by prioritising security-critical parts of Istio. We found that many of these had impressive test coverage with little to no room for improvement. We identified a few APIs in security-critical code parts }() https://github.com/is tio/istio/blob/e0110ff 89739f8dc15b69c4a 9a3c53854bb57ca1/ pkg/config/analysis/ diag/message.go#L 122 j, err := json.Marshal(mb) if err != nil { return r } json.Unmarshal(j

backwards incompatible changes ● Measuring developer efficiency ○ Test flakes ○ Feature and code coverage ● Feature promotion efficacy ● Improving overall developer experience https://istio.io/lates

Peer AuthN Policy KMS Control Plane Hardening Istio Security Releases Complete Security Coverage Consistency Depth Visibility Completeness Service mesh security best practices 2 Cluster security

component tests adds up very quickly • What happens if you do not address the problem? – Thorough test coverage can take a lot of time and effort – Realistic outcome: Just create E2E tests • What is our solution

Adaptor In process Bypass adaptor SkyWalking backend Tracing Metric Receiver in gRPC/HTTP Analysis Core Query CoreIstio telemetry Attribute Vocabulary https://istio.io/docs/reference/config/policy-and- formatTelemetry to Analysis scope • After you received the telemetry, either from Istio or Any other mesh data/control panel • Format the telemetry toObservability Analysis Language • A compile

Knative and Istio ● How Istio is leveraged in a Knative based platform ● Performance bottleneck analysis and tuning ○ Istio scalability optimization during Knative Service provisioning ○ Unleash maximum with mesh enabled (based on https://github.com/knative/serving) #IstioCon Performance bottleneck analysis and tuning • Performance Criteria: the platform has multiple shard k8s clusters, each cluster should

SkyWalking is an observability power tool that provides distributed tracing, service mesh telemetry analysis, metric aggregation and visualization for cloud-native workloads in a single platform. Leading

logfile Kubernetes console APP logfile APP logfile APP logfile Kubernetes console search &analysis Prometheus TSDB基于请求和日志的关联性改进架构 A Agent B Agent C Agent Request(Transaction ID) A(application)

○ Networking/Security offloading ● Hybrid solutions using SW-HW co-designs #IstioCon Latency Analysis ● ~3ms P90 latency added ○ Istio v1.6 ○ More for VM usage ● Hotspots ○ 1  2 ○ 3  4: 30%~50%

Pilot itself including detailed runtime information to allow for process debugging or performance analysis. This also includes potentially sensitive information that should not be accessible to anyone within