Secure your microservices with istio step by step
traffic ● Authorize in mesh traffic ● Summary #IstioCon Istio Architecture Connect, secure, control, and observe services. #IstioCon Security Architecture #IstioCon Bookinfo architecture without istio-injection=disabled/enabled ) http http http http http http http Result: can access reviews-v1, reviews-v2 and reviews-v3 Access productpage #IstioCon Istio Identity Istiod Istio Agent Envoy 1. Start to send request: can access reviews-v1, reviews-v2 and reviews-v3 can reach v2 as peer-authentication only defines behavior of server side and auto-mTLS is on by default Access productpage 1) Apply
0 points | 34 pages | 67.93 MB | 1 year ago
Working with Asynchrony Generically: A Tour of C++ Executors
where, how, and when work should happen … including some standard ones: an event loop, portable access to the system execution context, nursery for spawned work4 P2300: STD::EXECUTION Proposes: • done_as_error(sender, error) → sender … commutes the done signal into an error.19 SENDER/RECEIVER CONTROL FLOW20 BASIC LIFETIME OF AN ASYNC OPERATION SCHEDULER schedule SENDER Implementation details STRUCTURED PROGRAMMING Structured control flow constructs have a single entry and a single exit, permitting them to be treated like a black box. goto is an unstructured control flow construct conditional
0 points | 121 pages | 7.73 MB | 6 months ago
Bypassing conntrack: Using eBPF to Enhance IPVS and Optimize K8s Network Performance
VIP using a load balancer • Two types • ClusterIP provides in-cluster access • NodePort provides out-of-cluster access • Major modes • Iptables • IPVS Iptables mode • How it works • DNAT at chain • Pros • Iptables is widely adopted in popular Linux distributions • Cons • O(N^2) in control plane / O(N) in data plane • Poor in scheduling algorithm • Iptables rules are difficult to debug organized in hash table • IPVS DNAT • conntrack/iptables SNAT • Pros • O(1) time complexity in control/data plane • Stably runs for two decades • Support rich scheduling algorithm • Cons • Performance
0 points | 24 pages | 1.90 MB | 1 year ago
NativeScript 101
NativeScript come to be? Swift/Obj-C Java .NET We ❤ Web. But… We need: • Better offline support • Access to all device APIs • Home screen availability • Push notifications • App monetization • App store JS/TypeScript • Angular Support (or not ?) • 100% Day 0 API Access • Everything Runs on UI Thread* • Plugins created with native code • React Support • API Access via Native Modules • UI Thread vs JS Thread • Angular/Vue/Vanilla existing skills/teams • Reuse existing libraries • Native UI (no WebView!) • Full access to device APIs • Immediate access to new OS features ? Fast to market ? Best experience Intro to NativeScript
0 points | 90 pages | 40.11 MB | 1 year ago
Implementing a Kubernetes Runtime Based on Rust-vmm
OCI Compatible Dedicated Docker Image Implementation Language Open source Hot plug Direct access to HW Required Hypervisors Backed by Runc Yes Yes Golang Yes No Yes None Docker gVisor+runsc Agent gVisor Guest Kernel OCI Gofer container container Pod Sandbox Sentry KVM/ptrace File Access OCI Implementation Limited Syscall HOST KERNEL Comparison Solution Typical with SELinux, AppArmor, Seccomp, cgroup VM-based Sandbox Kata-container BareMetal Only Heavy control logic Application kernel based Sandbox gVisor Compatibility problem, Bottleneck in sentry mVMd
0 points | 27 pages | 34.17 MB | 1 year ago
Bringing Existing Code to CUDA Using constexpr and std::pmr
(std::size_t j = 0; j < m; ++j) y[i][j] = x[i][j] + y[i][j]; } Libraries Not Under Your Control 39 |4.2.3.17. --expt-relaxed-constexpr (-expt-relaxed-constexpr) Experimental flag: Allow host constexpr/Execution Space Specifiers? 46 |Return on Investment std::pmr • Allows control over allocation of memory necessary for access by GPU. • May improve performance of your CPU code by: • Reducing the
0 points | 51 pages | 3.68 MB | 6 months ago
hazard pointer synchronous reclamation
multi-reader pointer. set HP to A if SRC == A clear HP 2 3 6 if HP != A HP Safe to delete A A 7 8 SAFE ACCESS If a hazard pointer points to an object before its removal, then the object Reclamation Beyond Concurrency TS2 – Maged Michael Protector Remover / Reclaimer Hazard pointers protect access to objects that may be removed concurrently. SAFE RECLAMATION Concurrency TS2 Essential Hazard Pointer microbenchmarking. • 2020: One user: High frequency of retiring objects. Unsharded list grew out of control. • 2020: Sharded cohorts without reclamation under lock. Fast. Scalable. Robust. Quasi-Synchronous
0 points | 31 pages | 856.38 KB | 6 months ago
Harbor Deep Dive - Open source trusted cloud native registry
API doc Replication • Multiple filters support • Schedule, immediate and manual trigger Access Control • RBAC • AD/LDAP integration Audit Log • Operations recorded for audit Distribution Policy
0 points | 15 pages | 8.40 MB | 1 year ago
Analyzing MySQL Logs with ClickHouse
MySQL Audit Logs to ClickHouse © 2018 Percona. 17 When to use MySQL Audit Logs Audit Database Access Have Limited Level of Details Allows extensive filtering by Object, User Account etc Has information ts=ON log_slow_slave_statements=ON slow_query_log_always_write_time=1 slow_query_log_use_global_control=all © 2018 Percona. 26 Clickhouse/ClickTail Setup • Install Schema • cat schema/db.sql | clickhouse-client
0 points | 43 pages | 2.70 MB | 1 year ago
Making Libraries Consumable for Non-C++ Developers
(JNI) – 1997 .NET – Platform Invoke (P/Invoke), COM interop, C++/CLI – 2002, 2005 JVM – Java Native Access (JNA) – 2007 Go – cgo – permit C in the .go source file – 2009 Swift – share a runtime and be like GCHandle and C# has fixed keyword. • Conforming JVM implementations have the option. Memory model Control of “shared” memory needs to be documented and/or agreed upon. GCs make this far more complicated
0 points | 29 pages | 1.21 MB | 6 months ago













