Ingress gateway MEM has linear growth, and it consumes ~=750k for 1 Knative Service (#25145). The envoy mem release fix included in Istio 1.6.0+ resolved this issue. o Istiod MEM bumped with large numbers in some of the ingress gateway and recover automatically after ~30mins or restart Istiod. o From envoy logs, transient 503 UH "no healthy upstream" errors. o From Grafana dashboard, Pilot Pushes shows scalability issue #IstioCon o Radom peaks are fixed in istio 1.7.1 (istio #23029, envoyproxy #13037) o envoy still suffers from overload of XDS pushes in a high churn environment. Istio scalability optimization

between sidecar and service ● Background knowledge of ebpf ● Acceleration for Inbound/Outbound/Envoy to Envoy #IstioCon Istio-CNI ● The Istio CNI plugin performs the Istio mesh pod traffic redirection between sidecar and service Overhead sidecar traffic from 3 scopes ● Inbound ● Outbound ● Envoy to Envoy(same host) #IstioCon Dataflow After Acceleration(same host) #IstioCon ebpf Background distinguish socket from different network namespace #IstioCon Outbound Acceleration #IstioCon Envoy to Envoy Acceleration(same host) #IstioCon Performance Comparison #IstioCon Thank you!

ds-2020/ #IstioCon Impact on users https://thenewstack.io/when-service-meshes-can-emerge-from-envoy-istio-shadows/ #IstioCon Listening to our users UX Working Group - Upgrade Survey 2020 #IstioCon integration ○ Kubernetes Service APIs ○ Kubernetes Multi-cluster APIs ● Adopt & drive innovation in Envoy community ○ Delta xDS ○ HTTP2 tunnels https://istio.io/latest/blog/2020/tradewinds-2020/ #IstioCon

it all scale …? ● Extensive Data-plane & Control-plane scale testing ● Data-plane performance of Envoy is well documented ● Control-plane scale testing ○ Primary Goal ■ Understand Istio control-plane etc. params of Istio Pilot #IstioCon Future Direction ● Support for on-demand config pushes to Envoy via Incremental XDS ● Support for multiple trust domains & namespace isolation natively in Istio

cluster.local 2. Cached DNS response – 10.4.4.4 DNS queries to the system configured name servers. Envoy does not use the agent’s DNS cache. http req to 10.4.4.4 GET /status/200 httpbin.ns1.svc.cluster ○ Less engineering effort ○ Particularly valuable for some VM user scenarios ● Limitations ○ Envoy QUIC support in early stages ■ Security ● Both the downstream and upstream need to be trusted ■

minutes. But in the same amount of time, you may still be learning how to write filters rules for Envoy. #IstioCon Easy to extend ● NGINX + Lua ● multi-language plugins #IstioCon How to implement