#IstioCon Local Istio Development John Howard / @howardjohn / Google #IstioCon Fully Cloud docker push kubectl apply docker pull #IstioCon Fully Cloud docker push kubectl apply docker pull requests #IstioCon Thank you! For more information: ● https://github.com/howardjohn/local-istio-development

based, large-scale serverless platform with Istio 张龚, Gong Zhang, IBM China Development Lab 庄宇, Yu Zhuang, IBM China Development Lab #IstioCon Speakers Gong (Grace) Zhang, zhanggbj@cn.ibm.com, twitter Knative benchmark tool helps everyone to understand the issue and accelerate the whole debug and fix process: https://github.com/knative-sandbox/kperf ● Get Istio CPU/MEM stats: https://github.com/istio/i

runs go trace profiling tools5 on the pilot binary itself which contains stack, heap, and other process information about Pilot. This has a risk of containing certificates, keys, and secrets used by Pilot administrators debug information about Pilot itself including detailed runtime information to allow for process debugging or performance analysis. This also includes potentially sensitive information that should port. Additionally, even if this port were not granted a short-circuit, Istio’s sidecar Envoy proxy process exposes its administration interface on port 15000. This API exposes a POST /qui tquitquit route

tests to identify problems Iterate • Fix bugs • Repeat Testing starts late in the API development process. That’s not good!! | CONFIDENTIAL Start testing earlier Create and maintain a balanced Third-party apps Manual QA trace: r trace: r trace: r trace: r CI Pipeline | CONFIDENTIAL 9 Process flow using Istio Deploy Lua filters (kubectl apply -f ) Capture traces for E2E test

Istio PoC Sep 2019 First release in production Feb 2021 ~25% production services ~50% development services migrated to Istio End of 2021 100% services migrated to Istio 8 Features

implementorObserve on mesh Metric from Service Mesh by native supportedPower of out of process adaptor Bypass adpator Adaptor In process Bypass adaptor SkyWalking backend Tracing Metric Receiver in gRPC/HTTP pods in Kubernetes, it doesn't need to be a single process in OS. Also if you are using instrument agents, an instance is actually a real process in OS. • Endpoint. It is a path in the certain service

○ Release with known issues ○ Performance and resource usage ● Istio community didn’t have a process #IstioCon Led To ● Upgrade Working Group ● Release Note Generation ● Definition of Done #IstioCon checklists and continuous feedback So Far… ● Release Notes tooling ● Feature Maturity Process ● Release Maturity Process #IstioCon Old System Expectation: Maintainers would populate a Google docs draft what’s being changed. ● Release notes and upgrade notes are no longer easily forgotten. ● The process has gone from weeks to hours for major releases and hours to minutes for patch releases. Better

the review by requesting internal documentation that had been produced as part of the mitigation process. We then looked for public documentation related to the issues in the audit report. Finally we evaluated all categories except for provenance. Only two items are le� marginally unsatisfied in the build process. The build is not fully satisfied because the build can access secrets from the build service, where intended to be reproducible. This is a so� requirement for fulfilling “Reproducible” of the build process compliance: “The user-provided build script SHOULD declare whether the build is intended to be reproducible

the Roadmap session. It is used to explain a process. ● Sponsored by Google (Example from Wikimedia movement 2030 strategy) Graphic recording Process and implementation Coordination and support

启动参数文档热重启envoy热重启涉及以下步骤 • Pilot-Agent只是负责启动S，其他步骤由envoy完成。 • 1. 启动另外一个S进程（Secondary process） • 2. S通知P（Primary process）关闭其管理的端口，由S接管 • 3. S加载配置，开始绑定listen sockets，在这期间使用UDS从P获取合适的listen sockets • 4.