503 UF问题分析 现象 日志报错503 UF，等待8S后建立连接失败。 日志如下： [2021-02-09T06:29:10.489Z] "GET /v1/xx/xx/xx/xx HTTP/1.1" 503 UF "-" "-" 0 91 288 - "100.95.165.3" “xx-xx" "513cca39-1ea7-47db- 8c04-a5827464ce22" "100.85.225 src1:sport1,tcp, pod2ip:15006 现象 日志报错503 UO 日志如下： [2021-03-31T11:16:55.538Z] "GET /aaabbbcccddd HTTP/1.1" 503 UO"-" "-" 0 81 5 - "-" "-" "3c2a392c-56fc-9d8c-9895-f657a4444679" "test-503-svc:8080" "-" - - UC错误，请求时延很短，但会断开连接。 日志如下： [2021-03-03T10:32:47.139Z] "POST /v1/xx/xx/xx/xx/xx/983980038/stopxx HTTP/1.1" 503UC"-" "-" 0 95 1 - "10.13.22.7" "Apache- HttpClient/4.5.12 (Java/1.8.0_232)" "U4REJ819523DU961535U8316KUUG2G3X"

Plateau of Productivity Istio 1.1 Don’t Forget about HA & DR Tracing Store Logging Store Event Hub DBs Istio Egress Other External Services Istio Ingress OCP 4.1 Istio 1.1 Istio Egress Istio Ingress

(Container -> VM) 1. Manual registration istioctl -n onprem register mysql 1.2.3.4 3306 #IstioCon V1.1 Introducing Service Entry Service Entry v.s. Service v.s. Endpoints ● Service Entry ○ An entry that Usually for internal traffic ○ ExternalName ■ Service <-> DNS name ○ External IPs #IstioCon V1.1 ServiceEntry #IstioCon V1.6-1.8 Better VM Workload Abstraction A K8s Service and Pods Two separate

Metrics（TCP收发包数量等） IP Header TCP Header Layer 7 Protocol Header Layer 7 Protocol Data Istio 支持的七层协议非常有限：HTTP 1.1、 HTTP2、 gRPC 其余协议只能在四层进行处理（Thrift、Redis 等其他七层协议的控制面支持非常有限） 11 Istio 协议扩展：控制面和数据面需要进行的改动 apiVersion: 12 Istio 协议扩展：常见七层协议的路由 Protocol Destination service Parameters could be used for routing HTTP 1.1 host host, path，method headers HTTP 2 pseudo header: authority pseudo header: authority, path，method，

Istio Security Assessment Google August 6, 2020 – Version 1.1 Prepared for Arun Kumar R Prepared by Mark Manning Jeff Dileo Divya Natesan Andy Olsen Feedback on this project? https://my.nccgroup hardened, Istio environment should be. • /docs/tasks/security/: When comparing latest with the older v1.1 documentation, there currently are 3 security “tasks” versus 12 in the previous versions. This is in-part

features say mTLS, Outlier detection etc,. ● Passthrough mode downgrades gRPC/http2 protocol to Http/1.1 ● Tune connection and TCP settings ● Handle signals gracefully (SIGINT, SIGTERM) ● Automate for

envoy_on_response(request_handle) #IstioCon Who and where to reroute ? #IstioCon The contract GET / HTTP/1.1 Host: example.com User-Agent: curl/7.64.1 X-devroute: { “foo”:”192.168.1.12:8001” } Accept: */*

https://istio.io/latest/blog/2021/ncc-security-assessment/NCC_Group_Google_GOIST2005 _Report_2020-08-06_v1.1.pdf. These issues were found in an audit performed in 2020 that found a total of 18 issues: 4 High