Full-stack service mesh: Aeraki helps you manage any layer-7 traffic in the Istio service mesh
Dubbo, Proprietary RPC Protocol … ● Messaging: Kafka, RabbitMQ … ● Cache: Redis, Memcached ... ● Database: mySQL, PostgreSQL, MongoDB ... ● Other Layer-7 Protocols: ... Control Plane (Traffic Management Port ○ SNI ● Observability - only TCP metrics ○ TCP sent/received bytes ○ TCP opened/closed connections ● Security ○ Connection level authentication: mTLS ○ Connection level authorization: Identity/Source
0 码力 | 29 pages | 2.11 MB | 1 year ago

Accelerate Istio with ebpf
with a DaemonSet pod ○ eBPF program tracks connections from client to redirected Envoy (127.0.0.1) and back (outbound) ○ eBPF program also tracks connections from Envoy (127.0.0.6) to Pod IP address and back (inbound) ○ eBPF program also tracks connections from Envoy to Envoy (in the same node) and back (envoy to envoy) ● Works with Istio >= 1.10 ● CNI agnostic and should work with all CNIs (wo/
0 码力 | 15 pages | 591.60 KB | 1 year ago

Istio is a long wild river: how to navigate it safely
envoy | wc -l | xargs) -ne 0 ]; do sleep 1; done”] This preStop hook will wait for application connections to be drained before stopping the container. 18 Workaround: Use postStart and preStop lifecycle preStop hook will sleep to let downstream gRPC connections terminate, drain the Envoy listeners and sleep to give enough time for draining remaining connections. The last command is to handle container restart
0 码力 | 69 pages | 1.58 MB | 1 year ago

Istio Security Assessment
As Envoy does not listen on port 22, this enables the workload container to do so and receive connections to the port. Additionally, even if this port were not granted a short-circuit, Istio’s sidecar Google Istio Security Assessment Google / NCC Group Confidential Note: As with general direct Pod connections involving Istio, it may be necessary for the client to bind to 127.0.0.6 as the source address; istio/pilot/pkg/networking/core/v1alpha3/cluster.go Impact An attacker that is able to intercept raw network connections between Envoy proxies and upstream DestinationRule targets can perform a man-in-the-middle attack
0 码力 | 51 pages | 849.66 KB | 1 year ago

Preserve Original Source Address within Istio
Ways to Preserve Original Src Addr L3 • LVS, one connection • HAProxy transparent mode, two connections L4 • Add IP in TCP Protocol options • Proxy Protocol L7 • HTTP header “x-forwarded-for”
0 码力 | 29 pages | 713.08 KB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
protocol ● A little like TCP + TLS, but built on top of UDP ○ Uses UDP like TCP uses IP ○ Adds connections, resends and flow control on top ○ Provides independent streams ■ Extremely similar to HTTP/2
0 码力 | 50 pages | 2.19 MB | 1 year ago

IstioCon 2022 Report
Panel: Istio Open Source Ecosystem Outlook From China The road to microservice for Database as a Service (DBaaS) via Istio Tencent Music service mesh with Istio and Aeraki Flexible proxy
0 码力 | 20 pages | 2.44 MB | 1 year ago