Apache Kafka with Istio on K8s
Toader & Zsolt Varga, 2021-Feb-26. Apache Kafka with Istio on K8s: • Scalability • Resiliency • Security • Observability • Disaster recovery. Production grade Apache Kafka on Kubernetes: • Secure certificate provided by Istio Proxy sidecar container • Each Kafka client request gets a client certificate attached automatically by Istio Proxy sidecar container • Client certificate includes the K8s ...
14 pages | 875.99 KB | 1 year ago
Observability and Istio Telemetry
吴晟 (Apache SkyWalking creator, Apache ShardingSphere co-founder, Microsoft MVP, Tetrate founding engineer, Bitmain tech expert), Service Mesh Meetup #4, Shanghai. ... • ServiceRelation • ServiceInstanceRelation • EndpointRelation • etc. https://github.com/apache/incubator-skywalking/blob/master/docs/en/concepts-and-designs/oal.md • Extendable aggregation. Five query types: • Metadata • Metric • Aggregation • Trace • Alarm. https://github.com/apache/incubator-skywalking-query-protocol. Ecosystem powered by GraphQL and SkyWalking core • Open source ...
21 pages | 5.29 MB | 6 months ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
... Databases, key-value stores: Oracle, MySQL, etc. ○ Big data systems & pipelines: Hadoop, Apache Spark, Apache Flink, etc. ○ Machine learning platforms: TensorFlow, PyTorch, Jupyter Notebook, etc. ○ ...
22 pages | 505.96 KB | 1 year ago
Istio is a long wild river: how to navigate it safely
Guardrails for Istio. Istio sidecar proxy specifications (Stabilizing Istio): Pod, App container, Sidecar container. All incoming traffic must flow through the sidecar first when entering the pod; all outgoing traffic must flow through the sidecar before leaving the pod. What happens when the sidecar container is not ready? Pod, App container, Sidecar container (not running): the incoming traffic is sunk into the void; the outgoing traffic cannot leave the pod. What happens when the sidecar container is not ready? ● 2 cases where it happens frequently: ○ During pod creation ○ During pod deletion ...
69 pages | 1.58 MB | 1 year ago
Istio Security Assessment
... Default Injected Init Container Requires Sensitive Capabilities (021, Low). Execution of System Commands without Validation (008, Informational). Weak Trust Boundary Between Workload Container and Proxy Sidecar ... security-related configuration options, but the only options included are how to “Harden Docker Container Images” and “Extending Self-Signed Certificate Lifetime”. There’s an opportunity to highlight ... provided by istioctl does not enable seccomp or AppArmor by default, which increases the chances of a container breakout affecting the host or the cluster. These security controls are also currently disabled ...
51 pages | 849.66 KB | 1 year ago
宋净超: From open-source Istio to enterprise-grade services: how to land a service mesh in the enterprise
... zero trust multi-cloud conference. Best in class team: ● Creators of the service mesh Istio, gRPC, Apache SkyWalking, Zipkin from Google, Twitter, & VMware ● Top contributors to Envoy and Istio ● Wrote ...
30 pages | 4.79 MB | 6 months ago
Istio Meetup China: Service mesh security, understanding Istio CNI (Istio Init)
Start istio-init container in workload; Istiod watches updates & starts networking sidecar proxy; init container updates iptables rules for the proxy; terminate init container; start workload with updated ... Benefits of Istio CNI: no need for CAP_NET_ADMIN and CAP_NET_RAW permission; no need for istio-init container means faster startup speed (need validation instead). Issue in Istio CNI: Kubelet starts a pausing ... bypassing all iptables rules set by data plane proxies. Troubleshooting Istio CNI: check the istio-proxy container through nsenter; check CNI logs in kubelet (journalctl). Will do: Grafana board for istio CNI logging ...
19 pages | 3.17 MB | 1 year ago
Introduction to Envoy internals and pitfalls encountered in production
[2021-03-03T10:32:47.139Z] "POST /v1/xx/xx/xx/xx/xx/983980038/stopxx HTTP/1.1" 503 UC "-" "-" 0 95 1 - "10.13.22.7" "Apache-HttpClient/4.5.12 (Java/1.8.0_232)" "U4REJ819523DU961535U8316KUUG2G3X" "10.18.8.13:28443" "10.190 ...
30 pages | 2.67 MB | 1 year ago
IstioMeetupChina: Service mesh hot-upgrade technology sharing
... the drain process, the phase in which two instances coexist • Able to control image replacement throughout the hot-upgrade process • A more powerful lifecycle management component • Inject two containers into Pods that need hot upgrade: Sidecar & Empty • Support managing the Sidecar Container lifecycle during hot upgrade. Implement Hot-Upgrade: • Negotiation of Envoy hot-restart parameters • PilotAgent needs ... [conta]iner replaced with the new Sidecar image; the new Sidecar image starts • The new Envoy process interacts with the old Envoy and begins the hot-restart flow • When the maximum drain time is reached, the SidecarSet Controller replaces the old Container with the Empty image • Hot upgrade complete. • Why the service mesh data plane needs hot upgrade • Implement hot upgrade • Practice hot upgrade. Catalog. Practice ASM Hot-Upgrade ...
14 pages | 2.25 MB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio mesh enabled
• Enable Istio mesh on Knative: data flow with Istio mesh/mTLS. #IstioCon ○ Init-container added, which costs ~5 seconds for Knative application pod cold start. ○ Every sidecar needs full iptables configuration ... parts to CNI. But another init-container, istio-validation, is introduced. ○ We can remove the istio-validation container by modifying the injection template. Mitigations: ○ ...
23 pages | 2.51 MB | 1 year ago
16 results in total