using a client-side load-balancing library + Headless Services Headless services are to us what ClusterIP services are to common people! However, our KubeDNS was not happy at all with the SRV requests headless services worse. Conclusion: We stopped using headless services and gradually migrated to ClusterIP services 46 The hell of migrating hundreds of services Adopting Istio ● Services are immutable each service migration, we need to: ○ Write the ClusterIP service equivalent ○ Make sure Istio-enabled callers update their config with the ClusterIP service ○ Keep a double standard during migration

balancer) www.my-application.com External Traffic 75% 25% POD POD POD POD S E R V I C E (ClusterIP) 75% 25% POD POD Cross-version Traffic My-data-service Service Demo-canary Service Canary my-application.com External Traffic POD POD POD POD S E R V I C E (ClusterIP) – my-data-svc POD POD S E R V I C E (ClusterIP) – demo-canary-svc ISTIO VIRTUAL SERVICE + Destination Rules ISTIO VIRTUAL

APP发出的请求被iptables拦截，并根据源信息判断为outbound被DNAT后拦截进入Envoy 15001端口 • 15001上监听器通过ORIGINAL_DST获取原始目标地址（服务的clusterIp），匹配业务监听器（不真正监听网络）地址并传递新建下游连接。 • 下游连接过滤器判断TLS，ALPN（应用协议名），HTTP版本后匹配到L4层http_connection_manager网络过滤器。