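Introduction to Envoy Principles and Pitfalls from Production Issues
Request path
LDS listener configuration: POST /envoy.service.listener.v3.ListenerDiscoveryService/StreamListeners
RDS route configuration: POST /envoy.service.route.v3.RouteDiscoveryService/StreamRoutes
CDS upstream cluster configuration: POST /envoy.service.cluster ClusterDiscoveryService/StreamClusters
EDS upstream cluster endpoint configuration: POST /envoy.service.endpoint.v3.EndpointDiscoveryService/StreamEndpoints
SDS security and certificate configuration: POST /envoy.service.secret.v3.SecretDiscoveryService/StreamSecrets
Envoy network and thread model: shared data synchronization
• 1. The dispatcher uses epoll to monitor file (network) events and timer events, and processes the queued tasks
• 2. Threads communicate by sending tasks through the post interface; each such task is activated by a timer event
• 3. Threads exchange data by using post to update thread-local storage (TLS), so the code inside each thread needs no locking
• 4. Each thread's TLS object itself holds only a shared pointer to the real object, for read operations, which reduces memory consumption.
• 5. Global object
0 credits | 30 pages | 2.67 MB | 1 year ago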
Istio audit report - ADA Logics - 2023-01-30 - v1.0
Debugf("Received STS request: %s", string(reqDump)) } if req.Method != "POST" { return reqParam, fmt.Errorf("request method is invalid, should be POST but get %s", req.Method) } if req.Header.Get("Content-Type") MultiReader(readers...) fmt.Println("len of combined in millions: ", totalLen/1000000) req, err := http.NewRequest("POST", "", combined) if err != nil { panic(err) } reqDump, err := httputil.DumpRequest(req, true) if the Istio team who then triaged and mitigated the fixes. The entire audit was finalised with a blog post which can be found here: https://istio.io/latest/blog/2021/ncc-security-assessment/ Ada Logics reviewed
0 credits | 55 pages | 703.94 KB | 1 year ago
Istio Security Assessment
sidecar Envoy proxy process exposes its administration interface on port 15000. This API exposes a POST /quitquitquit route that will cause Envoy to exit, enabling the workload container to claim its ports this interface does not provide many direct means for performing dangerous actions — for example, the POST /tap endpoint for intercepting traffic requires a non-default extension to be loaded — it still In the case of the latter, this could enable a denial of service vector by sending a request to the POST /quitquitquit endpoint that causes the process to exit. "admin": { "access_log_path": "/dev/null"
0 credits | 51 pages | 849.66 KB | 1 year ago
Istio is a long wild river: how to navigate it safely
command: ["/bin/sh", "-c", "sleep 30; wget -qO- --post-data '' localhost:15000/healthcheck/fail; sleep 45; wget -qO- --post-data '' localhost:15000/healthcheck/ok;"] This preStop hook will
0 credits | 69 pages | 1.58 MB | 1 year ago
Istio 2021 Roadmap: A heartwarming work of staggering predictability
Upgrade Working Group ○ Promoting revision based upgrades ○ Support skip-level upgrades ○ Pre & Post Upgrade checks ○ Better testing mirroring production use cases ● Enhanced troubleshooting ● Aligning
0 credits | 17 pages | 633.89 KB | 1 year ago
Set Sail for a Ship-Shape Istio Release
Provide a consistent list of requirements for each type of release: security, patch, major ● Where to post announcements ● What to look for when examining releases ○ Performance ○ Resource usage ○ Open
0 credits | 18 pages | 199.43 KB | 1 year ago
IstioCon 2021 Partner Packages
[Unavailable] Available sponsorship: 1 ● Attendees can take selfies with IstioCon logo in frame, post on social media, and add conference hashtags ● A Slack channel will be dedicated to the photo booth
0 credits | 23 pages | 3.18 MB | 1 year ago
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
wasm capability. Confirm that the Workload deployment change has taken effect: 1. Log in to the proxy container to check whether the wasm filter was mounted successfully 2. Adjust the wasm log level: curl -X POST http://localhost:15000/logging?wasm=debug #IstioCon Thank you!
0 credits | 23 pages | 2.67 MB | 1 year ago