Introduction to Envoy Principles and Pitfalls Encountered in Production
[Figure residue: iptables traffic-interception diagram. Labels: prerouting, input, output, postrouting, Istio_inbound, Istio_in_redirect, Istio_output, Istio_redirect, iptables, app1, app2, envoy, 15001, SO_ORIGINAL_DST, routing, upstream connection pool, localhost, lo, "not this pod, not Envoy itself", DNAT, UID=1337.] [Figure residue: threading diagram. Labels: timer events, admin requests, XDS updates, stat merging, DNS refresh, dispatcher, worker thread, network events, timer events, listener, listener filters, memory release, stat recording, status updates, dispatcher, L4 network filters, L7 HTTP filters, route handling, upstream connection pool.] • Divided into the Envoy main thread and worker threads:
0 points | 30 pages | 2.67 MB | 1 year ago | 3
Istio Security Assessment
signed by Kubernetes or Istiod, will be used to connect to Istiod over port 15012.” Documentation wasn’t discovered that described the intent of this message but if it does in fact provide network security attacker to produce two inputs which hash to the same value (called a collision). Hashes which don’t have this property are considered to be insecure. Hashes are often used to verify the integrity of since the last fetch sha = sha1.Sum(buf) if sha == h.latestSHA && h.list != nil { // the list hasn't changed since last time h.log.Infof("Fetched list is unchanged") h.resetPurgeTimer() return } • i
0 points | 51 pages | 849.66 KB | 1 year ago | 3
Istio is a long wild river: how to navigate it safely
Istio Main drawback Services must know their dependencies, document and update them. If this wasn’t the case before, Istio may not feel welcoming to users. When a dependency is not in the allowed list Stabilizing Istio ● Kubernetes doesn’t handle sidecar containers well ○ Use postStart and preStop container hooks to gracefully handle the pod lifecycle ● Kubernetes doesn’t scale Istio-enabled pods well both Deployments 3. Create HPAs to target the new Deployment 4. Delete old Deployment Simple, isn’t it? Now, repeat for hundreds of services! Good luck :D 51 Label selector updates for app and version
0 points | 69 pages | 1.58 MB | 1 year ago | 3
Istio as an API Gateway
Gateway + Service Mesh together! ● Istio as the API Gateway ● Advantages ● Challenges ● Where It Isn’t a Good Fit? What is an API Gateway? What is a Service Mesh? Common Features Common Features ● Load hard! ● Debugging EnvoyFilters is even harder!! Where It Isn’t a Good Fit? Where It Isn’t a Good Fit? ● Non Kubernetes Ecosystem ● You don’t want Sidecar Proxies ● Project is too small ● Need best tool
0 points | 27 pages | 1.11 MB | 1 year ago | 3
IstioCon 2021 Partner Packages
in social media posts for their contributions. Tier level Commitment Platinum Participants gifts (t-shirts) Gold Event fun (photo booth, graphic recordings, etc) Silver Event organization (joining a data collection, production and distribution is a responsibility of the sponsoring vendor. ● The t-shirt design should have the conference logo in the front, and the organizer’s logo in the back. Option the first 200 registered to the event will receive a t-shirt(*) $20-$25 per/u depending on producer. Total estimated cost: $5,000 usd Participant T-shirts [Unavailable] Available sponsorship: 2 ● The
0 points | 23 pages | 3.18 MB | 1 year ago | 3
Istio audit report - ADA Logics - 2023-01-30 - v1.0
https://github.com/istio/istio/blob/65478ea81272c0ceaab568974aff700aef907312/pkg/bootstrap/fuzz_test.go#L26 2 FuzzRunTemplate istio.io/istio/pkg/kube/inject https://github.com/istio/istio/blob/6 https://github.com/istio/istio/blob/69b1e0f7bc04fcc6f32f0eab8c796cfed78b4c02/pkg/istio-agent/agent.go#L704 if err != nil { return err } conn.Close() https://github.com/istio/istio/blob/9b625fdeae8e9a6176cab5 https://github.com/istio/istio/blob/959887237eee77be3e27152438c479aa4c4712cc/operator/pkg/util/tgz/tgz.go#L110 outFile, err := os.Create(dest) if err != nil { return fmt.Errorf("create: %v", err)
0 points | 55 pages | 703.94 KB | 1 year ago | 3
Your laptop as part of the service mesh
Why don’t you ? ● Mock ? ● Contract testing ? #IstioCon Mock ? Contract testing ? At a scale of 800+ providers ? Mocks are like any other software: ● Bugs ● Maintenance Why don’t you ? 10 response = request_handle:httpCall(address,headers,..) 11 -- respond immediately and don’t proxy to original Foo 12 request_handle:respond(response) 13 end #IstioCon Ouch ! ● Your laptop
0 points | 30 pages | 555.24 KB | 1 year ago | 3
Istio-redirector: the way to go to manage thousands of HTTP redirections
error page Happy Googlebot: I don’t have to crawl 2 URLs I don’t see an error page Happy SEO specialist: My new URLs get SEO popularity from the old ones and I don’t have to start from scratch New URLs
0 points | 13 pages | 1.07 MB | 1 year ago | 3
5 tips for your first Istio.io Contribution
The Pull Request Process ● Viewing changes as if they were live ● Linter is pretty specific ● Don't forget to update/create a test if the page changed is tested! #IstioCon Run make lint locally to problems Click on the Netlify preview to view updates as if they were live #IstioCon Summary ● Don't be afraid to create issues, ask around, and share your ideas ● Join the Working Group ● Contributing
0 points | 14 pages | 717.74 KB | 1 year ago | 3
Observability and Istio Telemetry
Each one workload in the Service group is named as an instance. Like pods in Kubernetes, it doesn't need to be a single process in OS. Also if you are using instrument agents, an instance is actually includes service, service_instance, endpoint, network_address. They are metadata for SkyWalking. Don’t delete these. INDICATOR All metric data belong to this. They are in min/ hour/day/hour time level
0 points | 21 pages | 5.29 MB | 6 months ago | 3













