Istio Security Assessment
  … 9080 - match: - uri: exact: /login redirect: uri: / authority: www.nccgroup.com … 6. Save the result of the following … 7. Run the following command and observe that a normal HTML page is returned: curl … istio-ingressgateway, in the istio-system namespace to handle requests for all namespaces. As a result of this, it is possible for Gateways in different namespaces to declare servers lists with colliding … // do not expect an error here _, _ = buf.WriteTo(hasher) pool.PutBuffer(buf) result := hasher.Sum(nil) return string(result) … Recommendation: Use a cryptographically secure hash, such as: • a SHA2-family …
  51 pages | 849.66 KB | 1 year ago
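The assessment excerpt above recommends a SHA-2 family digest in place of the non-cryptographic hash that the quoted code feeds its buffer into and uses as a key. The Go program below is an added example, not code from the NCC Group assessment or from Istio: it keys data with 32-bit FNV-1a as a stand-in for whatever non-cryptographic hash the assessed code used (an assumption made here), shows with a plain birthday search that two different inputs sharing a key are cheap to find, and gives the SHA-256 replacement. fnvKey, sha256Key and findFNVCollision are names introduced for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash/fnv"
	"math/rand"
	"strconv"
)

// fnvKey is the weak pattern: a fast, non-cryptographic hash used as the key
// for a cache or lookup. FNV-1a/32 is a stand-in chosen for this example
// (an assumption); the point is the short, non-collision-resistant output.
func fnvKey(data []byte) uint32 {
	h := fnv.New32a()
	_, _ = h.Write(data) // hash.Hash writers never return an error
	return h.Sum32()
}

// sha256Key is the recommended replacement: a SHA-2 family digest, hex
// encoded so the key is printable and safe to use in maps and logs.
func sha256Key(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// findFNVCollision generates up to limit random inputs and returns the first
// pair of distinct inputs that share an fnvKey. A 32-bit output has a
// birthday bound of roughly 77,000 inputs, so a few hundred thousand tries
// succeed with overwhelming probability; the seed is fixed for reproducibility.
func findFNVCollision(limit int) (a, b []byte, ok bool) {
	seen := make(map[uint32][]byte)
	rng := rand.New(rand.NewSource(1))
	for i := 0; i < limit; i++ {
		candidate := []byte("config-" + strconv.FormatUint(rng.Uint64(), 16))
		k := fnvKey(candidate)
		if prev, dup := seen[k]; dup && string(prev) != string(candidate) {
			return prev, candidate, true
		}
		seen[k] = candidate
	}
	return nil, nil, false
}

func main() {
	a, b, ok := findFNVCollision(1_000_000)
	if !ok {
		fmt.Println("no collision found (try a larger limit)")
		return
	}
	fmt.Printf("FNV-1a/32 collision: %q and %q both hash to %#x\n", a, b, fnvKey(a))
	fmt.Printf("SHA-256 keys differ:\n  %s\n  %s\n", sha256Key(a), sha256Key(b))
}
```

The search succeeds within a few hundred thousand inputs because the key space is only 2^32. A 64-bit non-cryptographic hash raises the bound to about 2^32 inputs, which is still within reach of anyone who can submit enough distinct configurations; SHA-256 puts the generic collision bound at 2^128 and has no known structural shortcut.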
Envoy原理介绍及线上问题踩坑 (Introduction to Envoy internals and pitfalls hit in production)
  [slide diagram: istiod, Pilot-agent, apiServer, iptables; Envoy, client, backend 8123; Virtual outbound 15001; Envoy, backend:8123, 127.0.0.1:8123; zipkin; Pod1 / Pod2, each with an application container and an Istio-proxy container] … and the default values for the maximum number of upstream connections and the maximum number of pending requests impose no limit. [slide diagram: APP, iptables, outbound envoy, backend, iptables, inbound envoy, POD1 / POD2; ingressgateway; inside the mesh] … [slide diagram: listener filters tls_inspector, http_inspector; http_connection_manager … router; upstream conn pool, codec, backend http/1.x, h2c; iptables; metadata_exchange; listener filter, L7 filter, L4 filter; downstream connection, upstream connection; cluster inbound] …
  30 pages | 2.67 MB | 1 year ago
Kubernetes容器应用基于Istio的灰度发布实践 (Canary release practice for Kubernetes container applications on Istio)
  [slide diagram: svca, svcb, svcd, svce; svce.ns, svcd.ns; Kube-proxy, Kube-APIServer, ServiceIp; Backend Pod1 and Backend Pod2 with Labels: app=svcb, Port: 9379] … Istio from the infrastructure (Kubernetes) point of view: capability enhancement, service deployment and operations … Istio & Kubernetes: Mixer [slide diagram: attribute, Mixer, proxy, svc; Logging Backend, Quota Backend, Auth Backend, Metric Backend; Prometheus, AWS, New Relic, Huawei-APM] … apiVersion: "config.istio.io/v1alpha2" …
  38 pages | 14.93 MB | 1 year ago
Kubernetes容器应用基于Istio的灰度发布实践 (Canary release practice for Kubernetes container applications on Istio)
  [slide diagram: svca, svcb, svcd, svce; svce.ns, svcd.ns; Kube-proxy, Kube-APIServer, ServiceIp; Backend Pod1 and Backend Pod2 with Labels: app=svcb, Port: 9379] … Istio from the infrastructure (Kubernetes) point of view: capability enhancement, service deployment and operations … Istio & Kubernetes: Mixer [slide diagram: attribute, Mixer, proxy, svc; Logging Backend, Quota Backend, Auth Backend, Metric Backend; Prometheus, AWS, New Relic, Huawei-APM] … apiVersion: "config.istio.io/v1alpha2" …
  34 pages | 2.64 MB | 6 months ago
Observability and Istio Telemetry
  … supported … Power of out-of-process adaptor … Bypass adaptor … [slide diagram: Adaptor, In process, Bypass adaptor, SkyWalking backend; Tracing, Metric; Receiver in gRPC/HTTP; Analysis Core, Query Core] … Istio telemetry Attribute Vocabulary …
  21 pages | 5.29 MB | 6 months ago
Preserve Original Source Address within Istio
  … address … 1. Sticky Session: based on IP hash, traffic from the same client is forwarded to the same backend 2. Security Policy: set white/black list 3. Access log & Stats 4. Specific scenarios like SIP …
  29 pages | 713.08 KB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
  … orchestration & UI tools to use Access Point specs ● Standardization provides flexibility to switch backend implementations to software … [slide diagram: Region R1; AZ 1, AZ 2, AZ n; Data Center DC1; K8s Cluster, K8s Cluster] …
  22 pages | 505.96 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
  … into memory before the Handler is called. To limit the memory consumed by this request, wrap the result of NewHandler in an http.MaxBytesHandler.” John found that when the recommended MaxBytesHandler … com/istio/istio/blob/master/operator/pkg/util/tgz/tgz.go#L70 ) // This creates a malicious Gzip file that will result in // arbitrary file write when extracted by https://github.com/istio/istio/blob/master/operator/pkg/util/tgz/tgz … // Get sends an HTTP GET request and returns the result. func Get(url string) ([]byte, error) { resp, err := http.Get(url) if err != nil { return nil, …
  55 pages | 703.94 KB | 1 year ago
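The audit excerpt above names two resource-handling findings: a request body read fully into memory (the remedy quoted is http.MaxBytesHandler) and a crafted .tar.gz that makes tgz.go write outside its destination directory. The Go program below is an added example, not Istio's tgz.go and not the auditor's proof of concept: it builds a constructed archive in memory whose entry is named ../../evil.txt, and shows an extractor that rejects that entry, refuses link and device entries, and caps each file's size in the spirit of MaxBytesHandler. buildTgz, safeJoin, writeEntry, extractTgz and ErrPathEscape are names introduced for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathEscape is returned for any entry that would land outside dest.
var ErrPathEscape = errors.New("tgz: entry path escapes destination directory")

// buildTgz creates an in-memory .tar.gz from name->content pairs. It is
// constructed test data for this example, not an artefact from the audit.
func buildTgz(entries map[string]string) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for name, content := range entries {
		hdr := &tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(content))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(content)); err != nil {
			panic(err)
		}
	}
	_ = tw.Close()
	_ = gz.Close()
	return buf.Bytes()
}

// safeJoin resolves an entry name under dest. filepath.Join collapses ".."
// segments, so the check is made on the result: anything that is not below
// dest (bare "..", "../x", or a path that climbed out) is rejected.
func safeJoin(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrPathEscape, name)
	}
	return target, nil
}

// writeEntry copies one regular file out of the tar stream, trusting neither
// the header's declared Size nor the stream length beyond maxFileBytes.
func writeEntry(target string, r io.Reader, declared, maxFileBytes int64) error {
	if declared > maxFileBytes {
		return fmt.Errorf("tgz: %q declares %d bytes, limit is %d", target, declared, maxFileBytes)
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = io.Copy(f, io.LimitReader(r, maxFileBytes))
	return err
}

// extractTgz unpacks archive into dest and returns the number of regular
// files written. Symlinks, hard links and device nodes are refused: a symlink
// pointing outside dest, followed by a file written through it, is the other
// classic escape route.
func extractTgz(archive []byte, dest string, maxFileBytes int64) (int, error) {
	gz, err := gzip.NewReader(bytes.NewReader(archive))
	if err != nil {
		return 0, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	written := 0
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		target, err := safeJoin(dest, hdr.Name)
		if err != nil {
			return written, err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o755)
		case tar.TypeReg:
			if err = writeEntry(target, tr, hdr.Size, maxFileBytes); err == nil {
				written++
			}
		default:
			err = fmt.Errorf("tgz: refusing entry %q of type %c", hdr.Name, hdr.Typeflag)
		}
		if err != nil {
			return written, err
		}
	}
}

func main() {
	dest, _ := os.MkdirTemp("", "tgz-example")
	defer os.RemoveAll(dest)
	_, err := extractTgz(buildTgz(map[string]string{"../../evil.txt": "pwned\n"}), dest, 1<<20)
	fmt.Println("malicious archive:", err)
	n, err := extractTgz(buildTgz(map[string]string{"manifests/gateway.yaml": "kind: Gateway\n"}), dest, 1<<20)
	fmt.Println("benign archive: files written =", n, "err =", err)
}
```

The check is done after filepath.Join rather than on the raw name because Join is what actually resolves "..": a name such as ok/../inside.txt stays inside dest and is accepted, while ../../evil.txt or a bare .. resolves above dest and is refused before anything is opened.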
Secure your microservices with istio step by step
  … label namespace default istio-injection=disabled/enabled ) [slide diagram: http request arrows] Result: can access reviews-v1, reviews-v2 and reviews-v3 … Access productpage … #IstioCon Istio Identity … istio-proxy curl localhost:15000/config_dump … Istio identity – check configuration result ● Result: cert generated automatically with Istio identity 1) Apply peer-authentication to enable server …
  34 pages | 67.93 MB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
  … testing for microservices architectures with Istio – Fewer failures higher up the test pyramid as a result of improved API tests • Istio benefits – Venky / Prasad – point here • Demo • Questions … Structure … independently - Updates to an API require updating corresponding Service and Component tests - As a result, teams would go for just E2E tests … Teams often focus on End-to-End tests (besides …
  21 pages | 1.09 MB | 1 year ago
13 results in total