Cilium's Network Acceleration Secrets
return) implementation, which effectively reduces the number of network forwarding hops, greatly improves nodePort forwarding performance, and lowers access latency. Related tests show: • In kube proxy iptables mode, request completion time is 1.6 ms and connect time is 0.9 ms • In Cilium DSR mode, request completion time is 1 ms and connect time is 0.4 ms node2 pod2 process kernel network stack nodePort extracted from the IP header eBPF acceleration of local communication: communication between local applications has to pass through lengthy kernel protocol stack processing. With the growing popularity of serviceMesh in particular, accelerating sideCar redirection has become an important topic. cilium uses socket eBPF programs to accelerate forwarding of communication between local applications. Related tests show: in some test scenarios, the TPS performance of communication between local applications improves by about
0 码力 | 14 pages | 11.97 MB | 1 year ago
openEuler 23.09 Technical White Paper
• openEuler DevKit: supports more development tools such as operating system migration, compatibility assessment, and secPaver for simplified security configuration. System framework: the openEuler community connects with the upstream and downstream ecosystem, building diverse community partnerships and collaboration models to jointly drive version evolution. Platform framework, international open source communities, processors, industry ISV vendors, broader community partners, operating system vendors, joint participation, diverse computing power vendors, government, carriers, public safety, finance, electric power, other upstream communities, adhere to Current capabilities of the mixed-criticality deployment framework: • Supports lifecycle management and cross-OS communication for openEuler Embedded Linux and RTOS (Zephyr/UniProton) in bare-metal mode. • Supports lifecycle management and cross-OS communication for openEuler Embedded Linux and RTOS (FreeRTOS) in partitioned virtualization mode. • Supports, in bare-metal mode, on openEuler Embedded Linux Cortex-M, ARM64 and X86_64 architectures; supports M4, RK3568, X86_64, Hi3093 and Raspberry Pi 4B chips and boards. • Supports mixed deployment with openEuler Embedded Linux via bare-metal mode on Raspberry Pi 4B, Hi3093 and X86_64 devices. • Supports remote debugging via gdb on the openEuler Embedded Linux side. • Supports 360+ POSIX interfaces; supports file systems, device management, shell
0 码力 | 52 pages | 5.25 MB | 1 year ago
Getting Started and Beyond: Istio Multicluster with GitOps
components Handles Custom Resources Handles actual traffic Can be standalone or sidecar Other Container Istio Sidecar Proxy Istio Ingress Gateway Istio Egress Gateway @rytswd Istio Operator istio-operator Example ● Data Plane with 5 proxies ● Each pod knows endpoint details of other pods ● Can be Sidecar or Gateway component #IstioCon Brush up on Istio resources (cont’d) Target Audience What to expect About GitOps Second Demo What’s next? Control Plane Data Plane istiod Some container Istio Sidecar Proxy Istio Ingress Gateway Istio Egress Gateway @rytswd DestinationRule ServiceEntry Gateway
0 码力 | 38 pages | 3.05 MB | 1 year ago
DoD CIO Enterprise DevSecOps Reference Design - Summary
Software Factory Reference Design Software Factory using Cloud DevSecOps Services Sidecar Container Security Stack Sidecar Container Security Stack enables: correlated and centralized logs, container security runtime behavior analysis, and container policy enforcement. The security stack in the security sidecar container will include: 1. A logging agent to push logs to a platform centralized logging service using certificates, and whitelisting rather than blacklisting. Services that support the security sidecar include: 1. Program-specific Log Storage and Retrieval Service 2. Service Mesh 3. Program-specific
0 码力 | 8 pages | 3.38 MB | 5 months ago
THE GITOPS GUIDE TO BUILDING & MANAGING INTERNAL PLATFORMS
their actions from the sidecar. The first benefit of a sidecar model is, because it is injected alongside and not inside a container, you can independently update the sidecar or the container. The second that even if your software team does not know about sidecars, they are still going to utilize the sidecar and its benefits. This is what baked-in security looks like in practice. 3. Enforce zero-trust
0 码力 | 15 pages | 623.52 KB | 1 year ago
Cilium v1.5 Documentation
the Cilium-specific variant of Pilot to inject the Cilium network policy filters into each Istio sidecar proxy: $ curl -s https://raw.githubusercontent.com/cilium/cilium/v1.5/examples/ku $ awk -f cilium-pilot plates/ > istio-cilium-helm/charts/pilot/templates/deployment.yaml Configure the Istio’s sidecar injection to setup the transparent proxy mode (TPROXY) as required by Cilium’s proxy filters: $ sed nfigmap.yaml Modify the Istio sidecar injection template to add an init container that waits until DNS works and to mount Cilium’s API Unix domain sockets into each sidecar to allow Cilium’s Envoy filters
0 码力 | 740 pages | 12.52 MB | 1 year ago
Cilium v1.10 Documentation
integration allows Cilium to enforce HTTP L7 network policies for mTLS protected traffic within the Istio sidecar proxies. Note that Istio can also be deployed without Cilium integration by running a standard version of istioctl. In that case Cilium will enforce HTTP L7 policies outside of the Istio sidecar proxy, but that will only work if mTLS is not used. If you haven’t read the Introduction to Cilium & Helm. Without this option, when Cilium does service resolution via socket load balancing, Istio sidecar will be bypassed, resulting in loss of Istio features including encryption and telemetry. Step 2:
0 码力 | 1307 pages | 19.26 MB | 1 year ago
Cilium v1.9 Documentation
integration allows Cilium to enforce HTTP L7 network policies for mTLS protected traffic within the Istio sidecar proxies. Note that Istio can also be deployed without Cilium integration by running a standard version of istioctl. In that case Cilium will enforce HTTP L7 policies outside of the Istio sidecar proxy, but that will only work if mTLS is not used. If you haven’t read the Introduction to Cilium & /cilium-istioctl install -y Add a namespace label to instruct Istio to automatically inject Envoy sidecar proxies when you deploy your application later: kubectl label namespace default istio-injection=enabled
0 码力 | 1263 pages | 18.62 MB | 1 year ago
Cilium v1.11 Documentation
integration allows Cilium to enforce HTTP L7 network policies for mTLS protected traffic within the Istio sidecar proxies. Note that Istio can also be deployed without Cilium integration by running a standard version of istioctl. In that case Cilium will enforce HTTP L7 policies outside of the Istio sidecar proxy, but that will only work if mTLS is not used. If you haven’t read the Introduction to Cilium & Helm. Without this option, when Cilium does service resolution via socket load balancing, Istio sidecar will be bypassed, resulting in loss of Istio features including encryption and telemetry. Step 2:
0 码力 | 1373 pages | 19.37 MB | 1 year ago
Cilium v1.6 Documentation
/cilium-istioctl manifest apply -y Add a namespace label to instruct Istio to automatically inject Envoy sidecar proxies when you deploy your application later: kubectl label namespace default istio-injection=enabled traffic to the microservice, specific to each service version. To deploy the application with manual sidecar injection, run: for service in productpage-service productpage-v1 details-v1 reviews-v1; do possible, from previous daemon (default true) --sidecar-istio-proxy-image string Regular expression matching compatible Istio sidecar istio-proxy container image names (default "
0 码力 | 734 pages | 11.45 MB | 1 year ago
85 results in total