Istio Security Assessment
  Networking controls allowing inbound and outbound access of Istio services.
  • Istio Envoy Usage: The configuration and implementation of Envoy within Istio (NOTE: Envoy itself was not part of the assessment) [...] did not appear to be possible to secure the control plane either by the controlPlaneSecurity configuration directive or other means. This left all default services exposed within the cluster.
  • The default Istio sidecar [...] would allow a malicious workload to override or compromise their own Istio configuration.
  Strategic Recommendations
  • Build opinionated profiles for security: Istio allows a variety [...]
  51 pages | 849.66 KB | 1 year ago
Moving large scale consumer e-commerce Infrastructure to Mesh in Go
  #IstioCon Architecture Overview - Discovery and Routing
  ● Service Discovery and Configuration using Consul
  ● HTTP/TCP traffic via HAProxy
  ● gRPC traffic via Envoy
  ● Internet egress (HAProxy/Envoy)
  ● More control over load balancing
  ● Offload application services from networking and configuration
  ● Avoid other sources of failures (Consul etc.)
  ● Possible benefits on Observability
  [...]
  ● Passthrough mode downgrades gRPC/HTTP/2 protocol to HTTP/1.1
  ● Tune connection and TCP settings
  ● Handle signals gracefully (SIGINT, SIGTERM)
  ● Automate for easy management of setup across environments
  14 pages | 1.76 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
  [...] manage network traffic between microservices. The control plane is responsible for applying user configuration to the proxies. The following diagram demonstrates the Istio architecture: [...] circumvent the configured policies. It is Istio's assumption that default settings are secure, and insecure default settings would be considered a security issue. Policy enforcement points must securely [...]
  55 pages | 703.94 KB | 1 year ago
Istio is a long wild river: how to navigate it safely
  multi-containers pods. Stabilizing Istio: Pod with App container (CPU: 1) and Sidecar container (CPU: 100m) as container requests/resources; HPA configuration (70% CPU):
    metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: [...]
  69 pages | 1.58 MB | 1 year ago
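The slide fragment above pairs a pod-level HPA metric (type: Resource, 70% CPU) with a pod that carries both an application container (CPU request 1) and an Istio sidecar (CPU request 100m). A Resource metric computes utilization from the summed usage and summed requests of every container in the pod, so the sidecar's request is folded into the 70% target and the app's own saturation is under-reported. The following is an added example, not taken from the talk: the pod-level form beside a ContainerResource metric (autoscaling/v2) that measures only the application container. The Deployment name checkout and the container name app are assumptions; istio-proxy is the sidecar container name Istio injects.

```yaml
# Added example (not from the talk). Assumed names: Deployment "checkout",
# application container "app"; the Istio-injected sidecar is "istio-proxy".
---
# Pod-level metric: utilization = sum(usage of all containers) / sum(requests of all containers).
# With app=1 CPU and istio-proxy=100m the denominator is 1100m, so the sidecar's
# request silently becomes part of the 70% target.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: checkout-pod-level
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: checkout
  minReplicas: 2
  maxReplicas: 20
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70
---
# Container-scoped metric: utilization is computed from the "app" container only,
# so the sidecar's usage and request no longer influence the scaling decision.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: checkout-app-container
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: checkout
  minReplicas: 2
  maxReplicas: 20
  metrics:
  - type: ContainerResource
    containerResource:
      name: cpu
      container: app
      target:
        type: Utilization
        averageUtilization: 70
```

Only one of the two objects should target a given Deployment; they are shown together for comparison. ContainerResource metrics require the HPAContainerMetrics feature (beta and enabled by default from Kubernetes 1.27, GA in 1.30); `kubectl explain hpa.spec.metrics.containerResource` confirms whether the cluster's API server knows the field.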
Full-stack service mesh: Aeraki helps you manage any layer-7 traffic in an Istio service mesh
  [...] filter. LDS with AwesomeRPC filter. EnvoyFilter is an Istio configuration CRD, by which we can apply a "patch" to the Envoy configuration generated by Pilot. #IstioCon EnvoyFilter Example - Dubbo Traffic [...] HTTP and gRPC. You can think of Aeraki as the "Controller" to automate the creation of Envoy configuration for layer-7 protocols. Aeraki: Manage any layer-7 traffic in an Istio service mesh. Provides an abstract layer with Aeraki CRDs, hiding the trivial details of the low-level Envoy configuration from operation.
  ● Protocol-related Envoy configurations are now generated by Aeraki, significantly [...]
  29 pages | 2.11 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
  [diagram labels: Request Traffic, Response Traffic, Specs synced from Federated Access Point, L4 Configuration, L7 Route Configuration, watch, Client Traffic tunneled to Ingress Gateways]
  One Istio Deployment per service mesh span all clusters in an AZ:
  ○ Re-deployed Istio to AZ cluster
  ○ In Primary-Remote configuration within an AZ
  [diagram labels: AZ Cluster, Ingress Gateways, API Server, Istiod, East-West Gateway, watch]
  [...] EDS, LDS, RDS push times)
  ■ Resource usage (CPU, memory, etc.)
  ○ Secondary Goal
  ■ Fine-tune configuration params - debounce interval, push concurrency, etc.
  #IstioCon Control-plane Scale Testing: [...]
  22 pages | 505.96 KB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
  [...] duration from Knative Ingress and Istio VirtualService are created to Knative probe thinks the configuration works.
  o [Istio 1.5.4] Istio is picking up new VirtualService slowly 30s
  #IstioCon [...] Support for backpressure on XDS pushes to avoid overloading Envoy during periods of high configuration churn. This is disabled by default and can be enabled by setting the PILOT_ENABLE_FLOW_CONTROL [...]
  • support for backpressure on XDS pushes to avoid overloading Envoy during periods of high configuration churn 30s
  Unleash maximum scalability by fully leveraging Istio features in Knative [...]
  23 pages | 2.51 MB | 1 year ago
Istio-redirector: the way to go to manage thousands of HTTP redirections
  [...] of our SEO Specialist. #IstioCon How does it work?
  1 Creating the .csv (SEO specialist creates the file manually)
  2 Importing the file
  3 Generating the Istio configuration
  4 Deploy to production (the files are reviewed, merged and deployed!)
  [fragments: Matching old URLs [...]; [...] repo]
  13 pages | 1.07 MB | 1 year ago
Istio Service Mesh at Enterprise Scale
  [...] Failure. Adoption Challenges:
  ● Multi-region deployments
  ● Non-flat networks
  ● Multi-tenant configuration
  ● Management of Istio installation
  ● Self-service mesh enablement for service owners
  Demo (k8s, Istio). Istio Validation Webhooks:
  ● Allow configuration only related to owned namespace
  ○ Only allow configuration for a "service's" hostname
  ● Validated
  ○ Deployments
  ○ Virtual [...]
  12 pages | 1.23 MB | 1 year ago
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
  Ways to add a new filter
  ● Built-in Filter & Community Provided:
  ○ https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/http_filters
  ○ ...
  ● Custom development:
  ○ Static precompilation:
  ■ Integrate additional filters into Envoy's source code and compile a new Envoy build.
  [...] runtime
  ○ ~20MB for WAVM
  ○ ~10MB for V8
  ● Event-driven model
  ● Compatible with the native filter invocation model
  [...] Example Wasm filter configuration
  ● Configuration pushed down to the Envoy proxy
  [...] OCI Registry As Storage
  ● Reference implementation of the OCI Artifacts project; significantly simplifies storing arbitrary content in an OCI registry
  23 pages | 2.67 MB | 1 year ago
24 results in total.