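Service Mesh in China
#IstioCon Service Mesh in China Jimmy Song (宋净超) Tetrate #IstioCon Agenda Developer Advocate at Tetrate; former cloud native evangelist at Ant Group; CNCF Ambassador; founder of ServiceMesher and the Cloud Native Community https://jimmysong.io • ServiceMesher: ServiceMesher is the core force promoting Service Mesh technology in China. Istio is the most popular Service Mesh implementation in China. May 2018 to present #IstioCon ServiceMesher milestones • December 2017: meetup initiated by Shurenyun (数人云), "Next-Generation Microservices: Service Mesh is Coming" • May 2018: servicemesher translation campaign for the official Istio website • March 2019: the community launched the "Istio Handbook" co-creation project. Translation -> offline exchange (experience sharing) -> original content, practice and upstream contributions #IstioCon Service Mesh Meetup • Nine offline meetups • Held in Beijing, Shanghai, Guangzhou, Shenzhen, Hangzhou and Chengdu • 38 speakers • 41 talks delivered in total. Meetup slides download: https://github
0 credits | 13 pages | 2.66 MB | 1 year ago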
Sketch a Mesh for You
0 credits | 13 pages | 2.71 MB | 1 year ago
Your laptop as part of the service mesh
#IstioCon Your laptop as part of the service mesh by Lorenzo Fundaró SRE @ Omio #IstioCon What’s on the menu today ● EnvoyFilter in practice ● Demo ● Inspiration #IstioCon Questions #istiocon request_handle:respond(response) 13 end #IstioCon Ouch! ● Your laptop is not part of the mesh club #IstioCon A dummy proxy for the mesh ● Called by Lua code ● Parses the contract header and makes http call #IstioCon call chain #IstioCon Demo time #IstioCon Thank you! ● Your laptop as part of the service mesh @ Medium ● Reference implementation and run-it-yourself-demo at github.com/omio-labs/devroute
0 credits | 30 pages | 555.24 KB | 1 year ago
Istio Service Mesh at Enterprise Scale
Joshi Istio Service Mesh at Enterprise Scale Feb, 2021 Who are we? Founded 5,000 Developers 50M Customers 1993 IPO $6.8B FY19 Revenue 20 Locations 1983 Why Service Mesh? Microservices Kubernetes Kubernetes Service Mesh Istio Monolith Era Intuit Statistics ● 900+ Teams ● 5000+ Developers ● 200+ Clusters ● 7000+ Namespaces ● ~9200 Nodes varies with autoscaling Hub and Spoke API Gateway Info ✓ Security ✓ Visibility ✓ Traffic Shaping ✘ Latency ✘ Single Point of Failure Service Mesh API Gateway Book Info Payments Product Info Proxy Proxy Proxy Proxy +
0 credits | 12 pages | 1.23 MB | 1 year ago
Service mesh security best practices: from implementation to verification
Service mesh security best practices: from implementation to verification Who are we? Anthony Roman Istio Github: anthony-roman Lei Tang Istio Github: lei-tang Session agenda 1. Service mesh security implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture ● Attack vectors. ● Service mesh security architecture and Man-In-The-Middle Denial of Service Privilege Escalation Application Compromise Control Plane Service mesh security architecture Cluster Workload Edge Operations Ingress Policies Egress Policies WAF
0 credits | 29 pages | 1.77 MB | 1 year ago
Moving large scale consumer e-commerce Infrastructure to Mesh
#IstioCon Moving large scale consumer e-commerce Infrastructure to Mesh Rajath Ramesh Principal Software Engineer @Carousell Harshad Rotithor Software Architect @Carousell #IstioCon About Carousell isolation helps reduce Istio proxy resources #IstioCon Next Steps ● Move stateful components into mesh discovery and routing ● Expose gateway services via Istio Gateway ● Towards RESTRICTED network policy
0 credits | 14 pages | 1.76 MB | 1 year ago
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
#IstioCon Extending service mesh capabilities using a streamlined way based on WASM and ORAS Wang Xining (王夕宁) | Alibaba Cloud Service Mesh (ASM) 2 Envoy’s Filter Chain Listener Downstream Filter Filter Filter Cluster Upstrea
0 credits | 23 pages | 2.67 MB | 1 year ago
Building resilient systems inside the mesh: abstraction and automation of Virtual Service generation
resilient systems inside the mesh: abstraction and automation of Virtual Service generation Vladimir Georgiev, Thought Machine #IstioCon Sync calls failures inside the mesh ● Everyone says to fail
0 credits | 9 pages | 1.04 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
is building a massive Multitenant Service Mesh using Istio Sudheendra Murthy #IstioCon Agenda ● Introduction ● Applications Deployment ● Service Mesh Journey ● Scale Testing ● Future Direction Transport Layer Security (TLS) ● Custom OpenID implementation for L7 AuthN #IstioCon Why Service Mesh? ● Current challenges include - ○ Manageability of Hardware Devices ■ Traffic Management & Security Achieving micro-segmentation at scale ○ Enabling TLS for all applications in a consistent way ● Service Mesh ○ An architectural pattern to implement common Security, Observability, Service Routing & Discovery
0 credits | 22 pages | 505.96 KB | 1 year ago
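Istio in Practice in Free Wheel Microservices
hijacks all Pod communication and is the foundation of the mesh • Pilot: provides dynamic configuration management for the proxy • Citadel: automatically maintains mTLS keys • Mixer: two groups of Mixer are deployed in k8s • Policy provides authorization, quota and similar capabilities • Telemetry provides monitoring data collection. Basic principles • Architecturally, Istio can be divided into 4 parts: • Istio Proxy: the foundation of the mesh • Network security: implementation compatible with the SPIFFE standard mechanisms. To make full use of Istio, we integrate these systems by extending Istio, in two respects: • Extending the sidecar: adding authentication support, which provides authentication for business systems and passes user-related information into the mesh as headers, so that subsequent authorization, monitoring and rate limiting can all be done with Istio's native mechanisms • Extending Mixer: selecting part of the traffic to apply the corresponding authorization logic. FreeWheel's Istio practice • The figure on the right shows the integration of FreeWheel custom authentication and Extending Mixer for authorization: implement the Handler interface. Extending Mixer for authorization: implement the Handler interface. Extending Mixer for authorization: register the Handler. Extending Mixer for authorization • Mixer directly affects the stability of the whole mesh, so any replacement must be done as safely as possible. Practice summary • k8s/etcd configuration management has performance bottlenecks: • a single resource should be kept at the thousand (k) level; once it reaches the 10k order of magnitude, responses may time out, leaving configuration reads and writes in an abnormal state and in turn affecting the stability of the whole system
0 credits | 31 pages | 4.21 MB | 1 year ago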













