#IstioCon Service Mesh in China 宋净超（Jimmy Song） Tetrate #IstioCon Agenda Developer Advocate at Tetrate 前蚂蚁集团云原生布道师 CNCF Ambassador ServiceMesher 及云原生社区创始人 https://jimmysong.io • ServiceMesher #IstioCon ServiceMesher 是在中国推广 Service Mesh 技术的核心力量。 Istio 是中国最流行的 Service Mesh 实现。 2018 年 5 月至今 #IstioCon ServiceMesher 大事记 • 2017 年 12 月，由数人云发起的 meetup，下一代微服务： Service Mesh is Coming • 2018 年 5 月，servicemesher Istio 官网翻译活动 • 2019 年 3 月，社区发起了《Istio Handbook》共创活动 翻译 -> 线下交流（经验分享）->原创、实践与上游贡献 #IstioCon Service Mesh Meetup • 九届线下 meetup • 走过北京、上海、广州、深圳、杭州、成都 • 38 位讲师 • 共发表 41 场演讲 Meetup PPT 下载： https://github

#IstioCon Your laptop as part of the service mesh by Lorenzo Fundaró SRE @ Omio #IstioCon What’s on the menu today ● EnvoyFilter in practice ● Demo ● Inspiration #IstioCon Questions #istiocon request_handle:respond(response) 13 end #IstioCon Ouch ! ● Your laptop is not part of the mesh club #IstioCon A dummy proxy for the mesh ● Called by Lua code ● Parses the contract header and makes http call #IstioCon the call chain #IstioCon Demo time #IstioCon Thank you ! ● Your laptop as part of the service mesh @ Medium ● Reference implementation and run-it-yourself-demo at github.com/omio-labs/devro

Joshi Istio Service Mesh at Enterprise Scale Feb, 2021 Who are we? Founded 5,000 Developers 50M Customers 1993 IPO $6.8B FY19 Revenue 20 Locations 1983 Why Service Mesh? Microservices Microservices Kubernetes Service Mesh Istio Monolith Era Intuit Statistics ● 900+ Teams ● 5000+ Developers ● 200+ Clusters ● 7000+ Namespaces ● ~9200 Nodes varies with autoscaling Hub and Spoke API Product Info ✓ Security ✓ Visibility ✓ Traffic Shaping ✘ Latency ✘ Single Point of Failure Service Mesh API Gateway Book Info Payments Product Info Proxy Proxy Proxy Proxy +

Anthony Roman, Lei Tang Google April 26, 2022 Service mesh security best practices: from implementation to verification Who are we? Anthony Roman Istio Github: anthony-roman Lei Tang Istio Session agenda 1. Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture architecture ● Attack vectors. ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster

#IstioCon Extending service mesh capabilities using a streamlined way based on WASM and ORAS 王夕宁 | 阿里云服务网格ASM 2 Envoy’s Filter Chain Listener Downstre am Filter Filter Filter Cluster Upstrea Controller (Watch & Reconcile) Istio EnvoyFilter CR wasm filter二进 制文件 服务网格ASM Pod K8s集群 Proxy Service A Volume 挂载 Envoy配置 17 ASMFilterDeployment CR示例 ● 创建ASMFilterDeployment Custom Resource 18

resilient systems inside the mesh: abstraction and automation of Virtual Service generation Vladimir Georgiev, Thought Machine #IstioCon Sync calls failures inside the mesh ● Everyone says to fail All Service Owners must be aware of the Virtual Services API in order to define their SLOs. ● Potential typing errors when dealing with YAMLs. ● Potential drift between the state of the service API API and the Virtual Service config. ● Hard to manage when having hundreds of services. #IstioCon Abstracting to proto files Annotations API definition Greeting service example #IstioCon Please Build

eBay is building a massive Multitenant Service Mesh using Istio Sudheendra Murthy #IstioCon Agenda ● Introduction ● Applications Deployment ● Service Mesh Journey ● Scale Testing ● Future Direction catering to the AZ, e.g., AZ IPAM, Network Load-balancers, etc. ■ Full isolation by confining service failures to AZ boundary AZ 1 AZ 2 AZ n Data Center DC1 K8s Cluster K8s Cluster K8s balancing & Traffic Flow ● Two tiers of hardware Load-Balancers (LB) ● Application-Tier LB ○ K8s service realized on Application-Tier LBs ● Web-Tier LB to control - ○ Percentage of traffic sent to an

#IstioCon Moving large scale consumer e-commerce Infrastructure to Mesh Rajath Ramesh Principal Software Engineer @Carousell Harshad Rotithor Software Architect @Carousell #IstioCon About Carousell traffic ● gRPC for inter-service traffic ● Around 100+ microservices ● Majority of services written in Go #IstioCon Architecture Overview - Discovery and Routing ● Service Discovery and Configuration routing/load balancing ● Improve performance and resilience ● Stricter zonal routing ● Capability for service authentication and authorisation ● Improved Observability ● Extendable to multi-region setup #IstioCon

Istio scalability optimization during Knative Service provisioning ○ Unleash maximum scalability by fully leveraging Istio features in Knative with service mesh enabled ● Reference Agenda #IstioCon Knative an Ingress Gateway • By default, Knative does not enable service mesh, it uses Istio as an Ingress Gateway. • Enable Secret Discovery Service (SDS) to monitor and mount secrets under istio-system to ingress and knative-local-gateway for cluster local access. They use Istio gateway service istio-ingressgateway as its underlying service. Knative Activator or Application Front door design #IstioCon - Traffic