ServiceMeshCon North America 2021

The Linux kernel is an ideal place to implement observation, networking, and security, and improvements in the eBPF space are making it more practical to leverage the Linux kernel for these use-cases. Given that both eBPF and service mesh essentially allows users to program policies to connect, secure, and observe; you may be wondering how service mesh and eBPF intersect? This talk will explore different approaches to supercharge your service mesh with eBPF to make service mesh more secure and efficient.

Infrastructure diversity is a reality for many organizations. It’s predicted that by 2022, 90% of all apps will feature microservices architectures. A huge range of microservice patterns drives a world of multiple service meshes. As various service meshes have proliferated infrastructures, service mesh patterns and abstractions have emerged. We will break down 60 service mesh patterns into different categories of use, demonstrating and examining a select few using Meshery for deeper review of their problems they solve, discussing caveats, and highlighting anti-patterns. The patterns discussed are being published in Service Mesh Patterns (O’Reilly) by Lee Calcote and Nic Jackson.

Service mesh is an infrastructure layer for micro services. It provides functions like: service discovery, traffic routing/shifting, security, observability etc. Multi-tenant is very common in kubernetes clusters. So how to better utilize service mesh capabilities while providing enterprise multi-tenant support in kubernetes clusters? In this talk we will walk you through below items and show you some tradeoffs for different service mesh options. 1. What challenges does multi-tenant bring to Service Mesh? 2. What service mesh options are applicable for multi-tenant support? 3. What does single mesh and multi mesh mean for multi-tenant and what are their Cons & Pros? 4. Performance comparison for different service mesh topology on multi-tenant clusters.

A service mesh is a critical piece of application infrastructure that lives on the request path between your services. Once you get past the “hello world” for your particular mesh, you are left having to plan out your production deployment and more importantly, future upgrades. The architecture and patterns for deployment are as important (if not more?) as the specific mesh capabilities you choose. For example, patterns like separating ingress, running canaries, and focusing on limited configuration blast radius are foundational to enable zero-downtime upgrades of your mesh. In this talk, we discuss the vital patterns and practices cultivated working with mesh adopters around the world. The audience should come away with a core set of practices to enable successful lifecycle management of their service mesh.

This workshop is based on Istio and Gloo Mesh (https://github.com/solo-io/gloo-mesh). It's a hands-on workshop where each participant has a dedicated VM. In the VM, you deploy 3 Kubernetes clusters using Kind. One cluster is a management plane where Gloo Mesh is deployed, while Istio is deployed in the 2 other clusters. Then, you federate the identity of the Istio clusters, configure cross cluster communications, failover, learn about Web Assembly, ... And before each lab, we go through some slides. For example, before the identity federation, we explain you what is SPIFFE, how it's used in Istio, ... The labs are publicly available: https://github.com/solo-io/workshops/tree/master/gloo-mesh

Confidential computing (CC) is a new and emerging security paradigm. It enables the always encrypted and verifiable processing of data on potentially untrusted hosts, e.g., the cloud or maybe even your local cluster. Do you wanna add an extra layer of data protection to your Kubernetes workloads? In this talk, we introduce the open-source project Marblerun and discuss the challenges that arise when you deploy CC-enabled workloads on K8s. Marblerun is the control plane for confidential computing, designed to run on Kubernetes. It is an open-source solution that extends the confidentiality, integrity, and verifiability properties of a single enclave to a Kubernetes cluster. Marblerun does not replace your service mesh; it is built to run alongside your existing cloud-native tooling. In essence, Marblerun simplifies deploying, scaling, and verifying end-to-end encrypted apps on vanilla K8s. We will demo how to CC-fy a cloud-native app and run it with K8s+Linkerd+Marblerun.