Introducing wazero from Tetrate
Tetrate, Wasm, wazero

Introducing wazero from Tetrate

WebAssembly, also known as Wasm, is a way to compile code written in one programming language, such as C or Rust, and run it on a different runtime, such as in a web browser or microservice. This makes it a great choice for writing plug-ins, extensions and, in general, running user-defined arbitrary code in a safe, sandboxed environment.

WebAssembly is often mistaken for a technology that is only used in the browser when, really, Wasm is a cross-platform binary that can be executed by any WebAssembly runtime. Historically, there were not many good options for Go programmers, but this has changed.

This post introduces wazero, why it matters for infrastructure written in the Go programming language, and covers its most compelling features.

Read More
FIPS Certification, Istio, Tetrate, Zero Trust

How Tetrate Istio Distro Became the First FIPS-Compliant Istio Distribution

Federal information systems need FedRAMP approval for authority to operate.  To get that approval, they must comply with the Federal Information Processing Standards (FIPS). For cryptography, this means that if you’re a U.S. government agency or a vendor or contractor supplying the government, you must use FIPS 140-2 compliant modules wherever encryption is required. If you want to use Istio or Envoy in those systems, you can’t use the stock community builds of Istio and Envoy, since they don’t use FIPS-compliant cryptography modules and are thus not suitable for a FedRAMP environment.

Tetrate enables government organizations to meet this requirement by supplying Istio users with the first FIPS-verified open source distribution of Istio and Envoy as part of Tetrate’s hardened and performant Tetrate Istio Distro

In this article we will lay out the basics of FIPS compliance, what it means for Istio and Envoy, and the surest way to get to production with Istio in a FIPS-regulated environment.


  • Software used by federal information systems must be FIPS compliant.
  • Stock builds of Istio and Envoy are not FIPS compliant.
  • Tetrate offers the first FIPS-certified builds of Istio and Envoy with its open source Istio distribution, Tetrate Istio Distro, plus enterprise support with Tetrate Istio Subscription.

To find out more about FIPS and Istio, download our free Primer on Zero Trust and FIPS for Cloud Native Applications.

Read More

How Are Certificates Managed in Istio?

I mentioned in my last article on understanding mTLS traffic encryption in Istio that the key to traffic encryption is certificate management. We can use the built-in certificate authority (CA) in Istio or a custom CA to manage certificates within the mesh. This blog post will explain how Istio handles certificate management.

Read More

eBPF-Enhanced HTTP Observability: L7 Metrics and Tracing with SkyWalking


Apache SkyWalking is an open-source Application Performance Management system that helps users collect and aggregate logs, traces, metrics, and events for display on a UI. In a previous article, we introduced how to use Apache SkyWalking Rover to analyze lower-level (Layer 4) network performance issues in a service mesh environment. Since modern applications often use mature Layer 7 protocols, such as HTTP, for interactions between systems, it’s important to be able to quickly troubleshoot issues at Layer 7, as well. In this article, we will discuss how to use eBPF techniques to analyze performance bottlenecks of Layer 7 protocols and how to enhance the tracing system using network sampling.

This article will show how to use Apache SkyWalking with eBPF to enhance metrics and traces in HTTP observability.

Read More
Announcements, Service Mesh, Tetrate, Tetrate Service Bridge, Wasm

Scaling Service Mesh Efficiently for Enterprise Workloads, Environments, and Teams with Tetrate’s Brooklyn Release

Today, we are excited to announce the general availability of Tetrate’s Brooklyn release. This marks a major evolution of Tetrate Service Bridge (TSB), a service mesh powered application connectivity platform that enables global enterprises to modernize applications, migrate one or more clouds, achieve zero-trust security, and automate infrastructure resilience. New TSB capabilities will make deploying Istio and Envoy at scale even easier for platform teams, enforcing global policies effortless for security teams, and troubleshooting service mesh workloads self-service for application teams. We’ve also productized best practices and lessons learned from delivering production service mesh for global financial services and federal institutions, so every security-focused organization can benefit from a service mesh without the overhead. In this blog, I will introduce these new TSB capabilities as well as recap relevant recent innovations in Tetrate Istio Distro (TID) and our contributions to open source projects. 

