Istio Security Assessment
istio/istio: Istio source code in the master branch up to July 15th, 2020. Commit: 7353c84b560fd469123611476314e4aee553611d. istio/proxy: Istio Envoy proxy code in the master branch up to July 15th, 2020. Commit: c51fe751a17441b5ab3f5487c37e129e44eec823. istio/istio.io: Istio documentation and security guidelines from the master branch up to July 15th, 2020. Commit: 26dacdde40968a37ba9eaa864d40e45051ec5448. Finding Breakdown: … security controls that, if an Istio service is compromised, may allow an attacker to compromise a Node or Cluster. Description: The default configuration provided by istioctl does not enable seccomp or
0 credits | 51 pages | 849.66 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
… https://github.com/istio/istio/blob/master/operator/pkg/util/tgz/tgz.go#L70 )
// This creates a malicious Gzip file that will result in
// arbitrary file write when extracted by https://github.com/istio/istio/blob/master/operator/pkg/util/tgz/tgz …
:= createMaliciousGzip()
// Below is a minimized version of https://github.com/istio/istio/blob/master/operator/pkg/util/tgz/tgz.go#L70 (Extract())
uncompressedStream, err := gzip.NewReader(maliciousGzip)
… %v", err) }
// The target file name for Wasm binary.
// https://github.com/solo-io/wasm/blob/master/spec/spec-compat.md#specification
const wasmPluginFileName = "plugin.wasm"
// Search for the file
0 credits | 55 pages | 703.94 KB | 1 year ago
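The arbitrary file write that the ADA Logics snippet above describes is the archive path-traversal pattern: an entry name such as ../../x is joined onto the extraction directory and written without checking where the result lands. The Go program below is an added example for this listing, not code from the audit report or from istio/istio. It builds a constructed malicious .tar.gz in memory, prints the path a bare filepath.Join would hand to the file writer, and extracts through a hardened ExtractSafe that rejects any entry resolving outside the destination before anything touches disk. buildTgz, safeTarget, ExtractSafe and ErrTraversal are the example's own names.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrTraversal = errors.New("tgz: entry escapes destination directory")

// buildTgz builds an in-memory .tar.gz (constructed input; a "../" name plays the malicious archive).
func buildTgz(entries map[string]string) ([]byte, error) {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for name, content := range entries {
		hdr := &tar.Header{Name: name, Mode: 0o644, Size: int64(len(content)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write([]byte(content)); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	err := gz.Close() // flush the gzip trailer before taking the bytes
	return buf.Bytes(), err
}

// safeTarget is the check a bare filepath.Join(dst, name) lacks: it rejects absolute
// names and names that, once cleaned, resolve outside dst.
func safeTarget(dst, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", ErrTraversal
	}
	base := filepath.Clean(dst)
	target := filepath.Join(base, name) // Join cleans, so ".." is resolved here
	if target != base && !strings.HasPrefix(target, base+string(os.PathSeparator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// ExtractSafe writes the regular files of a .tar.gz under dst and returns their names.
// Symlinks and other entry types are skipped; a real extractor must also validate symlink targets.
func ExtractSafe(r io.Reader, dst string) ([]string, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	tr := tar.NewReader(gz)
	var written []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		} else if err != nil && hdr == nil {
			return written, err
		}
		// Go 1.20+ may return tar.ErrInsecurePath together with the header; safeTarget handles it.
		target, err := safeTarget(dst, hdr.Name)
		if err != nil {
			return written, fmt.Errorf("%q: %w", hdr.Name, err)
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode))
		if err != nil {
			return written, err
		}
		_, err = io.Copy(f, tr)
		f.Close()
		if err != nil {
			return written, err
		}
		written = append(written, hdr.Name)
	}
}

func main() {
	dst, _ := os.MkdirTemp("", "tgz-demo")
	defer os.RemoveAll(dst)
	malicious, _ := buildTgz(map[string]string{"../../escaped.txt": "owned"})
	fmt.Println("naive join would write to:", filepath.Join(dst, "../../escaped.txt"))
	_, err := ExtractSafe(bytes.NewReader(malicious), dst)
	fmt.Println("hardened extract:", err)
}
```

Run with go run: the naive join points two directories above the temporary directory, while the hardened extract stops on the first entry with ErrTraversal and writes nothing. Two caveats for a production extractor: symlink entries need the same check applied to their link target, and since Go 1.20 archive/tar can itself reject such names with tar.ErrInsecurePath when GODEBUG=tarinsecurepath=0 is set (the header is still returned alongside the error, which is why the loop only gives up on a nil header); the explicit check above does not depend on that setting.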
Analysis of Istio control plane component internals
- A small, non-persistent key/value database
- Caches built with k8s.io/client-go
- Caches Istio resources: route-rule, virtual-service, gateway, etc.
- Caches Kubernetes resources: node, Service, Endpoints, etc.
How configuration takes effect: V2 pushes configuration to Envoy proactively over a bidirectional gRPC stream:
- Event-triggered: whenever a configuration is added, deleted or modified
- Timer-triggered: configurable via the environment variable V2_R
… string Platform-specific unique identifier for the source workload instance. kubernetes://redis-master-2353460263-1ecey.my-namespace source.ip ip_address Source workload instance IP address. 10.0
0 credits | 30 pages | 9.28 MB | 6 months ago
Your laptop as part of the service mesh
… transportation providers across Europe and North America. #IstioCon
Our developer flow: Develop -> PR -> master -> deploy QA -> deploy Production
Our clusters
The problem: running end-to-end is neither efficient nor cost-effective
How tests are run:
● On QA (dev -> PR -> master -> deploy QA …)
● On standalone VMs running all services needed for the test
Define efficient and cost-effective:
1. Minimize time to bug detection. Dev -> PR -> master -> QA -> prod: 3 steps away to find a problem
2. Allow simultaneous tests. Only one commit
0 credits | 30 pages | 555.24 KB | 1 year ago
Istio Meetup China: service mesh security, understanding Istio CNI
Networking and CNI. Race condition issues in Istio CNI during node bootstrap. Community solutions for Istio CNI. CNI basics: kube-proxy runs on each node and manages iptables; iptables is responsible for translating … container (faster startup). Taint the node while the Istio CNI plugin is not yet installed, and remove the taint once it is ready; inspired by the planned Kubernetes extension (Node Readiness Gate). Useful links: CNI beta RFC, Istio CNI race condition mitigation, CNI beta graduation, Kubernetes Node Readiness Gates. Q&A. @tetrateio Tetrate https://tetrate.io THANK YOU For any further queries, feel free to contact us at
0 credits | 19 pages | 3.17 MB | 1 year ago
Canary release practice for Kubernetes container applications based on Istio
… to connect, manage, and secure microservices. The Istio project. Istio from the microservices angle: evolution of governance. Node 1: svc1 (own business logic, SDK, sidecar, service governance); Node 2: svc2 (own business logic, SDK, sidecar, service governance). Communication basics: service discovery, load balancing, circuit breaking and fault tolerance, dynamic routing … for (encapsulation++) { application intrusiveness--; governance location--; } Istio from the microservices angle: service mesh, service mesh control plane. Istio from the infrastructure (Kubernetes) angle: service access. Node svca svcc svcb.ns svcc.ns svcb svcd svce svce.ns svcd.ns svcd.ns Kube-proxy Kube-APIServer ServiceIp Backend. Istio & Kubernetes: combined architecture. Kube-APIServer Etcd istioctl / kubectl Pilot Envoy SVC Pod Node Envoy SVC Pod Node Envoy SVC Pod list/watch (Service, Endpoints, Pod) user. Istio & Kubernetes: unified service discovery
0 credits | 38 pages | 14.93 MB | 1 year ago
Canary release practice for Kubernetes container applications based on Istio
… connect, manage, and secure microservices. The Istio project. Istio from the microservices angle: evolution of governance. Node 1: svc1 (own business logic, SDK, sidecar, service governance); Node 2: svc2 (own business logic, SDK, sidecar, service governance). Communication basics: service discovery, load balancing, circuit breaking and fault tolerance, dynamic routing … for (encapsulation++) { application intrusiveness--; governance location--; } Istio from the microservices angle: service mesh, service mesh control plane. Istio from the infrastructure (Kubernetes) angle: service access. Node svca svcc svcb.ns svcc.ns svcb svcd svce svce.ns svcd.ns svcd.ns Kube-proxy Kube-APIServer ServiceIp Backend. Istio & Kubernetes: combined architecture. Kube-APIServer Etcd istioctl / kubectl Pilot Envoy SVC Pod Node Envoy SVC Pod Node Envoy SVC Pod list/watch (Service, Endpoints, Pod) user. Istio & Kubernetes: unified service discovery
0 credits | 34 pages | 2.64 MB | 6 months ago
Is Your Virtual Machine Really Ready-to-go with Istio?
Leverage eBPF ● Target Pod/VMs on the same node ● Use case: edge computing ○ Limited number of nodes ○ More traffic across Pod/VMs on the same node #IstioCon
QUIC ● A new transport protocol IO ● Application advantage ○ Low latency ○ High bandwidth ○ Low CPU consumption ● Istio: cross-node Proxy to Proxy kernel bypass w/ HW acceleration
Quick Summary: Today Istio is ready-to-go
0 credits | 50 pages | 2.19 MB | 1 year ago
Istio Project Update
verify-install, upgrade Istio, simplify install, helm3 #IstioCon
Pilot Mixer Citadel Node Agent Injector Galley istio-system Node Pod Sidecar Pilot Agent Ingress Egress. Istio Single Cluster Simplified
0 credits | 22 pages | 1.10 MB | 1 year ago
Accelerate Istio with ebpf
Meetup China. Performance Comparison: refactored Istio benchmarking tool ◦ Two pods run on the same node. Configurations ◦ mTLS enabled ◦ Number of Envoy workers: 2 ◦ Response payload size: 1KB. Latency … address and back (inbound) ○ eBPF program also tracks connections from Envoy to Envoy (on the same node) and back (envoy to envoy) ● Works with Istio >= 1.10 ● CNI agnostic and should work with all CNIs
0 credits | 15 pages | 591.60 KB | 1 year ago
17 results in total