the service mesh @ Medium ● Reference implementation and run-it-yourself-demo at github.com/omio-labs/devro ute

presenting Google and IBM Aspen Mesh & independent contributor Solo.io Intuit RedHat Descartes Labs # live viewers 1108 1192 1080 955 807 677 #IstioCon Most popular sessions in Chinese Session

plane can obtain unauthenticated access to this information. Description The Golang trace profiling library used by Pilot provides administrators debug information about Pilot itself including detailed runtime Reference Cluster The assessment was performed using a variety of types environments including GCP, AWS, minikube, and GKE but for reference, each of the findings can be found within the reference cluster

Deploy Debug Debug in Production Cluster 1 Acco unt User Cluster 2 Istiod Order s User AWS EKS Istiod Order s User Acco unt Ingre ss Ingre ss Ingre ss Gloo Mesh Management Plane SRE

Egress Mesh include VMs Before using service mesh: 100+ Kubernetes cluster ● VM integration ● On-prem, AWS, Azure, GCP, OpenShift ● 10000+ core business apps ● Plan to move to public cloud in 18 months ●

proxy svc proxy svc Logging Backend Quota Backend Auth Backend Metric Backend Prometheus AWS New Relic Huawei-APM apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: requestduration

proxy svc proxy svc Logging Backend Quota Backend Auth Backend Metric Backend Prometheus AWS New Relic Huawei-APM apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: requestduration

Kubernetes is pretty bad at load-balancing it ● So we solved it by using a client-side load-balancing library + Headless Services Headless services are to us what ClusterIP services are to common people! However Calling authn/z service on each call? Depending on the answers, the application RPS measured in library may vary between 2 and n times when using Istio. 61 Istio proxy performance and capacity Adopting requests: 10000 RPS at library level Istio RPS: 20000 RPS Service with 5 requests: 10000 RPS at library level Istio RPS: 50000 RPS 63 Istio proxy performance and

file close ● 1 certificate skipping ● 1 case unhandled errors ● 1 case of using a deprecated library ● 1 race condition 2 Istio Security Audit, 2023 Notable findings Issue 10 - “H2c handlers are verification Low High Yes 7 Unhandled errors Informational n/a Yes 8 Use of deprecated 3rd party library Low High Yes 9 TOCTOU race conditions in file utils Medium High Yes 10 H2c handlers are uncapped 1024*1024*10), f.destDirRoot) } 40 Istio Security Audit, 2023 8: Use of deprecated 3rd party library Severity: Low Difficulty: High Fixed: Yes Affected components: ● pkg/model Vectors: ● CWE-1104:

Proxy侧的配置 9 OCI Registry As Storage ● OCI Artifacts项目的参考实现, 可显著简化OCI注册库中任意内容的存储; ● 可以使用ORAS API/SDK Library来构建自定义工具， ○ 将WebAssembly模块推入到OCI注册库中; ○ 或者从OCI注册库中拉取WebAssembly模块; ● oras cli类似于docker cli 10