Envoy internals and production pitfalls (Envoy原理介绍及线上问题踩坑)
…will be unable to distinguish the traffic of the two connections. Therefore, once the first connection has been established, the SYN packet of the second connection is treated as a duplicate and dropped, and the second connection fails to establish.
Solution:
1. Work with the customer to split the two microservices into separate Pods (in line with microservice decomposition principles).
2. If the microservices cannot be split, the source-port reuse problem itself has to be solved; this approach is not currently used.
TCP five-tuple (must be unique, otherwise conntrack cannot tell the connections apart): srcip:srcport, prot, dstip:dstport
/logging?connection=trace #Cxxx
• Packet capture
• Enter the pod's container network namespace and run: tcpdump -i any 'port (15001 or 8080)' -w fortio.cap
• Load-testing tool
• fortio load -qps 3000 -c 128 -t 60s --keepalive=false http://backend-welink:8123 #http10
码力 | 30 pages | 2.67 MB | 1 year ago

Baidu APP infrastructure upgrade based on Istio - lightning talk - MichaelXu
…jointly build advanced architectural capabilities on the Mesh architecture, providing generalized, shared-platform service governance capabilities to different modules, different product lines and even the whole company, thereby accelerating the development and iteration of service governance technology and improving the portability of architectural capabilities. #IstioCon
Technical approach
• Core principles: pragmatism, high stability, low migration cost.
• Core ideas:
  • Single hop first, then double hop.
  • Push service discovery down into Envoy.
  • Transparent traffic interception based on RPC + service discovery.
  • Self-built configuration center, packaged as a product.
码力 | 9 pages | 2.20 MB | 1 year ago

Istio Security Assessment
…container has the CAP_SETUID, a default capability, any process with the capability can change its UID to 1337, enabling the bypass described above. – When a container has CAP_NET_ADMIN granted, it can rewrite its own iptables rules and bypass the Envoy proxy. – When a container has CAP_NET_RAW granted, it can listen for packets received by the Envoy proxy or inject raw packets that bypass … into the appropriate interfaces of the sidecar proxy. However, this operation requires the CAP_NET_ADMIN and CAP_NET_RAW capabilities,[18] which are enabled in the injected init container spec. However, this
码力 | 51 pages | 849.66 KB | 1 year ago

Istio Meetup China: service mesh security, understanding Istio CNI
…install sidecar network routing rules into the workload's iptables. Benefits of Istio CNI: no need for the CAP_NET_ADMIN and CAP_NET_RAW permissions; no need for the istio-init container, which means faster startup (needs validation
码力 | 19 pages | 3.17 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
…itself. The finding was reported by the auditing team to the Istio maintainers, because Istio does not cap the size of requests made on an h2c connection, which could lead to a denial of service scenario if
码力 | 55 pages | 703.94 KB | 1 year ago

5 results in total