Istio audit report - ADA Logics - 2023-01-30 - v1.0
… com/istio/api  Language: Golang
Istio documentation  Repository: https://github.com/istio/istio.io  Language: n/a; documentation only
Page 6, Istio Security Audit, 2023, Overall assessment: "Our evaluation is that Istio …"
Findings table (as extracted; the title of the first row is cut off):

  #  | Finding                               | Severity      | Difficulty | Fixed
  …  | Istio …                               | Low           | Medium     | Yes
  6  | Istio skips certificate verification  | Low           | High       | Yes
  7  | Unhandled errors                      | Informational | n/a        | Yes
  8  | Use of deprecated 3rd party library   | Low           | High       | Yes
  9  | TOCTOU race conditions in file utils  | Medium        | …          | …

Go fragment quoted in the report (the enclosing function is not on this page):

        if err = srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
            log.Fatalf("listen:%+s\n", err)
        }
    }()
    log.Printf("server started")
    d, err := time.ParseDuration("20s")
    if err != nil {

55 pages | 703.94 KB | 1 year ago
Istio Security Assessment
Google / NCC Group, Confidential (page 5 header)
… kubectl exec -it {YOURPOD} -n {YOURNS} -- curl istiod.istio-system.svc.cluster.local:15014/debug
  • This will return the plaintext …
… following command (run with administrative access) and use it below in place of $GATEWAY:
  kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
… to kubectl -n test apply -f the samples/bookinfo/platform/kube/bookinfo.yaml and samples/bookinfo/networking/bookinfo-gateway.yaml configurations
4. Using the restricted user, kubectl -n restrict-test …
51 pages | 849.66 KB | 1 year ago
Canary release practice for Kubernetes container applications based on Istio
Istio from the microservices perspective: service mesh; service mesh control plane (slide 7)
Istio from the infrastructure (Kubernetes) perspective: service access
  [diagram: Node; services svca, svcb, svcc, svcd, svce and their namespaced entries (svcb.ns, svcc.ns, svcd.ns, svce.ns); Kube-proxy; Kube-APIServer; ServiceIp; Backend Pod1 with Labels: app=svcb, Port: 9379]
Istio on Huawei Cloud: Huawei Cloud container applications (slide 29)
Istio on Huawei Cloud: service mesh. Select "Enable service mesh" when creating the cluster to use Istio's service governance features (slide 30)
Istio on Huawei Cloud: canary release process [flowchart: Y/N decision branches] (slide 31)
Istio on Huawei Cloud: canary release (slide 32)
Istio & Kubernetes in Google Cloud Services Platform: bringing the best of the …
34 pages | 2.64 MB | 6 months ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
… globe, peering with the Internet closer to the customer
  ○ PoPs are mini AZs
  [diagram: Region R1 … Region Rn, each with AZ 1, AZ 2 … AZ n; Data Center DC1] (#IstioCon)
Application Deployment: Cloud Layout
  ● Multiple K8s clusters … run all applications from a single region or AZ in a worst-case scenario
  [diagram: Region R1; AZ 1, AZ 2 … AZ n; Data Center DC1; several K8s clusters; load-balancers, etc.]
  ■ Full isolation by confining service failures to the AZ boundary
22 pages | 505.96 KB | 1 year ago
Istio is a long wild river: how to navigate it safely
… performance and capacity. Adopting Istio
Fact: if Istio is enabled in all pods in a cluster, for n pods there are n sidecars
  ● Case 1: One size fits all (need to fit the biggest workload) + Easy to set, one …
… each call? Depending on the answers, the application RPS measured in the library may vary between 2 and n times when using Istio. (slide 61)
Istio proxy performance and capacity. Adopting Istio. [diagram: Client Pod …]
69 pages | 1.58 MB | 1 year ago
Preserve Original Source Address within Istio
A PROXY Protocol plain-text header has the format:
  PROXY TCP4 192.0.2.0 192.0.2.255 42300 443\r\n
Proxy Protocol v2 (#IstioCon)
[diagram: Proxy Protocol client / Server: establish TCP connection; Proxy Protocol …]
xff_num_trusted_hops: If use_remote_address is true and xff_num_trusted_hops is set to a value N that is greater than zero, the trusted client address is the Nth address from the right end of XFF …
29 pages | 713.08 KB | 1 year ago
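Taking the two rules quoted in this entry (the PROXY v1 header format and the Envoy use_remote_address / xff_num_trusted_hops rule), here is an added Go example, not code from the talk or from Istio/Envoy: a strict parser for a PROXY protocol v1 line, and the "Nth address from the right end of XFF" rule applied to a constructed X-Forwarded-For header, with the PROXY header's source used as the connection address. The PROXY line is the one on the slide; the XFF values, the function names, and the fallback to the connection's source address whenever XFF holds fewer than N usable entries are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ProxyV1Header holds the fields of a PROXY protocol v1 line:
// "PROXY TCP4 <src> <dst> <srcport> <dstport>\r\n".
type ProxyV1Header struct {
	Proto   string
	SrcIP   net.IP
	DstIP   net.IP
	SrcPort int
	DstPort int
}

// ParseProxyV1 parses one PROXY v1 line strictly: exactly six space-separated
// fields, CRLF terminated, IPv4 addresses for TCP4 and IPv6 for TCP6. Anything
// else is rejected, because the source address taken from this header is what
// later address-based decisions (XFF trust, RBAC) rely on.
func ParseProxyV1(line string) (*ProxyV1Header, error) {
	if !strings.HasSuffix(line, "\r\n") {
		return nil, errors.New("PROXY v1 header must end with CRLF")
	}
	if len(line) > 107 { // longest legal v1 line, CRLF included
		return nil, errors.New("PROXY v1 header too long")
	}
	f := strings.Split(strings.TrimSuffix(line, "\r\n"), " ")
	if len(f) != 6 || f[0] != "PROXY" {
		return nil, errors.New("malformed PROXY v1 header")
	}
	var ipv4 bool
	switch f[1] {
	case "TCP4":
		ipv4 = true
	case "TCP6":
		ipv4 = false
	default:
		return nil, fmt.Errorf("unsupported PROXY protocol family %q", f[1])
	}
	src, dst := net.ParseIP(f[2]), net.ParseIP(f[3])
	if src == nil || dst == nil {
		return nil, errors.New("invalid IP address in PROXY v1 header")
	}
	if (src.To4() != nil) != ipv4 || (dst.To4() != nil) != ipv4 {
		return nil, errors.New("address family does not match declared protocol")
	}
	sport, err := parsePort(f[4])
	if err != nil {
		return nil, err
	}
	dport, err := parsePort(f[5])
	if err != nil {
		return nil, err
	}
	return &ProxyV1Header{Proto: f[1], SrcIP: src, DstIP: dst, SrcPort: sport, DstPort: dport}, nil
}

func parsePort(s string) (int, error) {
	p, err := strconv.Atoi(s)
	if err != nil || p < 0 || p > 65535 {
		return 0, fmt.Errorf("invalid port %q", s)
	}
	return p, nil
}

// TrustedClientAddress applies the rule quoted on the slide for
// use_remote_address=true: with xff_num_trusted_hops = N > 0, the trusted
// client address is the Nth entry from the right end of X-Forwarded-For.
// remoteAddr is the downstream connection's source (here the PROXY source).
// Assumption of this example: when N == 0, XFF has fewer than N entries, or
// the Nth entry is not an IP, the connection address is returned rather than
// anything taken from the client-controlled header.
func TrustedClientAddress(xff string, numTrustedHops int, remoteAddr net.IP) net.IP {
	if numTrustedHops <= 0 {
		return remoteAddr
	}
	var entries []string
	for _, e := range strings.Split(xff, ",") {
		if e = strings.TrimSpace(e); e != "" {
			entries = append(entries, e)
		}
	}
	if len(entries) < numTrustedHops {
		return remoteAddr
	}
	if ip := net.ParseIP(entries[len(entries)-numTrustedHops]); ip != nil {
		return ip
	}
	return remoteAddr
}

func main() {
	// Constructed inputs: the PROXY line from the slide, and XFF as received after
	// two trusted hops (the first appended the client, the second appended the first).
	h, err := ParseProxyV1("PROXY TCP4 192.0.2.0 192.0.2.255 42300 443\r\n")
	if err != nil {
		panic(err)
	}
	xff := "203.0.113.7, 198.51.100.4"
	fmt.Println("PROXY source:", h.SrcIP, " trusted client (N=2):", TrustedClientAddress(xff, 2, h.SrcIP))
	// A client that forges a one-entry XFF gains nothing when N=2: falls back to 192.0.2.0.
	fmt.Println("forged XFF, N=2:", TrustedClientAddress("10.0.0.1", 2, h.SrcIP))
}
```

Two practitioner caveats the rule implies: only accept a PROXY header on listeners that are reachable exclusively through the load balancer that emits it, since any client that can send the header directly chooses its own source address; and set xff_num_trusted_hops to exactly the number of proxies you control in front of the mesh, because a value that is too high lets a client pad X-Forwarded-For until its chosen entry lands in the Nth-from-right slot, and a value that is too low reports a proxy's address as the client.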
Kubernetes容器应用基于Istio的灰度发布实践Mesh Istio在华为云:华为云容器应用 Istio在华为云:服务网格 只需在创建集群时选 择“启用服务网格” 即可使用Istio服务治 理功能 Istio在华为云: 灰度发布流程 Y N Y N Istio在华为云: 灰度发布 Istio & Kubernetes 在Google Cloud Services Platform: bringing the best of the cloud0 码力 | 38 页 | 14.93 MB | 1 年前3
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
Envoy filters used in the worked example: listener on port 9080; envoy.filters.network.metadata_exchange; envoy.http_connection_manager; cluster: productpage service; filter chain: envoy.filters.http.wasm / envoy.wasm.metadata_exchange (slide 15)
Create the private registry login Secret
  ● After obtaining the private registry credentials, create the Secret with the following command:
    ○ kubectl create secret generic asmwasm-cache -n istio-system --from-file=.dockerconfigjson=myconfig.json --type=kubernetes.io/dockerconfigjson
  (slide 16)
23 pages | 2.67 MB | 1 year ago
Envoy internals and production pitfalls
Envoy network and thread model
  [diagram] Main thread: initialization; logging thread; read configuration; xDS; listen; network events; start worker threads; timer events; admin requests; merge xDS updates; flush stats; DNS; scheduler
  [diagram] Worker thread: network events; timer events; listener; listener filters; release memory; record stats; state update; scheduler; L…
30 pages | 2.67 MB | 1 year ago
IstioCon2023 Welcome Keynote
… Chinese language documentation? Join the Cloud Native Community (China).
Istio Trends: ιστίο (istío), n, plural ιστία: 1. sail. What about the rest of the boat?
Upcoming Talks: Aperture - Load Management …
14 pages | 1.31 MB | 1 year ago
17 results in total