If you are already familiar with TSB and want to dive into the technical details, jump straight into the release notes

If you are new to Tetrate, read on for a comprehensive introduction, and register for the demo webinar to get a closer look.

Read More
Top 10 Blog Post
API Gateway, Envoy Proxy & GetEnvoy, Istio, Kubernetes, Service Mesh, Tetrate, Wasm

Top 10 Blog Posts of 2022

The Tetrate blog highlights best practices and educational content on service mesh, open source, and related technologies. Our team is dedicated to providing quality how-tos, thought leadership pieces, and market developments with our commentary to help our readers stay informed and up-to-date on the latest developments in the industry. It is great to see that our readers appreciate these posts. Without further ado, here are the top 10 blog posts our readers scoured this year. 

Read More
ABAC, Istio, Security, Service Mesh, Tetrate, Zero Trust

Top 5 Kubernetes Security Best Practices for Authentication and Authorization


As we’ve written here before, there’s increasing urgency for organizations—especially those operating in a regulatory environment—to adopt a zero trust network architecture. Just what that means and how to do it may not be immediately clear. When it comes to microservices applications, the National Institute of Standards and Technology (NIST) offers guidance for microservices security in the SP 800-204 series, co-written by Tetrate co-founder Zack Butcher (which we’ve also covered on this blog).

NIST’s reference architecture for microservices security is Kubernetes and the Istio service mesh. In this article, we’ll look at NIST’s recommendations for using a service mesh for authentication and authorization in microservices applications.

At the heart of a zero trust posture is the assumption that an attacker is already in your network. All of these policy recommendations will help prevent potential attackers from pivoting to other resources should they breach your network perimeter. If you use a service mesh as described in the NIST reference platform, all of these capabilities are built into a dedicated infrastructure layer that acts as a security kernel for microservices applications. This means security policy can be applied consistently (and provably) across all your apps—and so your product development teams don’t have to be security experts for your apps to run safely.Service mesh allows fine-grained access control to be layered on top of traditional security measures as part of a defense-in-depth strategy. The mesh sits as a powerful middle layer in the infrastructure: above the physical network and L3/L4 controls you implement, but under the application. This allows more brittle and slower-to-change lower layers to be configured more loosely—allowing more agility up the stack—because controls are accounted for at higher layers.

Read More
Tetrate - A year in review
Announcements, Tetrate

2022: A Year in Review

2022 has been a busy and exciting year for the Service Mesh industry, and, likewise, for us here at Tetrate. In this post, we’ll take you through what we Tetrands have been up to, what that’s meant for our product, and what we’ve seen in the wider community.

Leading enterprises have traffic security and observability at the top of their app-modernization strategies. 2022 was the year when the value of Service Meshes began to be understood – as the best way to achieve these needs, even in complex and regulated environments.

But adoption is just the start; folks need to be empowered to be successful. When we talk about user success, we often talk about the “three Ps” – Product, People, and Partnerships. These are all vital, and with open-source projects like Istio, Envoy, and more, we’ll add a C: Community.

Read More

How Istio’s “Ambient Mode” Transparent Proxy—tproxy—Works Under the Hood

Istio’s new “ambient mode” is an experimental, “sidecar-less” deployment model for Istio. Instead of a sidecar proxy in front of every workload, ambient mode uses tproxy and HTTP Based Overlay Network Environment (HBONE) as key technologies for transparent traffic intercepting and routing that we covered in our recent article on transparent traffic intercepting and routing in the L4 network of Istio Ambient Mesh. In this article, we’ll take a closer look at tproxy and how it’s used.

Read More