Is Your Virtual Machine Really Ready-to-go with Istio?
reasons ■ Better known security controls ■ Better isolation (of resources, fault domains etc.) ■ Compatibility (non-Linux, unikernels) ○ Business reasons ■ Legacy applications ■ Deterministic workloads service owners sometimes #IstioCon Legacy VNF CNF: Option 2 ● Dedicated Egress Gateway ○ Compatibility reasons ○ Performance & Security #IstioCon Legacy VNF CNF: Option 3 ● Further performance number of nodes ○ More traffic across Pod/VMs on the same node #IstioCon QUIC ● A new transport protocol ● A little like TCP + TLS, but built on top of UDP ○ Uses UDP like TCP uses IP ○ Adds connections
50 pages | 2.19 MB | 1 year ago

Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
gRPC ● RPC: HTTP, gRPC, Thrift, Dubbo, Proprietary RPC Protocol … ● Messaging: Kafka, RabbitMQ … ● Cache: Redis, Memcached ... ● Database: MySQL, PostgreSQL, MongoDB ... ● Other Layer-7 Protocols: an Istio service mesh, but the inter-service communication is done by AwesomeRPC, our own RPC protocol, instead of HTTP. So, how could we achieve layer-7 traffic management for AwesomeRPC in Istio breaker ● Fault injection ● Stats ● ... Pros: ● It’s relatively easy to add support for a new protocol to the control plane, given that the envoy filter is already there Cons: ● You have to maintain
29 pages | 2.11 MB | 1 year ago

Preserve Original Source Address within Istio
transparent mode, two connections L4 • Add IP in TCP Protocol options • Proxy Protocol L7 • HTTP header “x-forwarded-for” • User Protocol #IstioCon LVS ① user sends traffic to LVS ② PREROUTING kernel #IstioCon Proxy Protocol Proxy Protocol v1 PROXY Protocol prepends every connection with a header reporting the client IP address and port. A PROXY Protocol plain-text header has the Proxy Protocol v2 #IstioCon Proxy Protocol client Server Establish TCP connection Proxy Protocol binary header Application data - The client and server side must support proxy protocol simultaneously
29 pages | 713.08 KB | 1 year ago

13 Istio Traffic Management Principles and Protocol Extension, 赵化冰
Breaker – Layer-4 routing (IP + Port) – Layer-4 metrics (TCP packets sent/received, etc.) IP Header TCP Header Layer 7 Protocol Header Layer 7 Protocol Data The layer-7 protocols Istio supports are very limited: HTTP 1.1, HTTP2, gRPC. All other protocols can only be handled at layer 4 (control-plane support for Thrift, Redis and other layer-7 protocols is very limited). A good protocol extension mechanism is currently missing • Pilot needs to understand protocol-specific knowledge in Envoy filters • Maintaining many layer-7 protocols in the Pilot code base is costly 12 Istio protocol extension: routing for common layer-7 protocols Protocol Destination service Parameters could be used for routing HTTP 1.1 host host, path, method, headers ServantName, FuncName, Context Dubbo service name service name, service version, service method Any RPC Protocol service name in message header some key:value pairs in message header 13 Istio protocol extension: a protocol-agnostic generic routing framework
20 pages | 11.31 MB | 6 months ago

Secure Your Microservices with Istio Step by Step
ingressgateway # use istio default controller servers: - port: number: 443 name: https protocol: HTTPS tls: mode: SIMPLE credentialName: productpage-credential hosts: - without jwt token ○ request with invalid jwt token Redeploy bookinfo sample services with http protocol and with sidecar injected 1) Apply deny-all authorization policy 2) Apply productpage-viewer policy reviews-viewer policy 5) Apply ratings-viewer policy Redeploy bookinfo sample services with http protocol and with sidecar injected 1) Apply deny-all authorization policy 2) Apply productpage-viewer policy
34 pages | 67.93 MB | 1 year ago

Istio Is a Long Wild River: How to Navigate It Safely
Sidecar ● Use protocol-specific traffic sniffing (i.e. gRPC call discovery) to find out dependencies ● eBPF magic to get service calls? We use the first approach currently as it is protocol-agnostic and
69 pages | 1.58 MB | 1 year ago

Istio Project Update
Istio simplify VM onboarding #IstioCon Istio Standardize APIs Adopt Kubernetes service API Protocol declaration in Kubernetes service descriptor Transform informal API to formal API External authz
22 pages | 1.10 MB | 1 year ago

Apache Kafka with Istio on K8s
uniform way • Envoy WASM filters open the gates for a whole array of useful features such as Kafka protocol-level metrics, extended client throttling, audit logs to name a few Takeaway 13 Q&A Thank you
14 pages | 875.99 KB | 1 year ago

Moving Large-Scale Consumer E-commerce Infrastructure to Mesh
use-cases and features say mTLS, Outlier detection etc. ● Passthrough mode downgrades gRPC/HTTP2 protocol to HTTP/1.1 ● Tune connection and TCP settings ● Handle signals gracefully (SIGINT, SIGTERM)
14 pages | 1.76 MB | 1 year ago

Istio + MOSN: An Exploration in Dubbo Scenarios
• Increases operational complexity • Latency • Requires a larger technology stack 6/23 Exploring Istio technical points /02 Understanding Istio technical points 7/23 MCP MCP (Mesh Configuration Protocol) provides a set of APIs for subscription and push. It is split into Source and Sink: • Source is the resource provider (server); when a resource changes it is pushed to the subscriber (Pilot); before Istio 1.5 this
25 pages | 3.71 MB | 6 months ago