traffic splitting • 后续规划： • 其他协议支持：Thrift，Redis ，TARS … • 在 TCM 中提供托管的 Aeraki，为客户提供第三方协议支 持 16 Aeraki 项目后续计划 Dubbo [Done] Default routing [Done] Version-based routing [Done] Traffic splitting [Todo] routing [Todo] RDS 需数据面配合 Thrift [Done] Default routing [Done] Version-based routing [Done] Traffic splitting [Todo] Header based routing [Todo] Rate limit [Todo] RDS 需数据面配合 Redis [Todo] Sharding [Todo] Traffic

Features ● Load Balancing ● Request Routing ● Service Discovery ● JWT Authentication ● Traffic Splitting ● Canary Deployment ● Traffic Mirroring ● Rate Limiting ● TLS Termination ● Logging, Monitoring

underlying service. Knative Activator or Application Front door design #IstioCon - Traffic Splitting, blue/green deployment How Istio is leveraged in a Knative based platform 90% 10% apiVersion:

to the Envoy configuration generated by Pilot. #IstioCon EnvoyFilter Example - Dubbo Traffic Splitting Replace TCP proxy in the outbound listener Replace TCP proxy in the inbound listener client

with notes that it should be replaced by a DNS-based secure signing method. So the updated change log notes: “Despite the naming, in Istio 1.5 when controlPlaneSecurityEnabled is set to false, communication sha1.Sum(buf) if sha == h.latestSHA && h.list != nil { // the list hasn't changed since last time h.log.Infof("Fetched list is unchanged") h.resetPurgeTimer() return } • istio/istio/mixer/pkg/runtime/handler/signature bytes.TrimSpace(chunk) if len(chunk) == 0 { continue } r, err := ParseChunk(chunk) if err != nil { log.Errorf("Error processing %s[%d]: %v", path, i, err) continue } if r == nil { continue } resources

36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 import ( "bytes" "context" "crypto/tls" "fmt" "io" "log" "net/http" "os" "os/signal" "time" byteSize "github.com/inhies/go-bytesize" "istio.io/istio/pkg/backoff" if err = srv.ListenAndServe(); err != nil && err != http.ErrServerClosed { log.Fatalf("listen:%+s\n", err) } }() log.Printf("server started") d, err := time.ParseDuration("20s") if err != nil { fmt.Println("Fetching") f.Fetch(context.Background(), "http://localhost:6969", true) <-ctx.Done() log.Printf("server stopped") ctxShutDown, cancel := context.WithTimeout(context.Background(), 5*time

00 4000.00 6000.00 8000.00 10000.00 12000.00 14000.00 16000.00 1 2 3 4 5 6 7 8 9 10 QPS LOG(连接数)2 默认连接策略与增强连接策略平均 QPS对比 默认连接策略平均qps 增强连接策略平均qps 1.01 1.31 1.99 3.70 5.22 8.57 17.82 28 00 20.00 30.00 40.00 50.00 60.00 70.00 80.00 90.00 100.00 1 2 3 4 5 6 7 8 9 10 平均时延(MS) LOG(连接数)2 默认连接策略与增强连接策略平均时延 对比 默认连接策略平均时延(ms) 增强连接策略平均时延(ms) 提升30% 降低23% 默认连接策略 增强连接策略 QPS变化不均匀， 0.000 0.010 0.020 0.030 0.040 0.050 0.060 0.070 0.080 1 2 3 4 5 6 7 8 9 10 平均TP50(S) LOG(连接数)2 默认连接策略与增强连接策略平均 TP50对比 默认连接策略平均tp50(s) 增强连接策略平均tp50(s) 0.002 0.002 0.003 0.004 0.010 0

in a configurable set of formats #IstioCon Excellent Observability - Access logs Log Files Parse Istio-proxy Log • Each API Access Count • Each API Fail Rate • Each API Latency Easy to debug Easy report Easy to alert Elastalert #IstioCon Excellent Observability - Access logs Istio-proxy log showed in kibana after parse #IstioCon Excellent Observability - Access logs API Error In last

manage source of truth for mesh policies. Audit log Cluster security Edge security Workload security Operation security 3. Monitor audit log. 3 Lifecycle of service mesh security and demo Lifecycle of service mesh security Edge Cluster Workload Operation GitOps Gatekeeper RBAC Audit log Metrics Security testing tools Security dashboard Prometheus Kiali Security Lifecycle Concepts

same client is forwarded to the same backend 2. Security Policy: set white/black list 3. Access log & Stats 4. Specific scenarios like SIP Trunking #IstioCon Common Ways to Preserve Original Src Addr