Istio Meetup China: Service Mesh Security, Understanding Istio CNI
Snippet: ... distributed tracing, service mesh telemetry analysis, metric aggregation and visualization for cloud-native workloads in a single platform. Leading Cloud Native ... Varun Talwar, Co-founder/CEO, Co-creator ... Zhou, Envoy Senior Maintainer ... Sheng Wu, Creator, SkyWalking ... Agenda: CNI and Networking basics; Introduction to Istio Networking and CNI; Race Condition issues in istio CNI during Node bootstrap; Community Daemonset (Calico, Antrea, Flannel); Istio CNI Networking lifecycle (Istio Init): Start istio init container in workload; Istiod watch updates & start networking sidecar proxy; init container update iptable ...
19 pages | 3.17 MB | 1 year ago
SberBank story: moving Istio from PoC to production
Snippet: ... Further Steps • Multi-cluster Discovery for OCP & Kubernetes • Multi-cluster Service Topology • Cloud-Native Event Hub • Full Support for VM-Based Workloads • UX Simplification ... CONTACT US: Head of integration ...
14 pages | 1.68 MB | 1 year ago
Istio Security Assessment
Snippet: ... service running within the istiod service that handles service discovery. • Istio Ingress/Egress: Networking controls allowing inbound and outbound access of Istio services. • Istio Envoy Usage: The configuration ... kubectl -n test apply -f the samples/bookinfo/platform/kube/bookinfo.yaml and samples/bookinfo/networking/bookinfo-gateway.yaml configurations 4. Using the restricted user, kubectl -n restrict-test apply the following configuration: apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: evil-bookinfo spec: hosts: ... 2 https://istio ...
51 pages | 849.66 KB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Snippet: ... in each Region ● AZ: One or more Availability Zones in each DC ○ Independent power, cooling, networking, etc. ● PoP: 20+ Points of Presence, locations across globe peering with the Internet closer ... gateways: - apiVersion: networking.istio.io/v1beta1 kind: Gateway spec: ... virtualServices: - apiVersion: networking.istio.io/v1beta1 kind: VirtualService ... destinationRules: - apiVersion: networking.istio.io/v1beta1 kind: DestinationRule spec: ... serviceEntries: - apiVersion: networking.istio.io/v1beta1 ...
22 pages | 505.96 KB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
Snippet: ... w/o requiring intermediate Gateway ■ Multiple networks ● all goes through the Gateway ● via L3 networking (if enhanced performance is desired) #IstioCon Demo #IstioCon Istio VM integration seems closer ... multi-vendor services ○ End-to-end security! (not just between middle boxes) ● High performance networking ○ Much higher multi-Gbps peak data speeds ○ Ultra low latency ○ And of course, reduced overheads ... first-class support for VM ● Multiple Networks ○ All traffic goes through the Gateway ○ Need to set up L3 networking if enhanced performance is desired ● Overheads introduced ● No high performance data path support ...
50 pages | 2.19 MB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
Snippet: ... service mesh enabled ● Reference ... Agenda #IstioCon Knative and Istio: Istio is the default networking layer solution of Knative. It is leveraged for ... Net-istio is a Knative ingress controller for ... blue/green deployment ... How Istio is leveraged in a Knative based platform: 90% / 10% apiVersion: networking.istio.io/v1beta1 kind: VirtualService spec: gateways: - knative-serving/knative-ingress-gateway ... vCPU 2 vCPU 2 Gi 4 Gi Y, min=3, max=20 | Istiod 1 vCPU 1 vCPU 2 Gi 4 Gi Y, min=3, max=6 | Knative Networking-istio 30m 80Mi 900m 2 Gi N ... #IstioCon Istio scalability optimization during Knative Service provisioning ...
23 pages | 2.51 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
Snippet: ... About me: Raphael Fraysse, @la1nra (Twitter), Github / @lainra, Tech Lead, Networking, Mercari, Inc. ... Today's agenda ● Istio at Mercari ● Stabilizing Istio ● Adopting Istio ... Stabilizing Istio ● Dedicated resources for it (the more the better) ● A good in-house knowledge of networking: Linux, Kubernetes and Envoy ● Be patient and resist the temptations from users to open features ... exposure of mesh configuration to a specific proxy, based on namespace or labels. apiVersion: networking.istio.io/v1beta1 kind: Sidecar metadata: name: default namespace: mercari-echo-jp-dev spec: ...
69 pages | 1.58 MB | 1 year ago
Jimmy Song (宋净超): From Open-Source Istio to Enterprise Services: How to Roll Out a Service Mesh in the Enterprise
Snippet: ... Enterprise Service Mesh, Jimmy Song (宋净超), September 24, 2022, Shanghai, China. Cloud Native Application Networking: Secure, Observe and manage microservices. Outline ● Background ● Enterprise Service Mesh: Tetrate ... a developer building and operating an application. Why is Istio? TSB: The Application-Aware Networking Platform. Istio: Control Plane; Tetrate Service Bridge: Management Plane; Envoy: Data Plane; Workload ...
30 pages | 4.79 MB | 6 months ago
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
Snippet: ... ASMFilterDeployment CR example ● Create an ASMFilterDeployment Custom Resource ... Generated Istio EnvoyFilter resource (1): apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: .... spec: configPatches: - applyTo: HTTP_FILTER match: ... workloadSelector: labels: app: productpage version: v1 ... Generated Istio EnvoyFilter resource (2): apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: .... spec: configPatches: - applyTo: HTTP_FILTER match: ...
23 pages | 2.67 MB | 1 year ago
Secure your microservices with istio step by step
Snippet: ... with the cert you specified, common if you want to TLS with a service outside the mesh: apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: reviews spec: host: reviews trafficPolicy: ... Service ● AUTO_PASSTHROUGH: pass through the TLS traffic purely using SNI without VS: apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: bookinfo-gateway spec: selector: istio: ...
34 pages | 67.93 MB | 1 year ago
17 results in total