Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
#IstioCon Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio 张龚, Gong Zhang, IBM China Development Lab 庄宇, Yu Zhuang, IBM China Development Lab #IstioCon in a Knative based platform ● Performance bottleneck analysis and tuning ○ Istio scalability optimization during Knative Service provisioning ○ Unleash maximum scalability by fully leveraging Istio features capabilities for Kubernetes clusters for deploying, running, and managing serverless, cloud- native applications. It provides benefits: Focus on code Scale to zero Quick entry to serverless computing
23 pages | 2.51 MB | 1 year ago
Apache Kafka with Istio on K8s
Sebastian Toader & Zsolt Varga 2021-Feb-26 Apache Kafka with Istio on K8s 2 • Scalability • Resiliency • Security • Observability • Disaster recovery Production grade Apache Kafka on Kubernetes
14 pages | 875.99 KB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Multitenant Service Mesh using Istio Sudheendra Murthy #IstioCon Agenda ● Introduction ● Applications Deployment ● Service Mesh Journey ● Scale Testing ● Future Direction #IstioCon Introduction: Number of Sellers worldwide 1.7B Number of Live Listings $26.6B GMV in Q4 2020 #IstioCon eBay Applications eBay is powered by ● More than 5,000 Microservices ranging from ○ API services, Search Engine including prod, pre-prod, staging, etc. ● Applications deployment for HA ○ In all regions ○ In multiple AZs in each region ○ Capability to run all applications from a single region or AZ in a worst-case
22 pages | 505.96 KB | 1 year ago
Istio Security Assessment
for accounts with access to only specific namespaces to surreptitiously intercept the traffic of applications from other namespaces that they do not otherwise have any access to. Reproduction Steps 1. Configure it exposes. One of which is the “/debug” API hosted on 15014/TCP by default. This service exposes a web interface that is accessible without authentication to anything that is able to access its network Pilot. This has a risk of containing certificates, keys, and secrets used by Pilot at runtime. This web interface also allows unauthenticated users to force all Istio objects to sync their current
51 pages | 849.66 KB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
resources, fault domains etc.) ■ Compatibility (non-Linux, unikernels) ○ Business reasons ■ Legacy applications ■ Deterministic workloads with strong requirements ● For Istio ○ What is Istio? A service Use Cases #IstioCon Legacy Scenarios ● Stateful applications ○ Data store ● Legacy software ○ Financial services ○ Enterprise/Workshop applications ○ Hard to lift and shift ● Packaged software Gateway ■ Multiple networks ● all goes through the Gateway ● via L3 networking (if enhanced performance is desired) #IstioCon Demo #IstioCon Istio VM integration seems closer to be production ready
50 pages | 2.19 MB | 1 year ago
Accelerate Istio with ebpf
in service mesh ● Background knowledge of eBPF ● Independent solution to bypass TCP/IP stack ● Performance Comparison Istio Meetup China TCP/IP stack overhead ● All the application data goes via sidecar Knowledge map ● Share collected information ● Accessed from eBPF programs as well as from applications in user space ● Map type o HASHMAP o SOCKHASH: Hold socket as value Istio Meetup China ebpf Envoy to Envoy Acceleration(same host) Istio Meetup China Deploy eBPF Istio Meetup China Performance Comparison Refactored istio benchmarking tool ◦ Two pods run on the same node Configurations
15 pages | 591.60 KB | 1 year ago
Istio is a long wild river: how to navigate it safely
Mercari What Is Mercari? ● Service start: July 2013 ● OS: Android, iOS *Can also be accessed by web browsers ● Usage fee: Free *Commission fee for sold items: 10% of the sales price ● Regions/languages Label selector updates for app and version labels ● Istio default retry policy ● Istio proxy performance and load testing ● Abstracting the Istio features 44 Moving HTTP/2 load-balancing from client-side Istio proxy performance and capacity Adopting Istio ● Putting sidecars everywhere has a cost ○ Latency ○ Compute resources The Istio 1.9 community reference values for sidecar performance are: ● Latency:
69 pages | 1.58 MB | 1 year ago
Accelerate Istio-CNI with ebpf
Share collected information and to store state ● Accessed from eBPF programs as well as from applications in user space #IstioCon Work Flow of Acceleration ● Attach SOCK_OPS program to global cgroup #IstioCon Outbound Acceleration #IstioCon Envoy to Envoy Acceleration(same host) #IstioCon Performance Comparison #IstioCon Thank you!
15 pages | 658.90 KB | 1 year ago
Developing & Debugging WebAssembly Filters
Copyright © 2020 Portable Secure Fast Any Language Outside the Web Web Assembly Extend Envoy Proxy with Web Assembly (Wasm) Polyglot: Envoy Filters are written in C++ and Wasm dynamically update w/o Envoy restarts, no hard dependencies or cascading failures Speed: Near native performance Sustainable: Eliminates need to recompile and maintain a build of Envoy EXTERNAL AUTH RATE SECURITY Technology User Experience Web Assembly lifecycle Build > meshctl wasm init addheader-filter --language
22 pages | 2.22 MB | 1 year ago
Set Sail for a Ship-Shape Istio Release
inconsistent ○ Release and Upgrade Notes ○ Release date slip ○ Release with known issues ○ Performance and resource usage ● Istio community didn’t have a process #IstioCon Led To ● Upgrade Working security, patch, major ● Where to post announcements ● What to look for when examining releases ○ Performance ○ Resource usage ○ Open issues ○ Features being promoted ○ Release notes and upgrade notes Open issues and priorities ● Issues being promoted ● Features awaiting documentation ● Weekly performance ● Open release blockers #IstioCon Thanks also to the efforts of: ● Mitch Connors ● Nathan
18 pages | 199.43 KB | 1 year ago