Welcome back to all things Istio after the summer break! Istio is 1.0, and we're ready to go.
For those of you who are new, a big welcome to the burgeoning Istio community in London. For those who have been before, we've some great new content for you. In keeping with the theme of production-ready Istio, we've got a pair of great practical talks lined up. We'll kick off with network security from an Istio point-of-view. We'll then look at the dirty details of cross-cluster networking done properly.
Talks will start at 18:30.
Talk 1: Service Mesh Network Security - Andrew Martin (Control Plane)
Microservice security is too hard. We must issue and rotate TLS certificates, deploy identity providers, and embed auth logic in applications. These all require secure deployment, test, and maintenance effort. Istio (a Google, IBM, and Lyft project) offers a new way: by providing a service mesh and a unified identity, it offers all these things with zero application changes. In this talk we detail:
- What a service mesh is, and why Istio could revolutionise microservices
- Increasing application security and availability using network RBAC and circuit breakers
- Why all applications should use encryption by default
- "Free" mutual TLS between all services and certificates that rotate every hour
- Preventing token replay attacks that plague JWT
- Securely delegating requests between microservices
Talk 2: Observability tools and patterns with Istio - Nick Joyce (Realkinetic)
Microservices can present a lot of challenges when it comes to understanding exactly what is happening to your application, especially when there is a customer-impacting production issue. We step through an example microservice-based application that demonstrates the capabilities that Istio provides, including:
- Telemetry with Prometheus and Grafana
- Tracing with Jaeger
Finally, we talk through some resiliency patterns that Istio provides out of the box, including:
- circuit breakers
- health checks
- rate limiting
Talk 3: Multi-cluster routing: a multi-mesh approach - Matt Turner (Tetrate)
Cross-cluster / VPC / data centre connectivity is a huge problem. Current solutions are clunky and unreliable, using VPNs, DirectConnects, or sending everything out to the internet and back in through the ingress layer. Some solutions have been attempted with service meshes, but these all involve a shared control plane, causing big problems for latency, security, and reliability.
In this talk, Matt will describe and demonstrate what he believes to be the correct approach: separate service meshes, each with its own blast radius, sending traffic between each other as and when necessary. The configuration needed for this approach isn't free yet, but you'll be given a step-by-step guide to it, and shown tools that automate the pain away.
Never fear; pizza and beer will be provided. We're lining sponsorship up right now.