Hey guys. My name is Kush. I work at a company called Speed Scale. We do a bunch of Kubernetes things, as everyone probably does. But yeah, we work on the network level, and I am heavily involved with Istio and layer 4 stuff. So yeah, without further ado, I don't have any slides. I'm just going to be demoing something, and hopefully it goes well.

So we've been promised the land of containers. Everything is very isolated. We have all these security mechanisms that totally work and make sure that we don't get hacked. So given that promise, I want to run arbitrary code in my production cluster, along with everything else I have in there, which sounds like a good idea, right? And this is actually a pretty reasonable use case, especially because most of what we do now is kind of plumbing code where things call out to other things, and I may be running something like a synthetic website, right, where I want to be able to run user-submitted code, and that code needs to actually reach out to the network. So this is something I actually want to do. So using Istio, I'm going to make this possible.

So I've got two things going on here. I've got this very simple demo script that I've run six times, and it worked those times. And I've got some YAMLs, and I've got a little terminal window, I'll make this a little bigger too, with K9s running in it. So this is a realistic cluster. I'll show you real quick. There's a bunch of stuff in here, right? Argo is running in here. There's this, like, decoy payment service. This is a demo cluster for us, but it is realistic. So I am going to run my script and change it over to that cluster. It created a namespace with my name in it, and it created a deployment. Yeah. Okay. That messed up. So looking at this deployment, very standard. I have a deployment with one replica. It has some labels.
I chose the Golang container because it already has curl on it, and it just sleeps for a million seconds, and I'm a good person, so I put resource limits in there. So I now have my namespace. I go into this container, and I can hit this internal payment service I was talking about that's in a different namespace. Okay, yeah. But I can hit there, you know, there's the ping, there's the pong. So I can do this. I can also hit our website. Yeah. Nice JavaScript over there.

So now I'm going to continue by uncommenting this line, which is going to apply this Sidecar config. So what this does is this magic incantation. I'm saying, so I could do a star star, which says allow egress to all hosts. So this is in the form of namespace and service. I am making this a tilde, which is don't allow any outbound traffic. So I'm going to apply this. It does the same things plus the Sidecar. So now while I'm in here, I'm going to try that. Didn't work. That also didn't work. So that's good, but my goal was to be able to hit the internet, but not hit things within my cluster.

So now I'm going to uncomment this little patch. And what this patch does is it includes this outbound IP range. And what it's saying is don't include, or only include, these IPs for routing through the Envoy sidecar. Don't include other IPs. So these magic CIDRs, these depend cluster to cluster. These are pretty standard for GKE, where my cluster is running. There's a bunch of AWS commands or Google Cloud commands that you can run to get these IPs. It's pretty easy. They're actually on the Istio docs. But yeah, I'm going to apply this. Make sure I uncommented. Yep. So now I'm going to apply that. I'm going to get out of this because this is going to create a new pod. It's coming up. Now that payment service that's in my cluster does not work, but I can still get out to the internet. So that's it. It took me two little things. And honestly, the hardest part was figuring out that IP list.
Obviously, if you're going to actually do this in real life, I would totally build a whole new cluster and say we're only running customer-submitted stuff in there. But this is a path. And this is delivering on the promise of our network rules. So yeah, like I said, my name is Kush. I work at Speed Scale. We have a booth. If you want to come talk, I'll be there pretty much all day tomorrow and the day after. Yeah. So thank you, and open to questions. All right. Easy enough.

All right, everybody. Thanks. We're going to come back in an hour, I believe, after lunch, and we'll have a great talk on identity. So it'll be great. Look forward to seeing more folks.
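The two pieces of configuration the talk walks through (the Istio `Sidecar` resource with a `~/*` egress host list, and the pod annotation that limits which destination ranges are redirected through the Envoy sidecar), written out as an added example. This is not the speaker's own YAML, which is not reproduced on this page. The namespace `untrusted-code`, the `app: sandbox` label, the image tag, the resource limits and, above all, the CIDR values are assumptions; the ranges must be replaced with the pod and service CIDRs of your own cluster (for GKE, the Istio docs point at `gcloud container clusters describe` to read them).

```yaml
# Added example: lock a sandbox workload out of the cluster while leaving
# the public internet reachable. Assumes Istio sidecar injection is enabled
# for the namespace and the mesh uses the default outbound traffic policy.
apiVersion: v1
kind: Namespace
metadata:
  name: untrusted-code            # assumed namespace name
  labels:
    istio-injection: enabled
---
# Step 1: Sidecar resource. The egress host list "~/*" selects no namespace
# and no service, so the sidecar is configured with no in-mesh destinations
# at all. Without a workloadSelector it would apply to every pod in the
# namespace; the selector below scopes it to the sandbox deployment.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: no-cluster-egress
  namespace: untrusted-code
spec:
  workloadSelector:
    labels:
      app: sandbox
  egress:
  - hosts:
    - "~/*"
---
# Step 2: the deployment, with the annotation that tells the injector which
# destination ranges to redirect into Envoy. Only traffic to these CIDRs
# (assumed placeholders for the cluster's pod and service ranges) hits the
# sidecar and is blocked by the Sidecar resource above; any other IP bypasses
# Envoy and leaves the pod directly, which is what makes the internet reachable.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sandbox
  namespace: untrusted-code
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sandbox
  template:
    metadata:
      labels:
        app: sandbox
      annotations:
        # Replace with your cluster's pod CIDR and service CIDR (assumed values).
        traffic.sidecar.istio.io/includeOutboundIPRanges: "10.8.0.0/14,10.12.0.0/20"
    spec:
      containers:
      - name: sandbox
        image: golang:1.22          # assumed tag; any image with curl works
        command: ["sleep", "1000000"]
        resources:
          limits:
            cpu: 500m
            memory: 256Mi
```

Apply the file with `kubectl apply -f`, then `kubectl exec` into the pod: `curl` against a Service in another namespace should fail, while `curl` against a public host should still succeed. Two caveats a practitioner will want: first, whatever bypasses the sidecar bypasses Istio entirely, so that traffic gets no mTLS, no telemetry and no Istio policy; second, `includeOutboundIPRanges` is enforced by iptables rules installed in the pod's network namespace at injection time, so the sandbox container must not be granted `NET_ADMIN` or `NET_RAW` (otherwise the untrusted code could rewrite those rules), and a Kubernetes `NetworkPolicy` on the namespace is the natural second, independent layer on top of this.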