Istio Security Assessment
... allowing inbound and outbound access of Istio services.
• Istio Envoy Usage: the configuration and implementation of Envoy within Istio (NOTE: Envoy itself was not part of the assessment).
• The Istio control interface exposes unnecessary services and is accessible to anyone within a default cluster.
• The Envoy Proxy admin port is exposed via the Istio sidecar and would allow a malicious workload to override ...
... branch up to July 15th, 2020. Commit: 7353c84b560fd469123611476314e4aee553611d
istio/proxy: Istio Envoy Proxy code in the master branch up to July 15th, 2020. Commit: c51fe751a17441b5ab3f5487c37e129e44eec8230
码力 | 51 pages | 849.66 KB | 1 year ago
OpenShift Container Platform 4.8 Service Mesh
1.18. Connecting service meshes; 1.19. Extensions; 1.20. Using the 3scale WebAssembly module; 1.21. Using the 3scale Istio adapter; 1.22. Troubleshooting Service Mesh; 1.23. Troubleshooting the Envoy proxy; 1.24. Service Mesh control plane configuration reference; 1.25. Kiali configuration reference; 1.26. Jaeger configuration reference; 1.27. Uninstalling Service Mesh
... and later versions.
1.2.2.1.1. Component versions included in Red Hat OpenShift Service Mesh 2.2.3: Istio 1.12.9, Envoy Proxy 1.20.8, Jaeger 1.36, Kiali 1.48.3
1.2.2.2. New features in Red Hat OpenShift Service Mesh 2.2.2
1.2.2.2.1. Component versions included in Red Hat OpenShift Service Mesh 2.2.2: Istio 1.12.7, Envoy Proxy 1.20.6, Jaeger 1.36, Kiali 1.48.2-1
1.2.2.2.2. Copying route labels: in this release, in addition to copying annotations, you can also copy specific labels to OpenShift routes. Red ...
码力 | 344 pages | 3.04 MB | 1 year ago
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
Wang Xining | Alibaba Cloud Service Mesh (ASM)
Envoy's filter chain: Listener, Downstream, Filter, Filter, Filter, Cluster, Upstream; Filter Chain: extending with a custom filter
Envoy filters used in the worked example: listener on port 9080; envoy.filters.network.metadata_exchange; envoy.http_connection_manager; Cluster: the Productpage service; Filter Chain: envoy.filters.http.wasm/envoy.wasm ...
istio-proxy: curl localhost:15000/config_dump
envoy.filters.http.cors; envoy.filters.http.fault; envoy.filters.http.router; envoy.filters.http.wasm/envoy.wasm.stats; envoy.filters.http.wasm/xxx-wasmfilter
码力 | 23 pages | 2.67 MB | 1 year ago
Preserve Original Source Address within Istio
... here can be load balancers like envoy/haproxy/nginx which have already supported proxy protocol.
#IstioCon Istio traffic flow, inner cluster: svcA (Pod1: 10.244.0.20) -> envoy -> envoy -> svcB (Pod2: 10.244.0.25)
... flow, ingress: ELB ingress (EIP: 192.168.1.100) -> ingress gateway (Pod1: 10.244.0.19) -> envoy -> envoy -> svcB (Pod2: 10.244.0.25); Dest: 127.0.0.1, Src: 127.0.0.1
What does envoy provide? The original source filter "envoy.filters.listener.original_src": the original source listener filter replicates the downstream remote address of the connection on the upstream side of Envoy. For example, if a downstream ...
码力 | 29 pages | 713.08 KB | 1 year ago
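The listener filter named in the talk, as an added example that is not part of the talk's material: a minimal static Envoy bootstrap that proxies a TCP listener to svcB and keeps the downstream source IP on the upstream connection. The listener port, the fwmark value 123, the cluster name and the upstream port are assumptions; the svcB address 10.244.0.25 is taken from the talk's traffic-flow diagram.

```yaml
# Added example (not from the talk): original_src in a static Envoy config.
# Assumed values: listener port 15001, fwmark 123, upstream svcB at 10.244.0.25:8080.
static_resources:
  listeners:
  - name: inbound_tcp
    address:
      socket_address: { address: 0.0.0.0, port_value: 15001 }
    listener_filters:
    # Replicates the downstream remote address as the source of the upstream socket.
    - name: envoy.filters.listener.original_src
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.original_src.v3.OriginalSrc
        # SO_MARK applied to the upstream socket; host routing (below) keys on it so
        # replies to the spoofed source address come back through Envoy.
        mark: 123
    filter_chains:
    - filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: original_src_tcp
          cluster: svcB
  clusters:
  - name: svcB
    connect_timeout: 1s
    type: STATIC
    load_assignment:
      cluster_name: svcB
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 10.244.0.25, port_value: 8080 }
# Host side (run as root on the node carrying Envoy, before starting the proxy):
#   ip rule add fwmark 123 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
# Envoy needs CAP_NET_ADMIN to set the mark and bind a non-local source address.
```

Run it with `envoy -c original-src.yaml`. Without the two routing rules the upstream's replies are addressed to the real downstream IP and never reach Envoy, so the TCP session stalls after the SYN; that asymmetric-routing trap is the caveat the filter documentation warns about, and it is why the filter is usually paired with a mark-based policy route rather than used on its own.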
Istio is a long wild river: how to navigate it safely
... during pod deletion.
To prevent it, we need to make sure that: 1. Envoy is started before any other container in a pod; 2. Envoy is stopped after any other container in a pod.
Kubernetes shortcomings ... goal.
Workaround: use postStart and preStop lifecycle hooks (Stabilizing Istio)
1. Ensure that Envoy is started before any other container in a pod: use a `postStart` lifecycle hook in the istio-proxy ... true
2. Ensure that Envoy is stopped after any other container in a pod: use a `preStop` lifecycle hook in the istio-proxy ...
码力 | 69 pages | 1.58 MB | 1 year ago
Accelerate Istio with eBPF
... overhead: all the application data goes via the sidecar (Envoy); all the data passes the TCP/IP stack three times: inbound, outbound, and Envoy to Envoy (same host).
Istio Meetup China
Dataflow after acceleration (same ... PILOT_ENABLE_INBOUND_PASSTHROUGH
Outbound acceleration; Envoy to Envoy acceleration (same host); deploying eBPF
Performance comparison: ... Istio benchmarking tool; two pods run on the same node. Configuration: mTLS enabled; number of Envoy workers: 2; response payload size: 1 KB. Latency: 11-17% improvement.
Summary
码力 | 15 pages | 591.60 KB | 1 year ago
Local Istio Development
#IstioCon Plain Envoy: envoy -c envoy-config.yaml
+ Fastest; the bottleneck is typing speed. + No Istio dependency; great for minimal Envoy bug reproductions. + Great for rapid iteration of Envoy options. - Very different from the production environment. - May be challenging to reproduce Istio configurations.
Direct clients: grpcurl localhost:15012 ... StreamAggregatedResources
+ Fastest ... + No Envoy dependency. + Complete control over requests. - Very different from the production environment. - May ...
码力 | 16 pages | 424.31 KB | 1 year ago
Developing & Debugging WebAssembly Filters
... plane. Copyright © 2020
Extend Envoy Proxy with a filter. Develop: Envoy filters are written in C++. Build: need to recompile and maintain a build of Envoy. EXTERNAL AUTH, RATE LIMITING, ROUTER, Custom Envoy Filter
WebAssembly: portable, secure, fast, any language, outside the web
Extend Envoy Proxy with WebAssembly (Wasm). Polyglot: Envoy filters dynamically update without Envoy restarts, no hard dependencies or cascading failures. Speed: near-native performance. Sustainable: eliminates the need to recompile and maintain a build of Envoy. EXTERNAL AUTH, RATE ...
码力 | 22 pages | 2.22 MB | 1 year ago
IstioMeetupChina: service mesh hot upgrade technology sharing
• Hot upgrade in practice (catalog)
• Envoy hot restart: start a new instance with epoch + 1 to trigger the hot restart; the listen sockets are transferred to the new instance; the old instance drains and no longer accepts new requests; once draining ends the old instance exits and the hot restart is complete.
References: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overvi ations/hot_restart ; https://blog.envoyproxy.io/envoy-hot-restart-1d16b14555b5
Implementing hot upgrade: sidecar lifecycle management capability; start two sidecars so that the Envoy hot restart's drain phase, in which two instances coexist, can run; control the image replacement throughout the hot upgrade flow.
... a stronger lifecycle management component: inject two containers into a pod that needs hot upgrade (Sidecar & Empty); support managing the sidecar container's lifecycle during the hot upgrade.
Implementing hot upgrade: negotiation of Envoy hot restart parameters.
码力 | 14 pages | 2.25 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
... project from memory-unsafe implementation issues such as buffer overflow and use-after-free issues. Envoy, which plays a core role in the Istio service mesh, is implemented in C++, and memory-corruption ... ISTIO-SECURITY-2019-007, which was a security vulnerability in Istio whose root cause was a heap buffer overflow in Envoy. Istio is vulnerable to other types of implementation issues in the Go programming language such as ...
... connection between services and forms a series of proxies deployed as sidecars. The proxies consist of Envoy proxies and an Istio agent and manage network traffic between microservices. The control plane is ...
码力 | 55 pages | 703.94 KB | 1 year ago
49 results in total.