Istio Meetup China: Service Mesh Security, Understanding Istio CNI
… container updates iptables rules for the proxy; terminate init container; start workload with updated IP routing rules. Networking lifecycle (Istio CNI): kubelet starts a pause pod; kubelet invokes CNI plugins. CNI plugins and preemptable nodes: bypassing all iptables rules set by data plane proxies. Troubleshooting Istio CNI: check the istio-proxy container through nsenter; check CNI logs in kubelet (journalctl). Will do:
19 pages | 3.17 MB | 1 year ago
Secure your microservices with istio step by step
○ kubectl exec -c istio-proxy curl localhost:15000/config_dump #IstioCon Istio identity – check configuration result ● Result: cert generated automatically with Istio identity 1) Apply peer-authentication … AuthorizationPolicy metadata: name: require-jwt namespace: istio-system spec: action: ALLOW rules: - from: - source: requestPrincipals: ["testing@secure.istio.io/testing@secure.istio … "productpage-viewer" namespace: default spec: selector: matchLabels: app: productpage rules: - to: - operation: methods: ["GET"] apiVersion: "security.istio.io/v1beta1" kind:
34 pages | 67.93 MB | 1 year ago
Istio Security Assessment
… this could not be reproduced. Description: Istio VirtualServices define the sets of traffic routing rules to apply when a host is addressed. They support matching on various criteria including URI paths, and they must declare a gateways field containing a list of strings identifying the Gateway that the rules should be applied to. One feature of this field is that the string can also specify the namespace … pods, services, IPs as well as specific Istio configurations such as routing policies, networking rules, and the configuration of the Istio sidecar injected into each workload. As discussed in finding NCC-GOIST2005-013 …
51 pages | 849.66 KB | 1 year ago
Exploring and Practicing Istio-Based Microservice Governance and Event Monitoring
… logfile Proxy Transaction ID Transaction ID … Commit to Client Success. Introduction to the Mixer component. Mixer overview: • Check: also called precondition, a precondition check such as blacklists/whitelists and permissions. • Quota: access counts. • Report: logs. Mixer secondary development workflow; Mixer plugin working model. In the process above, E … Handlers: provide configuration for adapters, for example the backend URL, certificates, cache options and so on. Secondary development based on Mixer: Instances. Instances: attribute mapping. Secondary development based on Mixer: Rules. Rules: deliver data to adapters, defining when a particular Instance invokes a particular Handler. Plugin compilation and image packaging. Plugin compilation: CGO_ENABLED=0 GOOS=linux GOARCH=amd64
29 pages | 8.37 MB | 6 months ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
… End-to-end / Component / Service | CONFIDENTIAL. REQUEST, RESPONSE, API MOCKS, ASSERTION RULES, CONTEXT RULES … Test Driver, TEST ENVIRONMENT. Derive different types of tests; mocks to test any component/service … Comprehensive comparison of results • ML-driven identification of decision rules • Human review to accept the learned rules • No code! Test data … Summary: create different types …
21 pages | 1.09 MB | 1 year ago
Optimal Canary Deployments using Istio and how it scores over Spring Cloud and Kubernetes
… R V I C E (ClusterIP) – demo-canary-svc. ISTIO VIRTUAL SERVICE + Destination Rules. ISTIO VIRTUAL SERVICE + Destination Rules. Header: X-User-Type: Non-Admin. Header: X-User-Type: Admin. Header: X-User-Type: …
9 pages | 1011.00 KB | 1 year ago
Preserve Original Source Address within Istio
… istio.io/interceptionMode: TPROXY, istio will automatically set the original src filter and iptables rules #IstioCon Preserve TCP Original Src Addr - inner: ① Config original src filter: IP_TRANSPARENT and listener. ② Setting annotation sidecar.istio.io/interceptionMode: TPROXY, this will set all the rules as inner cluster. Content: 1. TCP Original Address Preserve: Background, Demo. 1. HTTP …
29 pages | 713.08 KB | 1 year ago
Kubernetes Container Applications: Gray Release (Canary) Practice Based on Istio
… 20% svcB svcA Rules API Pilot 80% Istio gray release: based on request content. Version2 Envoy SVC Envoy SVC Pod1 Pod2 Pod3 Envoy SVC Pod1 Pod2 Version1(canary) group=dev svcB svcA Rules API Pilot apiVersion: …
38 pages | 14.93 MB | 1 year ago
Kubernetes Container Applications: Gray Release (Canary) Practice Based on Istio
… 20% svcB svcA Rules API Pilot 80% Istio gray release: based on request content. Version2 Envoy SVC Envoy SVC Pod1 Pod2 Pod3 Envoy SVC Pod1 Pod2 Version1(canary) group=dev svcB svcA Rules API Pilot apiVersion: …
34 pages | 2.64 MB | 6 months ago
Building resilient systems inside the mesh: abstraction and automation of Virtual Service generation
… https://github.com/thought-machine/please ● Uses BUILD and allows for creation of miscellaneous rules. Misc please rule for autogeneration. K8s Greeter service example #IstioCon Building the new rule …
9 pages | 1.04 MB | 1 year ago