Is Your Virtual Machine Really Ready-to-go with Istio?
  isolation (of resources, fault domains etc.) ■ Compatibility (non-Linux, unikernels) ○ Business reasons ■ Legacy applications ■ Deterministic workloads with strong requirements ● For Istio ○ What is Istio … Use Cases #IstioCon Legacy Scenarios ● Stateful applications ○ Data store ● Legacy software ○ Financial services ○ Enterprise/Workshop applications ○ Hard to lift and shift ● Packaged software
  50 pages | 2.19 MB | 1 year ago

宋净超, From Open-Source Istio to Enterprise-Grade Services: How to Adopt a Service Mesh in the Enterprise
  mesh: 100+ Kubernetes cluster ● VM integration ● On-prem, AWS, Azure, GCP, OpenShift ● 10000+ core business apps ● Plan to move to public cloud in 18 months ● Using F5 to distribute traffic at the DMZ
  30 pages | 4.79 MB | 5 months ago

How HP set up secure and wise platform with Istio
  #IstioCon Common services are in core cluster … Projects shared solution cluster • Different namespace • Project runs as tenant, need control rights … Solution cluster connect core cluster with Istio multi-cluster … multi-cluster - Replicated control planes … Some standalone cluster without Istio can access core cluster also, as tenant. … HP Horizon Platform Connect With Istio #IstioCon Secure Platform • JWT Verify … observability of service behavior, empowering operators to troubleshoot, maintain, and optimize their applications – without imposing any additional burdens on service developers. Through Istio, operators gain
  23 pages | 1.18 MB | 1 year ago

Istio Security Assessment
  for accounts with access to only specific namespaces to surreptitiously intercept the traffic of applications from other namespaces that they do not otherwise have any access to. Reproduction Steps 1. Configure … traffic leaves the mesh bypassing the egress gateway.” [8] This means that Istio alone cannot provide some core security controls and the documentation suggests that additional mitigations, such as a network … ns/admin#post--quitquitquit [11] https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/core/address.proto#core-pipe … 29 | Google Istio Security Assessment, Google / NCC Group Confidential … Finding DestinationRules
  51 pages | 849.66 KB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
  Threat model: Istio is a service mesh which is an infrastructure layer applicable to software applications. Istio is platform and language agnostic, but is often used on top of Kubernetes. It offers users … memory-unsafe implementation issues such as buffer overflow and use-after-free issues. Envoy - which plays a core role in the Istio service mesh - is implemented in C++ and memory-corruption issues can therefore … policies to the proxies and checks whether the policy of each proxy is up to date. Authentication has two core features in Istio: 1. Peer authentication: used for service-to-service authentication to verify the
  55 pages | 703.94 KB | 1 year ago

Istio is a long wild river: how to navigate it safely
  and 40 MB memory / 1000 RPS 56 ● What do we want when implementing Istio? ○ Added value to the business ○ Reliable performance ○ Reasonable cost … Istio proxy performance and capacity … Adopting Istio
  69 pages | 1.58 MB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
  Multitenant Service Mesh using Istio, Sudheendra Murthy #IstioCon Agenda ● Introduction ● Applications Deployment ● Service Mesh Journey ● Scale Testing ● Future Direction #IstioCon Introduction: Number of Sellers worldwide 1.7B Number of Live Listings $26.6B GMV in Q4 2020 #IstioCon eBay Applications eBay is powered by ● More than 5,000 Microservices ranging from ○ API services, Search Engine … including prod, pre-prod, staging, etc. ● Applications deployment for HA ○ In all regions ○ In multiple AZs in each region ○ Capability to run all applications from a single region or AZ in a worst-case
  22 pages | 505.96 KB | 1 year ago

Observability and Istio Telemetry
  Adaptor In process … Bypass adaptor … SkyWalking backend Tracing Metric Receiver in gRPC/HTTP Analysis Core Query Core … Istio telemetry Attribute Vocabulary https://istio.io/docs/reference/config/policy-and- … service for incoming requests, such as HTTP URI path or gRPC service class + method signature. Core Concepts … Istio telemetry format … SkyWalking native telemetry format … Telemetry to Analysis scope … https://github.com/apache/incubator-skywalking-query-protocol … Ecosystem powered by GraphQL and SkyWalking core • Open source UI project for SkyWalking • https://github.com/TinyAllen/rocketbot … ServiceMesher WeChat official account
  21 pages | 5.29 MB | 5 months ago

Accelerate Istio-CNI with ebpf
  Share collected information and to store state ● Accessed from eBPF programs as well as from applications in user space #IstioCon Work Flow of Acceleration ● Attach SOCK_OPS program to global cgroup
  15 pages | 658.90 KB | 1 year ago

Accelerate Istio with ebpf
  Knowledge map ● Share collected information ● Accessed from eBPF programs as well as from applications in user space ● Map type o HASHMAP o SOCKHASH: Hold socket as value … Istio Meetup China ebpf
  15 pages | 591.60 KB | 1 year ago
17 results in total