 kind clusters in different machines? I think istio not work in multicluster mode, I tried many ways, cloud kubernetes, home made kubernetes, kind clusters and definitively does not work. Linkerd is so much easy and really work

Thank you that's very helpful. Can we make different stages using Istio as in API gateway, as we did in the case of AWS API Gateway?

great presentation

Looks like to correctly configure strict mtls isn't easy and comes with problems. Thanks for you experience sharing on this

Yeah the documentation for the Istio is good, but quite a lot to go through honestly. This helped quite a bit.

awesome!

Great talk, even more accessible than the medium article. Thought provoking indeed. Thank you.

I'm getting a 504 gateway timeout when did curl -v external ip

Love the topic but too much jumping around. It winds up being difficult to follow what exactly is being shown and how its applicable.

this is excellent preso. one question mostly i have seen istio as sidecar but in the gateway capacity will it also be a separate pod service running just containing its gateway capabilities? where will the load balance be in such configurations?

Impressive! Nice feature! Today, we always need the envoy access log from L7, besides the transparent mTLS. So I guess that means we always need to install the waypoint pod, right?

Some key timestamps from this video: 0:00 What is Ambient Mesh? 2:32 Install Istio with the "ambient" Profile 3:44 Add default Namespace into Ambient Mesh 7:02 Enable Layer 7 Features with Ambient Mesh's "Waypoint Proxy" Thank you, Christian and Istio, for this video!

Some key timestamps: - 0:14 Pre-setup ("ambient" Profile, BookInfo, sleep, and notsleep) - 1:02 Add Namespace to Ambient Mesh - 1:17 Confirm mTLS Traffic (ztunnel) - 1:46 Ambient Mesh Certificates (managed by ztunnel) - 2:39 Layer 7 Features with Waypoint Proxy - 3:56 Remove Namespace from Ambient Mesh Thank you, Lin Sun and Istio, for this video!

We have quite similar idea, now I’m also building quite similar platform. But I use argocd for infra management and tenant provisioning.