#IstioCon Istio-redirector: the way to go to manage thousands of HTTP redirections Etienne Fontaine (@etifontaine) #IstioCon Istio-redirector 301-redirection from /bus/routes/bruxelles/lille [...] spec: gateways: - istio-system/istio-ingressgateway hosts: - www.blablacar.fr http: - match: - uri: exact: /co2 redirect: uri: /blablalife/lp/zeroemptyseats running in production without any impact on performances! #IstioCon Check it out on Github https://github.com/blablacar/istio-redirector And leave a star ? #IstioCon How can we use istio-redirector

NewHandler in an http.MaxBytesHandler.” John found that when the recommended MaxBytesHandler was used, the request body was not fully consumed, meaning that when a server attempts to read HTTP2 frames from from the connection it will instead be reading the body. As such, the MaxBytesHandler introduces an http request smuggling attack vector. The issue was disclosed to the Golang security team who fixed the repository Repository https://github.com/istio/istio Language Golang Istio API definitions Repository https://github.com/istio/api Language Golang Istio documentation Repository https://github.com/istio/istio

Kumar R Prepared by Mark Manning Jeff Dileo Divya Natesan Andy Olsen Feedback on this project? https://my.nccgroup.com/feedback/67b627f7-a0a2-43b7-ad68-af515a9ed2e0 Executive Summary Synopsis In the Deploy the customized default policy • Start a Pod in a namespace that is not managed by Istio 1https://istio.io/latest/news/releases/1.5.x/announcing-1.5/upgrade-notes/#control-plane-security 5 | Google Exploitability: Medium Identifier NCC-GOIST2005-016 Category Configuration Component Istio Location https://istio.io/latest/docs/ Impact WIthout clear documentation, administrators cannot make accurate security

erd、Traefic。Envoy由于高性能和扩展能力前在数据面遥 遥领先。 • Iptables使Pod间出入应用的流量均由Envoy代理，对应用来说完全透明。支持主要常用网路协议 Http1/Http2/Tls/gRPC/Tcp等。 Copyright © Huawei Technologies Co., Ltd. All rights reserved. Page 6 Envoy原理及总体架构-启动 用于原始目标服务，并找到后端处理器处理新连接。 • 后端处理器在配置中指定处理协议，根据协议相关的网络过滤器处理读取到的数据。 • 如果为http协议，再经过请求过滤器处理http协议头部，如路由选择等功能并创建上游连接池 • 将修改及编码后的http消息通过网络发送到对端Envoy的容器网络。 • Iptables识别为入流量则进入virtualInbound端口。 • ORIGINA 之后Connection对象再次向libevent注册Read/Write回 调onFileEvent，并作为L4层过滤管理器处理 onNewConnection，onData数据接收。 • 对于HTTP协议，将继续经过L7层编解码处理后向上游发 送请求。 • 当请求处理完毕后，将调用deferredDelete删除请求对象 并记录统计观测数据。 • 使用异步I/O方式发送网络数据，降低对线程内其他操作

istio sidecar （ kubectl label namespace default istio-injection=disabled/enabled ） http http http http http http http Result: can access reviews-v1, reviews-v2 and reviews-v3 Access productpage peer-authentication to enable server side mTLS mTLS in Istio - PeerAuthenticati on mTLS http http http http mTLS http #IstioCon Auto-mTLS in Istio ● Decide what type of traffic the client sidecar to productpage 1) Apply destination rule enable client side mTLS mTLS in Istio - Destination rule http http http http mTLS mTLS #IstioCon mTLS in Istio - DestinationRule Defines what type of traffic the

Istio 流量管理原理与协议扩展 赵化冰 赵化冰 腾讯云 服务网格团队 https://zhaohuabing.com Service Mesh Service Mesh Layer 处理服务间通信（主要是七层通信）的云原生基础设施层： Service Mesh 将各个服务中原来使用 SDK 实现的七层通信相关功能抽象 出来，使用一个专用层次来实现，Service Mesh 对应用透明，因此应用 服务数据（Mesh 中有哪些服务？缺省路由） v Service Registry § Kubernetes：原生支持 § Consul、Eureka 等其他服务注册表：MCP over xDS （https://github.com/istio-ecosystem/consul-mcp） v 通过CRD定义的服务数据 q 自定义流量规则（如何将请求路由到这些服务？） v 通过CRD定义的流量规则 服务数据 内部注册表中 • WorkloadEntry：单独添加 Workload，对于虚机支持更友好 • MCP 适配器： 将第三方注册表中的服务加入到 Pilot 中 Consul MCP Adapter https://github.com/istio-ecosystem/consul-mcp 欢迎大家试用、共建！ 4 Istio 流量管理 – 控制面 – 流量管理模型 Gateway Virtual

Filter Filter Cluster Upstrea m Filter Chain 扩展自定义Filter, 并通过xDS API动态配置 L4 Network Filters L7 Http Filters 3 Listener & Filters before outbound services Listener Downst ream Filter Filter Filter Filter Chain 4 实际示例中用到的Envoy Filters 端口9080 监听 envoy.filte rs.network .metadata _exchange envoy.http _connectio n_manage r Cluster Productp age服务 Filter Chain envoy.filters.ht tp.wasm/envo y.wasm [productpage-xxx] -c istio-proxy curl localhost:15000/config_dump envoy.filters .http.cors envoy.filters .http.fault envoy.filters .http.router envoy.filters.ht tp.wasm/envo y.wasm.stats envoy.filters.ht tp

Aeraki 助你在 Istio 服务网格中管理任何七层流量 赵化冰@腾讯云 #IstioCon Huabing Zhao Software Engineer @ Tencent Cloud https://zhaohuabing.com @zhaohuabing @zhaohuabing @zhaohuabing @zhaohuabing #IstioCon Agenda ❏ Service NoSQL We need to manage multiple types of layer-7 traffic in a service mesh, not just HTTP and gRPC ● RPC：HTTP, gRPC, Thrift, Dubbo, Proprietary RPC Protocol … ● Messaging: Kafka, RabbitMQ … ● Cache: requet level ○ HTTP host/header/url/method, ○ Thrift service name/method name ○ Dubbo Interface/method/attachment ○ ... ● Fault Injection with application layer error codes ○ HTTP status code ○

@hzxuzhonghu #IstioCon About me Zhonghu Xu：an open source engineer from Huawei Cloud. - Github：https://github.com/hzxuzhonghu - Istio steering committee member - Istio Core Maintainer & Contributor Original Address Preserve Background Demo 1. HTTP Original Address Preserve #IstioCon Content 1. TCP Original Address Preserve Background Demo 1. HTTP Original Address Preserve #IstioCon What is transparent mode, two connections  L4 • Add IP in TCP Protocol options • Proxy Protocol  L7 • HTTP header “x-forwarded-for” • User Protocol #IstioCon LVS ① user send traffic to LVS ② PREROUTING

Bypass adaptor SkyWalking backend Tracing Metric Receiver in gRPC/HTTP Analysis Core Query CoreIstio telemetry Attribute Vocabulary https://istio.io/docs/reference/config/policy-and- telemetry/attrib process in OS. • Endpoint. It is a path in the certain service for incoming requests, such as HTTP URI path or gRPC service class + method signature. Core ConceptsIstio telemetry formatSkyWalking ServiceInstance • Endpoint • ServiceRelation • ServiceInstanceRelation • EndpointRelation • etc. https://github.com/apache/incubator-skywalking/blob/master/docs/en/ concepts-and-designs/oal.md • Extendable