Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh

…Mesh? To separate infrastructure operations from application code, we need layer-7 traffic management capabilities:
  ● Routing based on layer-7 header
    ○ Load balancing at request level
    ○ HTTP host/header/url/method
    ○ Thrift service name/method name
    ○ Dubbo interface/method/attachment …
[Figure: packet layout - IP Header | IP Data; TCP Header | TCP Data; Layer-7 Header | Data]
#IstioCon
What Do We Get From Istio? Traffic Management
[Figure: Application - AwesomeRPC; ProductPage; Reviews v1; Reviews v2; AwesomeRPC (header: user != Jason); AwesomeRPC (header: user = Jason); AwesomeRPC (header: user = XXX)]
Let's say that we're running…
0 码力 | 29 pages | 2.11 MB | 1 year ago
Istio Traffic Management Internals and Protocol Extension - Huabing Zhao (赵化冰)

[Figure: Destination Rule; external request; internal client; Service1, Service2; inside the mesh]
Defining the mesh entry (Gateway):
  • Service port
  • Host
  • TLS configuration
  • Routing configuration: route by Host, route by Header, route by URI
Destination traffic policy configuration:
  • LB policy
  • Connection pool configuration
  • Circuit breaker configuration
  • TLS configuration
Gateway / External Service - unified mesh egress:
  • Egress address (Gateway …
…aggregate the handling instead of creating one Listener per service?
  • Fewer Listeners and smaller configuration, lower resource usage
  • Compatible with headless and VM services, avoiding frequent Listener configuration updates
  • Routing uses layer-7 headers, so the request's original destination IP should not affect the routing result
[Figure: inbound request configuration / outbound request configuration - 0.0.0.0_9080, 0.0.0.0_15001, 0.0.0.0_15006; Pilot (ADS Server)]
LB, Retries and Circuit Breaker based on layer-4 connection errors
  – Layer-4 routing (IP + Port)
  – Layer-4 metrics (TCP packets sent/received, etc.)
[Figure: IP Header | TCP Header | Layer 7 Protocol Header | Layer 7 Protocol Data]
The layer-7 protocols Istio supports are very limited: HTTP 1.1, HTTP2, gRPC. All other protocols can only be handled at layer 4 (Thrift, Redis…
0 码力 | 20 pages | 11.31 MB | 6 months ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0

tgz.Extract() does not sanitise file paths, which may lead to writing to arbitrary file paths. A header.Name containing patterns such as .. could traverse the file system and perform out-of-bounds file…

    …Errorf("create gzip reader: %v", err)
    }
    tarReader := tar.NewReader(uncompressedStream)
    for {
        header, err := tarReader.Next()
        if err == io.EOF {
            break
        }
        if err != nil {
            return fmt.Errorf("next: %v", err)
        }
        // header.Name is joined to the destination without sanitisation (the issue described above)
        dest := filepath.Join(destination, header.Name)
        switch header.Typeflag {
        case tar.TypeDir:
            if _, err := os.Stat(dest); err != nil {
                if err := os.Mkdir(dest…
0 码力 | 55 pages | 703.94 KB | 1 year ago
Optimal Canary Deployments Using Istio and How It Scores over Spring Cloud and Kubernetes

[Figure: www.my-application.com; SPRING CLOUD GATEWAY; RIBBON (Client-Side Load Balancer); 75% or Header: X-User-Type: Non-Admin; 25% or Header: X-User-Type: Admin; Service Instance V1; Service Instance …]
[Figure: ISTIO VIRTUAL SERVICE + Destination Rules; Header: X-User-Type: Non-Admin; Header: X-User-Type: Admin]
Destination Rule:…
0 码力 | 9 pages | 1011.00 KB | 1 year ago
Preserve Original Source Address within Istio

…transparent mode, two connections
L4
  • Add IP in TCP protocol options
  • Proxy Protocol
L7
  • HTTP header "x-forwarded-for"
  • User protocol
#IstioCon
LVS: ① the user sends traffic to LVS ② PREROUTING chain …
Protocol v1: PROXY Protocol prepends every connection with a header reporting the client IP address and port. A PROXY Protocol plain-text header has the format:
    PROXY TCP4 192.0.2.0 192.0.2.255 42300 …
Protocol v2
[Figure: Proxy Protocol - client and server: establish TCP connection; Proxy Protocol binary header; application data]
  - The client and server side must support proxy protocol simultaneously
  - The…
0 码力 | 29 pages | 713.08 KB | 1 year ago
Istio Security Assessment

…apply when a host is addressed. They support matching on various criteria including URI paths and header values, and support sending traffic to a specific in-cluster destination or returning a redirect.

    …ingress_http
    server_header_transformation: APPEND_IF_ABSENT
    route_config:
      virtual_hosts:
      - name: luatest
        domains: ["*"]
        routes:
        - match: { prefix: "/" }
          route: { cluster_header: "backend", cluster…
0 码力 | 51 pages | 849.66 KB | 1 year ago
Your Laptop as Part of the Service Mesh

…the mesh club
#IstioCon
A dummy proxy for the mesh
  ● Called by Lua code
  ● Parses the contract header and makes an HTTP call
Wait … What about VirtualService? More work for developers
  2. Allow simultaneous tests: yes
  3. Reuse infrastructure: yes
Drawbacks: the contract header needs to be preserved all the way through the call chain
Demo time
Thank…
0 码力 | 30 pages | 555.24 KB | 1 year ago
Istio in Practice in FreeWheel's Microservices

At FreeWheel we already have a complex set of custom authentication and authorization mechanisms. To make full use of Istio, we integrated these systems by extending Istio in two areas:
  • Extending the Sidecar: adding authentication support for business systems and passing user-related information into the mesh as headers, so that subsequent authorization, monitoring and rate limiting can all be done with Istio's native mechanisms
  • Extending Mixer: selecting a portion of the traffic and applying the corresponding authorization logic
FreeWheel's Istio practice
  • The figure on the right shows the integration of FreeWheel's custom authentication and …
…in operations this is an important capability: any function that does not modify requests or responses can be implemented by extending Mixer
  • Adding an extra reverse proxy inside the Sidecar effectively provides an interface for modifying requests and responses, for example passing user information to downstream services via headers after authentication
Extending Mixer for authorization
  • The example implemented here, mymock, rejects all matched traffic outright; the figure on the right shows the basic principle of the mymock Handler
  • The mymock handler is mymock…
0 码力 | 31 pages | 4.21 MB | 1 year ago
Envoy Internals and Production Pitfalls

…the L4 http_connection_manager network filter.
  • http_connection_manager uses the HTTP codec to decode the HTTP header/body/trailer and triggers callback functions.
  • The HTTP header/body callbacks invoke the L7 HTTP filters (which may modify the original HTTP request, etc.) and finally call the Router filter.
  • The Router filter is responsible, based on the routing section of the configuration and the req…
0 码力 | 30 pages | 2.67 MB | 1 year ago
Developing & Debugging WebAssembly Filters

Deploy
    > meshctl wasm deploy istio --mgmt-kubecontext kind-mgmt-cluster --deployment-name ratings-add-header --namespace bookinfo --image webassemblyhub.io/yuval/addheader-rust:v1 --cluster mgmt-cluster --labels…
0 码力 | 22 pages | 2.22 MB | 1 year ago
13 results in total