Full-stack service mesh: Aeraki helps you manage any layer-7 traffic in the Istio service mesh
error codes ○ HTTP status code ○ Redis Get error ○ ... ● Observability with application layer metrics ○ HTTP status code ○ Thrift request latency ○ ... ● Application layer security ○ HTTP JWT Auth Routing based on headers under layer-7 ○ IP address ○ TCP Port ○ SNI ● Observability - only TCP metrics ○ TCP sent/received bytes ○ TCP opened/closed connections ● Security ○ Connection level authentication: proxy in the outbound listener Replace TCP proxy in the inbound listener client Server v1 30% 70% Server v2 9090 9090 #IstioCon EnvoyFilter is Powerful, But ... It’s very difficult if
29 pages | 2.11 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
Mesh? ○ More services = more complexity ○ Need consistent policy enforcement ○ Need consistent metrics aggregation ● Traffic management ○ Load balancing for VMs, failover, A/B testing, modern rollouts Enforce the same policies in the same way, across compute environments ● Observability ○ See VM metrics alongside containers ● Extensibility #IstioCon Why Should Istio Support VMs ● ≈ Why VMs? ○ Technical Istio control plane services (Pilot, Mixer, CA) accessible from the VMs ○ (optional) Kubernetes DNS server accessible from the VMs ● Onboard steps ○ Setup Internal Load Balancers (ILBs) for Kube DNS,
50 pages | 2.19 MB | 1 year ago
13 Istio Traffic Management Principles and Protocol Extensions - 赵化冰
CLB external requests external requests (Passthrough/ServiceEntry) default route (service name) 5 Istio traffic management - data plane - Envoy configuration model and xDS protocol ADS Server LDS RDS CDS EDS Main concepts of the Envoy configuration model: • Downstream: a downstream host connected to Envoy that sends requests and receives responses. • Upstream: an upstream host receives from : discovery service for service instances in the cluster. • Secret Discovery Service (SDS): certificate discovery service. • Aggregated Discovery Service (ADS): provides all xDS services through a single aggregated server, resolving the data-consistency problems caused by the ordering of the different xDS services. gRPC/REST: update config on the fly 6 Istio traffic management - data plane - routing on header; the request's original destination IP should not affect the routing result. Inbound request configuration Outbound request configuration 0.0.0.0_9080 0.0.0.0_15001 0.0.0.0_15006 Pilot (ADS Server) LDS RDS CDS EDS Services Traffic Rules 7 Istio traffic management - data plane - Envoy Sidecar Inbound configuration Inbound request config
20 pages | 11.31 MB | 6 months ago
Istio is a long wild river: how to navigate it safely
Stabilizing Istio CPU: 1 Pod App container Container requests HPA configuration (70% CPU) metrics: - type: Resource resource: name: cpu target: type: Utilization App container Sidecar container CPU: 100m Container requests HPA configuration (70% CPU) metrics: - type: Resource resource: name: cpu target: type: Utilization App container Sidecar container CPU: 100m Container resources HPA configuration (70% CPU) metrics: - type: Resource resource: name: cpu target: type: Utilization
69 pages | 1.58 MB | 1 year ago
How HP set up secure and wise platform with Istio
through the Envoy proxies first. • When mTLS is enabled between two services, the client side and server side’s “envoy proxies” verify each other’s identities before sending requests. • If the verification is successful, then the client-side proxy encrypts the traffic, and sends it to the server-side proxy. • The server-side proxy decrypts the traffic and forwards it locally to the actual destination service monitored services are interacting, both with other services and with the Istio components themselves. Metrics Distributed Traces Access Logs #IstioCon Excellent Observability Istio(envoy) can generate
23 pages | 1.18 MB | 1 year ago
Istio Security Assessment
com/. Recommendation Within the Webhook.admitPilot() method in istio/pkg/webhooks/validation/server/server.go, modify the call to Schema.ValidateProto() — and the definition of the method itself — to NCC-GOIST2005-007 Category Access Controls Component Istio Location • istio/istio/security/pkg/nodeagent/sds/server.go#276 • istio/istio/security/pkg/nodeagent/util/util.go#71,#76,#81 • istio/istio/operator/pkg/helm/urlfetcher the codebase where files are being written insecurely: • istio/istio/security/pkg/nodeagent/sds/server.go (line 276) // Update SDS UDS file permission so that istio-proxy has permission to access it
51 pages | 849.66 KB | 1 year ago
Apache Kafka with Istio on K8s
require client application restarts Challenges – Client certificates 7 • mTLS provided by Istio • Server certificate provided by Istio Proxy sidecar container • Each Kafka client request gets a client WASM filters opens the gates for a whole array of useful features such as Kafka protocol level metrics, extended client throttling, audit logs to name a few Takeaway 13 Q&A Thank you
14 pages | 875.99 KB | 1 year ago
Moving large scale consumer e-commerce Infrastructure to Mesh
services deployed across clusters #IstioCon Rollout - Istio setup and Microservices ● Export metrics to central prometheus ● Outlier detection for better reliability ● Enable Zonal routing, zonal
14 pages | 1.76 MB | 1 year ago
SberBank story: moving Istio from PoC to production
Service SERVICE MESH Proxy Proxy sidecar sidecar Configuration for proxy Certs, ACLs… Raw metrics HTTP/1 HTTP/2 gRPC Why? Innovation trigger Peak of inflated Expectations Trough of Disillusionment
14 pages | 1.68 MB | 1 year ago
IstioCon 2021 Report
#IstioCon IstioCon 2021 Report By María Cruz and Aizhamal Nurmamat kyzy #IstioCon Key metrics 4,021 Registrants 84 Countries 4.4/5 Satisfaction score 2,836 Unique livestream viewers
18 pages | 912.89 KB | 1 year ago