Istio audit report - ADA Logics - 2023-01-30 - v1.0
The control plane is responsible for applying user configuration to the proxies. The following diagram demonstrates the Istio architecture: [architecture diagram] Istio Security Audit, 2023. Trust boundaries: We identify
0 credits | 55 pages | 703.94 KB | 1 year ago | 3
Optimal Canary Deployments using Istio and how it scores over Spring Cloud and Kubernetes
Release or Deployment? • A canary deployment, or canary release, is a deployment pattern that allows you to roll out new code/features to a subset of users as an initial test. [Diagrams: "Canary Releases Using Kubernetes Deployment"; a Service (load balancer) at www.my-application.com splits external traffic between the old and new Deployment pods, first 75%/25%, then 50%/50%, then 0%/100%]
0 credits | 9 pages | 1011.00 KB | 1 year ago | 3
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Service Mesh using Istio, Sudheendra Murthy, #IstioCon. Agenda ● Introduction ● Applications Deployment ● Service Mesh Journey ● Scale Testing ● Future Direction. Introduction: eBay at ● Running on a variety of hardware ○ General-purpose x86 servers ○ GPUs. Application Deployment: Cloud Layout ● Region: A metro region ● DC: One or more Data Centers in each Region ● AZ: PoPs are mini AZs [Diagram: Region R1 with AZ 1, AZ 2 … AZ n and Data Center DC1; Region Rn]. Application Deployment: Cloud Layout ● Multiple K8s Clusters in an AZ ○ Each K8s cluster ~ 200 - 5,000 nodes ○ Up to
0 credits | 22 pages | 505.96 KB | 1 year ago | 3
Istio Security Assessment
security-related topics to a single page. Right now there are “Security” topics included within Deployment, Configuration, Best Practices, and Common Problems, but there are also topics that are security … in a DoS attack if a large request is made repeatedly. Description: Pilot runs in the “istiod” Deployment within the Istio control plane along with a set of TCP services that it exposes, one of which is … of extra features • empty: provides a template • minimal: minimal config to get an operational deployment • preview: enables experimental features. The “default” profile (used to generate the Kubernetes
0 credits | 51 pages | 849.66 KB | 1 year ago | 3
Canary release practice for Kubernetes container applications based on Istio
Canary release: the form in which canary versions exist. kind: Deployment metadata: name: rating-v1 spec: replicas: 2 template: metadata: labels: app: rating version: v1 spec: containers: - image: rating-v1 ... --- kind: Deployment metadata: spec: containers: - image: rating-v2 ... [Diagram: a Kubernetes Service selecting two Deployments, one per version, through a label selector; Istio] Several important Istio resource objects • Entry resource objects • VirtualService • DestinationRule • Important attributes
0 credits | 38 pages | 14.93 MB | 1 year ago | 3
Canary release practice for Kubernetes container applications based on Istio
Canary release: the form in which canary versions exist. kind: Deployment metadata: name: rating-v1 spec: replicas: 2 template: metadata: labels: app: rating version: v1 spec: containers: - image: rating-v1 kind: Deployment metadata: name: spec: containers: - image: rating-v2 [Diagram: a Kubernetes Service selecting two Deployments, one per version, through a label selector; Istio] Several important Istio resource objects • Entry resource objects – VirtualService – DestinationRule •
0 credits | 34 pages | 2.64 MB | 6 months ago | 3
Introduction to Envoy internals and pitfalls encountered in production
The istio-init container is added to configure the iptables rules inside the container's network namespace • The istio-proxy container starts the pilot-agent process, which creates the Envoy startup command line and configuration file as UID=1337 GID=1337 • Automatic injection can be skipped, or some startup parameters changed, via the Istio annotation sidecar.istio.io/inject: “false” in a custom deployment. • 2. Control-plane communication • The pilot-agent process itself creates a UDS … after building the envoy binary, replace the existing envoy image and configure it as the image of the custom deployment • Dockerfile: • From istio/proxyv2:1.9.0 COPY envoy /usr/local/bin/envoy COPY pilot-agent /usr/local/bin/pilot-agent • Some startup parameters can be changed via the Istio annotation in a custom deployment. • proxy … 14 high-performance service mesh data-plane proxy. xDS: the gRPC-based application-layer protocol used between Envoy and an upper control plane such as istiod to transport configuration changes. Automatic injection and traffic interception: when a POD is created, istiod automatically modifies the deployment and injects the istio-init and istio-proxy containers into the newly created POD; when a call is made, the iptables rules automatically intercept inbound and outbound traffic into the Envoy proxy. Threading model: Envoy uses, per worker thread,
0 credits | 30 pages | 2.67 MB | 1 year ago | 3
Istio in production
inbound: - name: consumer-a nais.yaml cluster kubectl apply -f nais.yaml application deployment service virtualservice autoscaler networkpolicy servicerole servicerolebinding serviceentry local secrets: true accessPolicy: inbound: - name: consumer-a deployment service autoscaler deployment service virtualservice autoscaler networkpolicy servicerole servicerolebinding
0 credits | 42 pages | 3.45 MB | 1 year ago | 3
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
dockerconfigjson=myconfig.json --type=kubernetes.io/dockerconfigjson [Diagram: ASMFilter Deployment resource object; Controller (Watch & Reconcile); Istio EnvoyFilter CR; wasm filter binary file; Service Mesh ASM; Pod; K8s cluster] workloadSelector: labels: app: productpage version: v1. Updated Deployment: mounting the wasm filter file into the Proxy container via hostPath. apiVersion: extensions/v1beta1 kind: Deployment metadata: .… spec: …. template: metadata: annotations:
0 credits | 23 pages | 2.67 MB | 1 year ago | 3
Full-stack service mesh: Aeraki helps you manage any Layer 7 traffic in an Istio service mesh
Isolating user requests from batch jobs (Dubbo) 1. Add a service_group custom attribute for the Provider in the dubbo: application configuration 2. Set the SERVICE_GROUP environment variable in the Provider's deployment 3. Set the batchJob header when the consumer makes the call 4. Set the corresponding DR and VS traffic rules https://docs … add an aeraki_meata_locality custom attribute for the Provider in the application configuration 2. Set the provider's region via an environment variable in its deployment 3. Declare the consumer's region and zone via labels in its deployment 4. Enable locality load balancing via a DR rule https://docs
0 credits | 29 pages | 2.11 MB | 1 year ago | 3
18 results in total