CNCF-hosted Co-located Events North America 2024

Ambient mesh introduces a new service mesh architecture without sidecars, but more than that, it gives us a way of thinking about the mesh as a set of API-driven network capabilities, distinct from the infrastructure used as an implementation. What if your mesh was truly ambient - if it was available and functional anywhere you have a network? This talk will show the state of the art of making Istio’s implementation details - the ztunnel L4 secure overlay and the L7 waypoint proxy - vanish into the cloud infrastructure. We’ll cover our efforts to standardize Istio’s Ambient Mesh interfaces to allow alternative implementations that can leverage existing infrastructure, requiring fewer components, and less management overhead. We’ll imagine alternative waypoint proxy implementations, such as managed load balancers, and non-Envoy proxies, and we’ll discuss how adjacent projects like Cilium CNI are vanishing into the infrastructure, and how these parallel efforts align with one another.

Confluent Cloud leverages Istio service mesh in its control plane to secure, observe and route traffic between microservices at scale processing millions of requests per second. In this case study we will explore how Istio service mesh was incrementally adopted at Confluent providing a uniform identity model using SPIRE and advanced observability using OpenTelemetry. We will go over our Istio adoption journey - from securing traffic using mTLS to advanced multi cluster routing and share our experiences running Istio at scale in production along with learnings to operationalize Istio for Day 2 operations.

Istio provides critical capabilities for managing microservices in Kubernetes, making application upgrades safer and easier with its traffic management features. However, upgrading the Istio control plane, especially with the safer blue-green deployment model, requires substantial manual effort. We started the sail-operator project to close that gap. Building on our product operator experience, we aim to create a community-first Istio operator. While installation is the core feature, we want to explore new ways of providing value, in ways that are unique to the operator concept. And our first focus is on improving usability around control plane upgrades. The presentation will include a live demo showcasing the 2 upgrade strategies supported: InPlace and RevisionBased. Whether managing a small cluster or a large-scale deployment, attendees will learn how sail-operator helps maintain stability and continuity in their service mesh, making Istio upgrades more manageable and less risky

Do you use JSON Web Tokens in your Istio system? Do you like how you can't revoke any of the JWTs that you use? Wish you could make a more secure system that allows you revoke a token across all your clusters within seconds without compromising all that you love about JWTs? Join my talk to learn about how to build an event based system that uses native Istio functionality to build a zero trust layer on top of Istio that enables token revocation when: - a user account is disabled - a user account logs off - (insert your use case) We will walk through all the pieces needed accomplish this, and of course a live demo.

This talk dives into how microservices architectures and Istio service mesh in Kubernetes empower developers to build scalable, resilient, and future-proof GenAI applications. We'll explore the challenges of running GenAI Application such as selecting the most suitable Large Language Model (LLM), leveraging effective embedding models, and deploying a robust vector database (DB), etc. We'll demonstrate how to overcome them using advanced Kubernetes strategies.

Key topics include:
• Discover how breaking down GenAI Application into microservices enhances flexibility, scalability, and maintainability.
• Learn how service mesh facilitates dynamic updates and changes to GenAI components without impacting user traffic.
• Showcase practical strategies for integrating these technologies in Kubernetes, supported by real-world examples like how to dynamically compose a GenAI application using different microservices, and how to change models or pipelines dynamically on Kubernetes.

Istio excels with microservices but implementing it as a service mesh for a newly containerized legacy monolith application comes with its own set of challenges. In this session, we will take you through our journey of migrating a monolithic application to Kubernetes, where Istio plays a crucial role as the service mesh. We'll delve into the intricacies of this migration, sharing the challenges we faced and the lessons we learned along the way. You'll gain insights into how we operate Istio service mesh in Adobe's Document Cloud and discover common yet critical pitfalls. Our discussion will cover issues ranging from scalability to upgrades, providing you with valuable knowledge to navigate similar migrations in your projects. By the end of this talk, you will have a clear understanding of the complexities involved and be better equipped to handle the transition of monolithic applications to Kubernetes using Istio.

In the most recent Gartner hype cycle for API reports, service mesh has been placed in the "trough of disillusionment", signaling that that the hype for the technology is not where it once was. Come hear from members of the Istio Technical Oversight Committee discuss their perspective on this classification and why the best days of service mesh are still ahead of us.

Running a multicluster Service Mesh with 1000s of microservices has several challenges. One is to keep the Istio sidecar configuration minimal and thereby improve pod density.Istio has several knobs to fine-tune this and& many of those are unexplored & underutilized. Another challenge,sharded apps,where every shard needs tuning or it gets a bloated superset of configurations.In this talk,we will share the insights & technical breakthroughs from Intuit’s Service Mesh journey.We'll dive into how the `exportTo` configuration, in conjunction with Admiral's advanced identity management,enabled us to efficiently manage Istio resources across 300 clusters with remarkable cost savings. We will discuss strategic use of identity sharding & discovery selectors in multi-tenant API GW,highlighting resource management & optimized sidecar configuration.If you want to run a resource & cost-effective multicluster multitenant Istio deployment, this session provides practical guidance & valuable lessons.