#IstioCon Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio 张龚, Gong Zhang, IBM China Development Lab 庄宇, Yu Zhuang, IBM China Development Lab #IstioCon Cloud. #IstioCon ● Knative and Istio ● How Istio is leveraged in a Knative based platform ● Performance bottleneck analysis and tuning ○ Istio scalability optimization during Knative Service provisioning mesh enabled (based on https://github.com/knative/serving) #IstioCon Performance bottleneck analysis and tuning • Performance Criteria: the platform has multiple shard k8s clusters, each cluster should

The leader in digital services and sales New IT Platform Reliability 99.99% 0 loses, 0 downtime AI Platform launched and gives significant additional revenues and cost savings Corporate loans services Market shares in Russia, % 32.2 42.3 23.5 44.9 Unlimited throughput Improved performance because of elimination of integration intermediary Integration expenses reduction Cloud oriented

Label selector updates for app and version labels ● Istio default retry policy ● Istio proxy performance and load testing ● Abstracting the Istio features 44 Moving HTTP/2 load-balancing from client-side Istio proxy performance and capacity Adopting Istio ● Putting sidecars everywhere has a cost ○ Latency ○ Compute resources The Istio 1.9 community reference values for sidecar performance are: ● Latency: business ○ Reliable performance ○ Reasonable cost Istio proxy performance and capacity Adopting Istio ● Put in another way, know your tradeoffs: ○ How acceptable is the performance loss for the added

Gateway ■ Multiple networks ● all goes though the Gateway ● via L3 networking (if enhanced performance is desired) #IstioCon Demo #IstioCon Istio VM integration seems closer to be production ready isolation for multi-vendor services ○ End-to-end security! (not just between middle boxes) ● High performance networking ○ Much higher multi-Gbps peak data speeds ○ Ultra low latency ○ And of course, reduce 2 ● Dedicated Egress Gateway ○ Compatibility reasons ○ Performance & Security #IstioCon Legacy VNF  CNF: Option 3 ● Further performance concerns #IstioCon End-to-end Key Protection ● SDS (Secret

inconsistent ○ Release and Upgrade Notes ○ Release date slip ○ Release with known issues ○ Performance and resource usage ● Istio community didn’t have a process #IstioCon Led To ● Upgrade Working security, patch, major ● Where to post announcements ● What to look for when examining releases ○ Performance ○ Resource usage ○ Open issues ○ Features being promoted ○ Release notes and upgrade notes Open issues and priorities ● Issues being promoted ● Features awaiting documentation ● Weekly performance ● Open release blockers #IstioCon Thanks also to the efforts of: ● Mitch Connors ● Nathan

in service mesh ● Background knowledge of eBPF ● Independent solution to bypass TCP/IP stack ● Performance Comparision Istio Meetup China TCP/IP stack overhead ● All the application data goes via sidecar Envoy to Envoy Acceleration(same host) Istio Meetup China Deploy eBPF Istio Meetup China Performance Comparison Refactored istio benchmarking tool ◦ Two pods run on the same node Configurations

Control-plane scale testing ● Data-plane performance of Envoy is well documented ● Control-plane scale testing ○ Primary Goal ■ Understand Istio control-plane performance to support eBay scale ■ Proxy config

information about Pilot itself including detailed runtime information to allow for process debugging or performance analysis. This also includes potentially sensitive information that should not be accessible to Low Attackers can gain small amounts of unauthorized information or slightly degrade system performance. May have a negative public perception of security. Exploitability Exploitability reflects the

#IstioCon Outbound Acceleration #IstioCon Envoy to Envoy Acceleration(same host) #IstioCon Performance Comparison #IstioCon Thank you!

blast radius ● Discover Pods for controlled and predictable routing/load balancing ● Improve performance and resilience ● Stricter zonal routing ● Capability for service authentication and authorisation