Full-Stack Service Mesh: Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
… gRPC ● RPC: HTTP, gRPC, Thrift, Dubbo, proprietary RPC protocols … ● Messaging: Kafka, RabbitMQ … ● Cache: Redis, Memcached … ● Database: MySQL, PostgreSQL, MongoDB … ● Other layer-7 protocols: … an Istio service mesh, but the inter-service communication is done by AwesomeRPC, our own RPC protocol, instead of HTTP. So, how could we achieve layer-7 traffic management for AwesomeRPC in Istio? … breaker ● Fault injection ● Stats ● … Pros: ● It's relatively easy to add support for a new protocol to the control plane, given that the Envoy filter is already there. Cons: ● You have to maintain …
(29 pages, 2.11 MB)
Istio Traffic Management Principles and Protocol Extension (Zhao Huabing)
… Breaker – layer-4 routing (IP + port) – layer-4 metrics (TCP packets sent/received, etc.) … IP Header | TCP Header | Layer-7 Protocol Header | Layer-7 Protocol Data … The layer-7 protocols Istio supports are very limited: HTTP 1.1, HTTP/2 and gRPC; every other protocol can only be handled at layer 4 (control-plane support for other layer-7 protocols such as Thrift and Redis is very limited). A good protocol extension mechanism is currently missing: • Pilot needs to understand the protocol-specific knowledge embedded in Envoy filters • maintaining many layer-7 protocols in Pilot's code is costly … Istio protocol extension: routing for common layer-7 protocols:
Protocol | Destination service | Parameters that could be used for routing
HTTP 1.1 | host | host, path, method, headers
… | … | ServantName, FuncName, Context
Dubbo | service name | service name, service version, service method
Any RPC protocol | service name in message header | some key:value pairs in message header
… Istio protocol extension: a protocol-agnostic generic routing framework
(20 pages, 11.31 MB)
Is Your Virtual Machine Really Ready-to-go with Istio?
… the mesh ● Traffic flow (Container -> VM) 1. Manual registration: istioctl -n onprem register mysql 1.2.3.4 3306 #IstioCon … V1.1 Introducing Service Entry: Service Entry vs. Service vs. Endpoints … number of nodes ○ More traffic across Pods/VMs on the same node … QUIC ● A new transport protocol ● A little like TCP + TLS, but built on top of UDP ○ Uses UDP like TCP uses IP ○ Adds connections … Http3, Full Stack Fest, Daniel Stenberg … HTTP/3 ● HTTP/3 = HTTP over QUIC ● Application protocol over QUIC ● HTTP – same but different ○ HTTP/1 in ASCII over TCP ○ HTTP/2 – binary multiplexed …
(50 pages, 2.19 MB)
Istio at Scale: How eBay is Building a Massive Multitenant Service Mesh Using Istio
… Microservices ranging from ○ API services, search engine, etc. ○ Databases, key-value stores – Oracle, MySQL, etc. ○ Big data systems and pipelines – Hadoop, Apache Spark, Apache Flink, etc. ○ Machine learning … the infrastructure – ○ Functions: TLS termination, traffic management, tracing, rate limiting, protocol adapter, circuit breaker, caching, etc. … Service Mesh Journey ● Capture application …
(22 pages, 505.96 KB)
Preserve Original Source Address within Istio
… transparent mode, two connections … L4 • Add IP in TCP protocol options • Proxy Protocol … L7 • HTTP header "x-forwarded-for" • User protocol … LVS ① user sends traffic to LVS ② PREROUTING kernel … Proxy Protocol v1: PROXY protocol prepends every connection with a header reporting the client IP address and port. A PROXY protocol plain-text header has the … Proxy Protocol v2 … client → server: establish TCP connection, Proxy Protocol binary header, application data – both the client and the server side must support Proxy Protocol.
(29 pages, 713.08 KB)
Introduction to Envoy Internals and Production Pitfalls
… Listener filters (Network::ListenerFilter) • onAccept: accepts a new connection, determines the protocol type, TLS handshake, automatic HTTP protocol detection, extraction of connection address information • L4 network filters • HTTP, MySQL and Dubbo protocol handling, metadata exchange, layer-4 rate limiting, development and debugging support, etc. • onNewConnection: a new connection has been established; the filter can decide whether to reject it • onData: handles arrival of connection data • onWrite: handles sending of connection data …
(30 pages, 2.67 MB)
Secure Your Microservices with Istio Step by Step
… ingressgateway # use istio default controller servers: - port: number: 443 name: https protocol: HTTPs tls: mode: SIMPLE credentialName: productpage-credential hosts: - … without JWT token ○ request with invalid JWT token … Redeploy bookinfo sample services with HTTP protocol and with sidecar injected 1) Apply deny-all authorization policy 2) Apply productpage-viewer policy … reviews-viewer policy 5) Apply ratings-viewer policy …
(34 pages, 67.93 MB)
Istio Is a Long Wild River: How to Navigate It Safely
… Sidecar ● Use protocol-specific traffic sniffing (e.g. gRPC call discovery) to find out dependencies ● eBPF magic to get service calls? We use the first approach currently as it is protocol-agnostic and …
(69 pages, 1.58 MB)
Istio Project Update
… Istio simplifies VM onboarding … Istio standardizes APIs: adopt Kubernetes service API, protocol declaration in the Kubernetes service descriptor, transform informal API to formal API, external authz …
(22 pages, 1.10 MB)
Apache Kafka with Istio on K8s
… uniform way • Envoy WASM filters open the gates for a whole array of useful features such as Kafka protocol-level metrics, extended client throttling and audit logs, to name a few … Takeaway … Q&A … Thank you
(14 pages, 875.99 KB)