Morning! It's great to be here. My name is Spike Curtis and I am a software engineer at Tigera. Tigera is a contributor to Istio and to Kubernetes. We're maintainers of Flannel and the CNI and our flagship, as Kelsey said, is Project Calico. And all your favorite hosted Kubernetes services have chosen Project Calico as the implementation for network policy. And we build these technologies because our mission is to provide secure application connectivity for the cloud native world.

And secure application connectivity is becoming increasingly important for two reasons. Firstly, our applications are becoming much more distributed, many more components and attack vectors. And secondly, attacks have become much more sophisticated, especially over the last few years. Our security planning has to answer the question, what happens if a workload is compromised? If we don't have a plan, then one tiny toehold will allow attackers to completely own us. So to deal with this problem, we invented network segmentation. And then micro-segmentation, and of course the logical conclusion of this, the current best practice, is to enforce access control around each and every workload.

Now, unfortunately our security planning has to answer the question, what happens if the network itself is compromised? What happens if attackers can intercept our data or spoof traffic? Now we all know this is possible on the public internet, but it's simply no longer a safe assumption that our data centers, our private clouds, our virtual private clouds have not been breached. We have a ton of evidence that criminal organizations routinely penetrate the network itself. So to deal with this, we can use end-to-end encryption and authorization and authentication. Now, I know what you're thinking. This seems really hard, really complicated. How are we going to get there?

Well, Tigera and the rest of the community have been working on these problems for some time, and we have many of the building blocks that we need for secure application connectivity. Kubernetes network policy is a great way to enforce access control around each and every workload. And I'm sure that you've heard a bunch about service meshes and the Istio project at this KubeCon. The feature that I'm most excited about in Istio is the ability to set up mutually authenticated TLS connections. Istio will authenticate both ends of the connection and encrypt your data, and the best part is no application code changes. You don't even need to add HTTPS to your URLs. Istio handles this all transparently.

So we have these great building blocks, but how do you deploy them together? Well, today you would configure network policy, and then you would configure Istio with any application layer rules. But there's a gap, because it's really painful to keep things in sync, and you might leave the door ajar for attackers or cause production outages. So today we're announcing Calico support for application layer policy, seamlessly combining Kubernetes network policy and Istio security features into a unified policy for secure application connectivity.

Let's take a look at an example. So if this looks familiar, it's because we specifically chose idioms from Kubernetes network policy. So just like in Kubernetes network policy, label selectors give us an easy but powerful mechanism to scope policies and build them up out of layers. And this is probably my favorite part. In Istio, each workload is issued an identity and the means to prove it cryptographically. In Kubernetes, that identity is the service account. So we can be extremely confident about who's on the other end of a connection. And in Calico policy, we enforce this at multiple layers. We have the cryptographic identity, but we also use the network information. It's like two-factor auth, but for pods.

And working with Istio means that we now have access to request attributes from the application layer, so we can really scope down policy and bring it down to least privilege. So when we put this together, we can build applications that are resilient to attacks like never before. And this design of planning for breaches to our workloads and breaches to our networks by reducing trust in the network is called the zero trust network model. Now historically, it was really hard to build zero trust designs because you had to write a bunch of custom code. It was really hard to authenticate and authorize every flow. It was really hard to calculate policy from multiple data sources. Calico application layer policy is a huge step forward because it gives us both of these capabilities right out of the box.

So these new features of Calico are available in tech preview. Check it out on GitHub that will show you how to set up a test cluster, kick the tires and tell us what you think. I'm also giving a talk with Dan Berg of IBM where we'll be doing a deep dive on Istio security, including a demonstration of Calico application layer policy. That's tomorrow at 11:55 and I hope you'll join us.

And one more thing before I go, Tigera is announcing CNX, which is an enterprise offering for secure application connectivity built from Calico and Istio. It has enhanced controls and visibility tools specifically designed for enterprise processes and compliance requirements. And of course enterprise-grade support. So check it out. Thank you.