The document discusses Cilium and Istio with Gloo Mesh. It provides an overview of Gloo Mesh, an enterprise service mesh for multi-cluster, cross-cluster and hybrid environments based on upstream Istio. Gloo Mesh focuses on ease of use, powerful best practices built in, security, and extensibility. It allows for consistent API for multi-cluster north-south and east-west policy, team tenancy with service mesh as a service, and driving everything through GitOps.

1. Cilium and Istio with Gloo Mesh

2. 2 | Copyright © 2020
CHRISTIAN POSTA
VP, Global Field CTO, Solo.io
@christianposta
christian@solo.io
https://blog.christianposta.com
https://slideshare.net/ceposta
Istio in Action (March 2022)
https://www.manning.com/books/istio-in-action
Discount Code: SOLOIO41
Shortlink: mng.bz/06Wl

3. 3 | Copyright © 2020
Idit Levine
Founding API gateway WG-Istio
Christian Posta
Founding community member,
Istio Steering Committee,
author Istio in Action
Lin Sun
Founding Istio project maintainer,
Technical Oversight Committee
(TOC), Steering Committee
Neeraj Poddar
Istio Steering and TOC member.
Co-founded Istio Product
Security Working Group
Yuval Kohavi
Renowned security researcher,
Founding API Gateway WG-Istio,
Contributor Envoy
Ram Vennam
Founding Istio Steering
Committee member
Nick Nellis
First to run Istio in production,
current contributor and maintainer
Solo Istio/Envoy Community Leadership
Founded in 2017 by Idit Levine
Based in Cambridge, MA
with multiple locations around the globe
The industry’s leading Cloud-native Application
Networking company.
Open-Core, “Enterprise” Subscription model
Growing fast
with happy customers
Well Funded
500+%
bookings
growth y/y
98%+
renewal
rate
$171.5M
venture financing
$1 Billion
valuation
Company Overview
Gloo Application Networking Platform
Simplify your application networking with unified control,
reliability, observability, extensibility, and security
3 | Copyright © 2022
Greg Hanson
Founding Istio Maintainer,
Product Security WG Lead,
Istio Release Manager

4. 4 | Copyright © 2020
Gloo Application Networking Platform
Manage
APIs
Data
Access
Gloo Gateway
API Gateway
Gloo Mesh
Microservices, Security, Observability
Gloo Network
Kubernetes CNI, Network Policy

5. 5 | Copyright © 2020

6. 6 | Copyright © 2020
6 | Copyright © 2020
Problem

7. 7 | Copyright © 2020
What is application networking?
Challenges
● Service discovery
● Load balancing
● Timeouts
● Retry / Budgets
● Circuit breaking
● Tracing, observability
● Secure transport
● Extension

8. 8 | Copyright © 2020
What is application networking?

9. 9 | Copyright © 2020
Previous solutions to these problems

10. 10 | Copyright © 2020
Previous solutions to these problems

11. 11 | Copyright © 2020
11 | Copyright © 2020
Push enforcement points
down to application

12. 12 | Copyright © 2020
What is application networking?

13. 13 | Copyright © 2020
What is application networking?

14. 14 | Copyright © 2020
Service Mesh Technologies Provide the
Following
L4 & L7 Observability
Traffic Encryption / L7 Identity
L4 & L7 Policies [Canary, RBAC, ….]

15. 15 | Copyright © 2020
15 | Copyright © 2020
Demo

16. 16 | Copyright © 2020
What you must build to run service mesh in production?
Istio Service Mesh
Security
|
Compliance
FIPS-140
Authentication
Cert-Mgmt
Rate-Limiting
API Gateway
Failover Routing
Global Service
Discovery
Integrate
Observability
Routing
|
Traffic
Mgmt
Topologies | API | UI | Extensibility
Multi-Cluster Multi-Tenant Web Assembly
UI / Higher-level API

17. 17 | Copyright © 2020
https://www.solo.io/products/gloo-mesh/
Enterprise Service Mesh for
multi-cluster, cross-cluster and
hybrid environments based on
upstream Istio

