Local Istio Development
#IstioCon Local Istio Development John Howard / @howardjohn / Google #IstioCon Fully Cloud docker push kubectl apply docker pull #IstioCon Fully Cloud docker push kubectl apply docker pull requests #IstioCon Thank you! For more information: ● https://github.com/howardjohn/local-istio-development
16 pages | 424.31 KB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
based, large-scale serverless platform with Istio 张龚, Gong Zhang, IBM China Development Lab 庄宇, Yu Zhuang, IBM China Development Lab #IstioCon Speakers Gong (Grace) Zhang, zhanggbj@cn.ibm.com, twitter enabled • Enable Istio mesh on Knative – Impact without optimization #IstioCon o With istio CNI plugin, we can move the iptables configuration parts to CNI. But another init-container, the istio-validation injection template. Mitigations: o When adding new worker node, make sure daemonset pod of istio CNI plugin is up and running before knative pods scheduling on the node. o Crontab job could help to detect
23 pages | 2.51 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
m/httpfetcher.go#L138 // wasm plugin should be the only file in the tarball. func getFirstFileFromTar(b []byte) []byte { buf := bytes https://github.com/solo-io/wasm/blob/master/spec/spec-compat.md#specification const wasmPluginFileName = "plugin.wasm" // Search for the file walking through the archive. tr := tar.NewReader(gr) for { h, err crypto/tls documentation: “In this mode, TLS is susceptible to machine-in-the-middle attacks unless custom verification is used. This should be used only for testing or in combination with VerifyConnection
55 pages | 703.94 KB | 1 year ago

Istio is a long wild river: how to navigate it safely
Istio PoC Sep 2019 First release in production Feb 2021 ~25% production services ~50% development services migrated to Istio End of 2021 100% services migrated to Istio 8 Features isolation is enabled. 34 The Sidecar CRD to save the mesh Stabilizing Istio The Sidecar CRD (Custom Resource Definition) allows to control the exposure of mesh configuration to a specific proxy, based /* - istio-system/* 35 The Sidecar CRD to save the mesh Stabilizing Istio The Sidecar CRD (Custom Resource Definition) allows to control the exposure of mesh configuration to a specific proxy, based
69 pages | 1.58 MB | 1 year ago

Istio Security Assessment
trols), one such isolation scheme could be implemented with ValidatingAdmissionWebhooks that introduce custom access control checks to prevent users from directly accessing sidecar proxy binding secrets, and security area to which those findings belong. This can help organizations identify gaps in secure development, deployment, patching, etc. Access Controls Related to authorization of users, and assessment gid=1337(istio-proxy) groups=1337(istio-proxy) kind: ConfigMap apiVersion: v1 metadata: name: custom-envoy-config data: envoy.yaml: | admin: access_log_path: /dev/null address: pipe: path: "@testenvoy"
51 pages | 849.66 KB | 1 year ago

Accelerate Istio-CNI with ebpf
of ebpf ● Acceleration for Inbound/Outbound/Envoy to Envoy #IstioCon Istio-CNI ● The Istio CNI plugin performs the Istio mesh pod traffic redirection in the Kubernetes pod life-cycle’s network setup NET_ADMIN and NET_RAW capabilities for users deploying pods into the Istio mesh. ● The Istio CNI plugin replaces the functionality provided by the istio-init container. #IstioCon Tcp/ip stack overhead
15 pages | 658.90 KB | 1 year ago

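Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
Demo: Dubbo protocol support ● Dubbo2Istio connects to Dubbo service registries, supporting: ○ ZooKeeper ○ Nacos ○ Etcd ● The Aeraki Dubbo Plugin implements control-plane management and supports the following capabilities: ○ Traffic management: ■ Layer-7 (request-level) load balancing ■ Locality-aware load balancing ■ Circuit breaking ■ Version-based routing ■ Method-based routing ■ Based on support for a new layer-7 protocol ● Add RDS capability for layer-7 protocols such as Dubbo, Thrift, and so on #IstioCon MetaProtocol: control plane Traffic management rules are delivered on the control plane through the Aeraki MetaProtocol Plugin: 1. Aeraki obtains ServiceEntry from Istio and determines the protocol type from the port name (e.g. tcp-metaprotocol-thrift) 2
29 pages | 2.11 MB | 1 year ago
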
IstioCon2023 Welcome Keynote
sail What about the rest of the boat? Upcoming Talks: Aperture - Load Management Meshery - WASM plugin management Argo - Multi-cluster orchestration JP Morgan SLO Generation Reflecting on the Value
14 pages | 1.31 MB | 1 year ago

Developing & Debugging WebAssembly Filters
recompile and maintain a build of Envoy EXTERNAL AUTH RATE LIMITING ROUTER UPSTREAM CUSTOM gRPC TRANSCODER Build Custom Envoy Filter 6 | Copyright © 2020 Portable Secure Fast Any Language Outside
22 pages | 2.22 MB | 1 year ago

Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
API tests to identify problems Iterate • Fix bugs • Repeat Testing starts late in the API development process. That’s not good!! | CONFIDENTIAL Start testing earlier Create and maintain a balanced
21 pages | 1.09 MB | 1 year ago