Istio Traffic Management Principles and Protocol Extensions (Istio 流量管理原理与协议扩展), 赵化冰
Sidecar Proxy • Traffic entering the cluster from outside: Ingress Gateway • Traffic leaving the cluster: Egress Gateway (optional; controls external access at a single central point) • Service discovery • Load balancing • Timeout • Retries • Circuit breaker • Routing • Auth • Telemetry collection ... Listener Discovery Service (LDS): discovers listeners. • Route Discovery Service (RDS): discovers routes. • Cluster Discovery Service (CDS): discovers clusters. • Endpoint Discovery Service (EDS): discovers the service instances within a cluster. • Secret Discovery Service (SDS): discovers certificates. • Aggregated Discovery Service (ADS): serves every xDS service through one aggregated server, avoiding the data-consistency problems caused by the ordering of separate xDS services. gRPC/REST: update config on the fly ... Istio Traffic Management – Data Plane – Envoy sidecar configuration in Istio
0 码力 | 20 pages | 11.31 MB | 6 months ago
Istio Security Assessment
... Kubernetes clusters. • Istio Pilot: the service, running within istiod, that handles service discovery. • Istio Ingress/Egress: networking controls allowing inbound and outbound access to Istio services ... A test plan was created which matched areas of code with specific security controls (e.g. service discovery, certificate lifecycle, sidecar injection) to focus testing efforts. Istio does not currently have ... Identifier: NCC-GOIST2005-002. Category: Data Exposure. Component: Pilot. Location: pilot/cmd/pilot-discovery/main.go. Impact: The debug interface provides unauthenticated users with a wide range of information ...
0 码力 | 51 pages | 849.66 KB | 1 year ago
Local Istio Development
#IstioCon Fully local: go run ./pilot/cmd/pilot-discovery; go run ./pilot/cmd/pilot-agent. + Fast! Bottleneck ... Local Istiod, remote proxy: Cluster; go run ./pilot/cmd/pilot-discovery. + All of the benefits of running Istiod locally + Can ...
0 码力 | 16 pages | 424.31 KB | 1 year ago
Moving large scale consumer e-commerce Infrastructure to Mesh
... microservices ● Majority of services written in Go #IstioCon Architecture Overview - Discovery and Routing ● Service discovery and configuration using Consul ● HTTP/TCP traffic via HAProxy ● gRPC traffic ... helps reduce Istio proxy resources. Next Steps ● Move stateful components into the mesh's discovery and routing ● Expose gateway services via Istio Gateway ● Towards RESTRICTED network policy ● ...
0 码力 | 14 pages | 1.76 MB | 1 year ago
SberBank story: moving Istio from PoC to production
... secrets rotation 1. Hot restarts for TCP traffic 2. Root certificate reissue (#14516) 3. Istio Discovery overload (#25495) 3. Sidecar & ExportTo tuning is required 1. Resource consumption 2. Resource ... production-size environment aren't a waste of time 1. Istio Discovery restarts (#25495) 2. Proxy probes (#26792) Further Steps • Multi-cluster discovery for OCP & Kubernetes • Multi-cluster service topology
0 码力 | 14 pages | 1.68 MB | 1 year ago
Istio 2021 Roadmap: A heartwarming work of staggering predictability
... telemetry ● New extension capabilities ○ WebAssembly (Wasm) support ● Secure by default ○ Secret Discovery Service (SDS) ○ Auto mTLS ● API and feature promotion ○ Networking/Security APIs ○ Virtual Machine ... (Wasm) enhancements ○ APIs for adding custom Wasm extensions ○ Focus on developer workflow ○ Discovery of Wasm extensions ● External AuthZ extensions ● Telemetry provider extension APIs https://istio
0 码力 | 17 pages | 633.89 KB | 1 year ago
宋净超: From Open-Source Istio to Enterprise-Grade Services: How to Land a Service Mesh in the Enterprise
... security policies & access control ● Unified telemetry and availability reporting ● Service discovery across multiple clusters ● Fine-grained ingress & egress controls ● API GW is part of the mesh ... cluster. Two-tier Gateway Traffic Flow; Cloud Vendor Gateway Consolidation: TSB allows service discovery and communication via the NodePort service type instead of a LoadBalancer ... Architecture ● Multi ...
0 码力 | 30 pages | 4.79 MB | 6 months ago
Is Your Virtual Machine Really Ready-to-go with Istio?
... Kubernetes concept and its Istio VM counterpart: Basic schedule unit: Pod / WorkloadEntry; Component: Deployment / WorkloadGroup; Service registry and discovery: Service / ServiceEntry. K8s Pods labels: app: foo, class: pod; ServiceEntry selector: app: foo ... Istio CNF: Option 3 ● Further performance concerns #IstioCon End-to-end Key Protection ● SDS (Secret Discovery Service) ● A stricter security model ○ Protections for inline components & workflows ○ Trust ...
0 码力 | 50 pages | 2.19 MB | 1 year ago
Full-Stack Service Mesh: Aeraki Helps You Manage Any Layer-7 Traffic in the Istio Service Mesh (全栈服务网格 - Aeraki 助你在 Istio 服务网格中管理任何七层流量)
... manually create and maintain these EnvoyFilters, especially in a large service mesh: ● It exposes low-level Envoy configuration to operations ● It depends on the structure/naming convention of the generated ... stand-alone component ● Provides an abstraction layer with Aeraki CRDs, hiding the trivial details of the low-level Envoy configuration from operations ● Protocol-related Envoy configurations are now generated by ...
0 码力 | 29 pages | 2.11 MB | 1 year ago
Istio as an API Gateway
... Service Mesh? Common Features ● Load Balancing ● Request Routing ● Service Discovery ● JWT Authentication ● Traffic Splitting ● Canary Deployment ● Traffic Mirroring ● Rate Limiting
0 码力 | 27 pages | 1.11 MB | 1 year ago