18. 18 | Copyright © 2020
https://www.solo.io/products/gloo-mesh/
Gloo Mesh Enterprise
• Enterprise Istio for single cluster, multi-cluster and multi-platform configuration.
• Focus on ease of us, powerful best practices built in, security, and extensibility.
Installation, upgrade,
takeover and hybrid
lifecycle
Production and long-terms
support (LTS, N-4) with
patches and hotfixes for
validated upstream Istio
Delegate ownership of
configuration and policy
by persona, including:
developers, SREs,
and admins
Discovery services
running across multiple
clusters, clouds, VMs
Operational visibility with a
single pane of glass across
multiple service mesh clusters
Cross-cluster failover and
locality aware routing
Support multiple teams
owning their own resources
across multiple clusters
End to end security across
clusters and meshes for zero
trust networks, integrate with
PKI, CA/RA, etc
Istio
Support
Istio Lifecycle
(2.1)
Global Failover
Routing
Multi
Tenancy
API Gateway Global Service
Discovery
Unified
Observability
Zero-Trust
Security

19. 19 | Copyright © 2020
User Clusters Public cloud
Compliance / DMZ

20. 20 | Copyright © 2020
Consistent API for multi-cluster N/S and E/W Policy

21. 21 | Copyright © 2020
Gloo API Gateway

22. 22 | Copyright © 2020
Team Tenancy (Service Mesh as a Service)
● Tenancy
● Dependency
● More flexible API
● Hierarchy
● Unified NS/EW

23. 23 | Copyright © 2020
Drive everything through GitOps!

24. 24 | Copyright © 2020
24 | Copyright © 2020
Demo

25. 25 | Copyright © 2020
Gloo Application Networking Platform
Manage
APIs
Data
Access
Gloo Gateway
API Gateway
Gloo Mesh
Microservices, Security, Observability
Gloo Network
Kubernetes CNI, Network Policy

26. 26 | Copyright © 2020
Kernel-level observability
Security controls
Advanced L3/L4/L7 Network Policy
Container networking / CNI / Overlay built on eBPF!

27. 27 | Copyright © 2020
Cilium: Cloud Networking Overlay

28. 28 | Copyright © 2020
Flexible: Executes custom logic in the Linux kernel.
Safe: BPF code is verified to not crash/hang kernel.
Fast: JIT-compiled to run at native speed.
Humble origins:
BPF
Berkeley Packet Filter
$ tcpdump -n dst host 192.168.1.1
What is eBPF?

29. 29 | Copyright © 2020
with strong safety guarantees and
native kernel performance
“Function-as-a-Service” for kernel events
Execution Stack in the Kernel
submit_bio submit_bh()
journal_submit_commit_record()
jbd2_journal_commit_transaction()
mb_cache_list()
BPF
Hook
BPF Program Source Code
bpf() syscall
llvm / clang
Verifier +
JIT compiler
What is eBPF?

30. 30 | Copyright © 2020
30 | Copyright © 2020
What about conflicting policy at different layers?
(demo maybe?)

31. 31 | Copyright © 2020
Consistent Networking Policies

32. 32 | Copyright © 2020

33. 33 | Copyright © 2020
33 | Copyright © 2020
Demo

34. 34 | Copyright © 2020
34 | Copyright © 2020
Recap

35. 35 | Copyright © 2020

36. 36 | Copyright © 2020
Cloud Native Stack
ANY KUBERNETES (CLUSTERS) VMs
eBPF
WASM
GLOO NETWORKING | CILIUM
ENVOY PROXY
ISTIO
GLOO MESH GLOO GATEWAY
GLOO PORTAL
EXT.
AUTH
RATE
LIMITING
GRAPHQL
XSLT
(SOAP-REST)
ANY CLOUD
Gloo Application Networking Platform

37. 37 | Copyright © 2020
Learn More!!
Free Workshops and
Certifications
● Envoy Proxy
● Istio
● Cilium
● eBPF
● On demand
● Instructor led
● Service mesh
● Modern API gateway
● eBPF
Solo Academy
1 2
https://www.solo.io/events/upcoming
/
https://www.solo.io/solo-academy/

38. 38 | Copyright © 2020
We are hiring!
https://www.solo.io/company/careers/

39. 39 | Copyright © 2020
Solo.io global presence

40. 40 | Copyright © 2020
• https://solo.io
• https://solo.io/blog
• https://slack.solo.io
• https://gloo.solo.io
• https://envoyproxy.io
• https://istio.io
• https://webassemblyhub.io