Observability and Istio Telemetry
Adaptor In process Bypass adaptor SkyWalking backend Tracing Metric Receiver in gRPC/HTTP Analysis Core Query Core Istio telemetry Attribute Vocabulary https://istio.io/docs/reference/config/policy-and- formatTelemetry to Analysis scope • After you received the telemetry, either from Istio or Any other mesh data/control panel • Format the telemetry to Observability Analysis Language • A compile endpoint, network_address. They are metadata for SkyWalking. Don’t delete these. INDICATOR All metric data belong to this. They are in min/ hour/day/hour time level. They are named by Rule: scopename_funcName_timeLevel
0 码力 | 21 pages | 5.29 MB | 6 months ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
Knative and Istio ● How Istio is leveraged in a Knative based platform ● Performance bottleneck analysis and tuning ○ Istio scalability optimization during Knative Service provisioning ○ Unleash maximum with mesh enabled (based on https://github.com/knative/serving) #IstioCon Performance bottleneck analysis and tuning • Performance Criteria: the platform has multiple shard k8s clusters, each cluster should Knative which can generate specific Knative Service provisioning workload and provides aggregated data of Knative Service ready duration. o Knative Performance Testing Framework 2 Design #IstioCon o
0 码力 | 23 pages | 2.51 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
(Consul, Kuma…) #IstioCon Emerging Use Cases #IstioCon Legacy Scenarios ● Stateful applications ○ Data store ● Legacy software ○ Financial services ○ Enterprise/Workshop applications ○ Hard to lift services in the cluster ○ DNS name resolved ■ gets routed through the gateway to the service ● The data plane traffic ■ Single network ● direct communication w/o requiring intermediate Gateway ■ Multiple for sensitive data ○ Strong isolation for multi-vendor services ○ End-to-end security! (not just between middle boxes) ● High performance networking ○ Much higher multi-Gbps peak data speeds ○ Ultra
0 码力 | 50 pages | 2.19 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
usage of the language. Istio consists of two components: The controlplane and the dataplane. The data plane handles the connection between services and forms a series of proxies deployed as sidecars. err := url.Parse(srcURL) if err != nil { return "", fmt.Errorf("invalid chart URL: %s", srcURL) } data, err := httprequest.Get(u.String()) if err != nil { return "", err } name := filepath.Base(u.Path) err := os.Mkdir(dir, 0o755) if err != nil { return "", err } } if err := os.WriteFile(destFile, data, 0o644); err != nil { return destFile, err } return destFile, nil } Exploitation To exploit this
0 码力 | 55 pages | 703.94 KB | 1 year ago
Istio Security Assessment
Google Istio Security Assessment Google / NCC Group Confidential Dashboard Target Metadata Engagement Data Name Istio Type Architecture Review and Code-Assisted Security Assessment Type Kubernetes Service Total issues 18 Category Breakdown Access Controls 7 Configuration 5 Cryptography 1 Data Exposure 3 Data Validation 2 Component Breakdown Istio 10 Istio Sidecar 3 Istioctl 2 Pilot 3 Key Critical Communications Risk High Impact: High, Exploitability: Medium Identifier NCC-GOIST2005-004 Category Data Exposure Component Istio Location Istio Control Plane: • controlPlaneSecurityEnabled istioctl configuration
0 码力 | 51 pages | 849.66 KB | 1 year ago
Istio Meetup China: Service Mesh Security, Understanding Istio CNI
SkyWalking is an observability power tool that provides distributed tracing, service mesh telemetry analysis, metric aggregation and visualization for cloud-native workloads in a single platform. Leading Could happen in suddenly increased nodes and preemptible nodes Bypassing all iptable rules set by data plane proxies Troubleshooting Istio CNI Check the istio proxy container through nsenter Check CNI
0 码力 | 19 pages | 3.17 MB | 1 year ago
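Exploring and Practicing Istio-Based Microservice Governance Event Monitoring
logfile Kubernetes console APP logfile APP logfile APP logfile Kubernetes console search & analysis Prometheus TSDB Improving the architecture based on the correlation between requests and logs A Agent B Agent C Agent Request(Transaction ID) A(application)
0 码力 | 29 pages | 8.37 MB | 6 months ago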
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
tests • What is our solution? – Leverage Istio sidecar to listen to API traffic data and create tests from the data – 10x speed in creating API tests • Can also be sped up by just navigating the application application UI – Create E2E tests, component tests and service tests from the same data • Key product benefits (#releases, #rollbacks, MTTR, #bugs-in-production, Reduced eng effort for testing, velocity) A Proxy Proxy Service B Service C Proxy Mesh Dynamics Data Store Deploy: kubectl apply -f Capture using Lua filter All API data + TraceIDs | CONFIDENTIAL 11 Assemble API request traces
0 码力 | 21 pages | 1.09 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
from ○ API services, Search Engine, etc. ○ Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems & Pipelines - Hadoop, Apache Spark, Apache Flink, etc. ○ Machine Learning Platforms - Tensorflow GPUs #IstioCon Application Deployment: Cloud Layout ● Region: A metro region ● DC: One or more Data Centers in each Region ● AZ: One or more Availability Zones in each DC ○ Independent power, cooling peering with the Internet closer to the customer ○ PoPs are mini AZs Region R1 AZ 1 AZ 2 AZ n Data Center DC1 Region Rn #IstioCon Application Deployment: Cloud Layout ● Multiple K8s Clusters
0 码力 | 22 pages | 505.96 KB | 1 year ago
Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
○ ... IP Data IP Header TCP Data TCP Header Layer-7 Header Data #IstioCon What Do We Get From Istio? IP Data IP Header TCP Data TCP Header Layer-7 Header Data Traffic Management
0 码力 | 29 pages | 2.11 MB | 1 year ago