Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
RPC RPC RPC Message Message Message Cache RDB NoSQL We need to manage multiple types of layer-7 traffic in a service mesh, not just HTTP and gRPC ● RPC: HTTP, gRPC, Thrift, Dubbo, Proprietary Kafka, RabbitMQ … ● Cache: Redis, Memcached ... ● Database: mySQL, PostgreSQL, MongoDB ... ● Other Layer-7 Protocols: ... Control Plane (Traffic Management, Security, Observability) #IstioCon What Do We Expect From a Service Mesh? To separate infrastructure operations and management from application code, we need layer-7 traffic management capabilities: ● Routing based on layer-7 header ○ Load balancing at request level ○ HTTP host/header/url/method, ○ Thrift service name/method
0 credits | 29 pages | 2.11 MB | 1 year ago
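13 Istio Traffic Management Principles and Protocol Extension, Zhao Huabing
Istio Traffic Management Principles and Protocol Extension, Zhao Huabing. Zhao Huabing, Tencent Cloud, Service Mesh Team https://zhaohuabing.com Service Mesh Service Mesh Layer A cloud-native infrastructure layer that handles service-to-service communication (mainly layer-7 communication): Service Mesh abstracts the layer-7 communication functions that each service originally implemented with an SDK and implements them in a dedicated layer. Service Mesh is transparent to applications, so applications Traffic control: service discovery, request routing, load balancing, canary release, retry on error, circuit breaker, fault injection Observability: telemetry data, call tracing, service topology Communication security: service identity authentication, access authorization, communication encryption Proxy Application Layer Service 1 Istio Traffic Management – Overview • Control plane pushes traffic rules: Pilot • Standard data-plane protocol: xDS • Pod traffic in and out within the cluster: Sidecar Proxy • Entry point for traffic from outside the cluster: Ingress Circuit Breaker – Layer-4 routing (IP + Port) – Layer-4 metrics (number of TCP packets sent and received, etc.) IP Header TCP Header Layer 7 Protocol Header Layer 7 Protocol Data Istio supports a very limited set of layer-7 protocols: HTTP 1.1, HTTP2, gRPC. Other protocols can only be handled at layer 4 (control-plane support for Thrift, Redis and other layer-7 protocols is very limited)
0 credits | 20 pages | 11.31 MB | 6 months ago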
Apache Kafka with Istio on K8s
fly certificate renewal • Kafka listeners configured in PLAINTEXT mode Security layer provided by Istio 8 Security layer provided by Istio 9 • Kafka does not process client certificate in PLAINTEXT authentication with Istio 11 Kafka client authentication with Istio 12 • Istio provides a security layer for workloads in a uniform way • Envoy WASM filters open the gates for a whole array of useful
0 credits | 14 pages | 875.99 KB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
control on top ○ Provides independent streams ■ Extremely similar to HTTP/2, but in transport layer ● Improvements ○ TCP head of line blocking ○ Faster handshakes ○ Earlier data ○ Connection-ID ● CapEx, OpEx #IstioCon RDMA (Remote Direct Memory Access) ● Advance transport protocol (same layer as TCP and UDP) ● Main features ○ Remote memory r/w semantics in addition to send/receive ○ Kernel
0 credits | 50 pages | 2.19 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
10 Istio Security Audit, 2023 Threat model Istio is a service mesh which is an infrastructure layer applicable to software applications. Istio is platform and language agnostic, but is often used on top 273 274 275 gr, err := gzip.NewReader(r) if err != nil { return nil, fmt.Errorf("failed to parse layer as tar.gz: %v", err) } // The target file name for Wasm binary. // https://github.com/solo-io
0 credits | 55 pages | 703.94 KB | 1 year ago
Moving large scale consumer e-commerce Infrastructure to Mesh
Envoy ● Internet egress using NAT gateway #IstioCon Motivation ● Reliability of central proxy layer (HAProxy/Envoy) ● More control over load balancing ● Offload application services from networking
0 credits | 14 pages | 1.76 MB | 1 year ago
IstioCon 2021 Report
Chinese 51 sessions presented in English 3 Workshops covering the topics “Using Istio” (by Layer5), “Istio multiclusters” (by Solo.io), and “Istio cookbook using Kiali” (by RedHat). Office
0 credits | 18 pages | 912.89 KB | 1 year ago
Using Istio to Build the Next 5G Platform
certificate lifecycle management at scale What Do You Get From Istio? Traffic Management Powerful Layer 7 (HTTP/2) routing 8 ©2021 Aspen Mesh. All rights reserved. Architecture Options 9 ©2021 Aspen
0 credits | 18 pages | 3.79 MB | 1 year ago
Service mesh security best practices: from implementation to verification
Verify Security Lifecycle Concepts Secure Monitor Enforce Verify Deploy comprehensive multi-layer security mechanisms. Enforce that the security mechanisms are not tampered. Verify that the security
0 credits | 29 pages | 1.77 MB | 1 year ago
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
json:application/vnd.module.wasm.config.v1+json example-filter.wasm:application/vnd.module.wasm.content.layer.v1+wasm ○ Wasm Artifact image specification reference ■ https://github.com/solo-io/wasm/blob/master/spec/README.md ■ https://istio
0 credits | 23 pages | 2.67 MB | 1 year ago