Istio Meetup China: Service Mesh Security, Understanding Istio CNI - Networking lifecycle (Istio Init): start the istio init container in the workload; Istiod watches updates & starts the networking sidecar proxy; the init container updates the iptables rules for the proxy; the init container terminates; the workload starts. Benefits of Istio CNI: no need for the CAP_NET_ADMIN and CAP_NET_RAW permissions; no need for the istio-init container, which means faster startup (validation is needed instead). Issue in Istio CNI: kubelet starts the CNI. Repair controller: validate through istio-init (iptables); detect crashlooping init containers; kill and restart them. Taint controller: no need for the istio init container (faster startup speed); taint the node when | 19 pages | 3.17 MB | 1 year ago
Istio Security Assessment - DestinationRules Without CA Certificates Field Do Not Validate Certificates (019, Low); Default Injected Init Container Requires Sensitive Capabilities (021, Low); Execution of System Commands without Validation. Google Istio Security Assessment, Google / NCC Group Confidential. Finding: Default Injected Init Container Requires Sensitive Capabilities. Risk: Low (Impact: Medium, Exploitability: Low). Identifier: NCC-GOIST2005-021. Category: Access Controls. Component: Istio Sidecar. Location: the istio-init init container defined within istio/manifests/charts/istio-control/istio-discovery/files/injection-template | 51 pages | 849.66 KB | 1 year ago
Introduction to Envoy Internals and Production Pitfalls - backend:8123 127.0.0.1:8123 zipkin Pod1 Pod2 application container, Istio-proxy container, Istio-init container, shared network inside the Pod, Virtual inbound 15006, kubelet, intercept Pod creation requests for the designated namespace, xDS, iptables rules. istiod intercepts the pod creation request; if it identifies the pod as belonging to a designated namespace, it uses the configmap configuration to generate a pod creation request carrying the two Envoy containers; the modified request is received by the kubelet, which creates the pod on the node. • The istio-init container is added to configure the iptables rules inside the container network. • The istio-proxy container starts the pilot-agent process, which runs as UID=1337 GID=1337 and generates the Envoy command line and configuration file. • xDS is the gRPC-based application-layer protocol used between Envoy and the upper control plane (such as istiod) to transport configuration changes. Automatic injection and traffic interception: when a pod is created, istiod automatically modifies the deployment and injects the istio-init and istio-proxy containers into the newly created pod; when a call occurs, the iptables rules automatically intercept inbound and outbound traffic into the Envoy proxy. Threading model: in Envoy each worker thread independently handles network and timer events, with no data shared between threads, improving | 30 pages | 2.67 MB | 1 year ago
 SberBank story:
moving Istio from PoC to production - Istio 1.6 Service Mesh Operator. Lessons Learned: 1. Init containers may not be the best option: NET_RAW and NET_ADMIN; traffic failures due to init restarts (#16768). 2. Be careful with secrets rotation | 14 pages | 1.68 MB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio - service mesh enabled. Enable Istio mesh on Knative: data flow with Istio mesh/mTLS. #IstioCon. An init-container is added, which costs ~5 seconds for Knative application pod cold start. Every sidecar needs #IstioCon. With the istio CNI plugin, we can move the iptables configuration parts to CNI, but another init-container, istio-validation, is introduced. We can remove the istio-validation container by | 23 pages | 2.51 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0 - cb0b2f7c46d5ca9f4b51dedd0c9e4389b0/istioctl/cmd/revision.go#L396: tw := new(tabwriter.Writer).Init(w, 0, 0, 1, ' ', 0) tw.Write([]byte("WEBHOOK\tTAG\n")) for _, wh := range desc.Webhooks { tw.Write([]byte(fmt ... cb0b2f7c46d5ca9f4b51dedd0c9e4389b0/istioctl/cmd/revision.go#L768: tw := new(tabwriter.Writer).Init(writer, 0, 8, 1, ' ', 0) if verbose { tw.Write([]byte("REVISION\tTAG\tISTIO-OPERATOR-CR\tPROFILE\ | 55 pages | 703.94 KB | 1 year ago
Accelerate Istio-CNI with ebpf - pods into the Istio mesh. The Istio CNI plugin replaces the functionality provided by the istio-init container. #IstioCon. TCP/IP stack overhead between sidecar and service; sidecar traffic overhead | 15 pages | 658.90 KB | 1 year ago
Istio Service Mesh at Enterprise Scale - Multi-cluster Identity; Multi-region Endpoint; Istio config integrated with gitops deployment; Init modifications to prevent proxy startup race conditions. Thank You. Admiral Istio Ecosystem Project | 12 pages | 1.23 MB | 1 year ago
Developing & Debugging WebAssembly Filters - 2020. Copyright © 2020. Web Assembly lifecycle. Build: > meshctl wasm init addheader-filter --language rust > meshctl wasm build rust -t webassemblyhub.io/yuval/addheader-rust:v1 | 22 pages | 2.22 MB | 1 year ago
Istio in a production environment - svc-not-in-mesh.nav.local secrets: true accessPolicy: inbound: - name: consumer-a init-container pod apiVersion: "nais.io/v1alpha1" kind: "Application" metadata: name: app labels: | 42 pages | 3.45 MB | 1 year ago
11 results in total