hardening controls and should be replaced with a more secure-by-default option. • The Pilot admin interface exposes unnecessary ser- vices and is accessible to anyone within a default cluster. • The Envoy 017 High Ingress Gateway Configuration Generation Enables Route Hijacking 023 High Pilot Debug Interface Exposes Sensitive Information 002 Medium Default Production Profile Not Sufficiently Hardened 003 File Permissions Set 007 Low Istio Client-Side Bypasses 014 Low Sidecar Envoy Administrative Interface Exposed To Workload Containers 018 Low DestinationRules Without CA Certificates Field Do Not Validate

balancing at requet level ○ HTTP host/header/url/method, ○ Thrift service name/method name ○ Dubbo Interface/method/attachment ○ ... ● Fault Injection with application layer error codes ○ HTTP status code ■ 地域感知负载均衡 ■ 熔断 ■ 基于版本的路由 ■ 基于 Method 的路由 ■ 基于 Header 的路由 ○ 可观测性：七层（请求级别）Metrics ○ 安全：基于 Interface/Method 的服务访问 控制 #IstioCon Aeraki Demo: 用户请求和批处理任务隔离(Dubbo) 场景：隔离处理用户请求和批处理任务的服务实例，为用户请求留出足够的处理能

#IstioCon What if ? #IstioCon EnvoyFilter - #IstioCon Envoy HTTP LuaFilter function envoy_on_request(request_handle) function envoy_on_response(request_handle) #IstioCon Who and where to reroute ? 1 X-devroute: { “foo”:”192.168.1.12:8001” } Accept: */* #IstioCon Pseudo implementation 1 function envoy_on_request(request_handle) 2 contract = request_handle:headers():get("x-devroute") 3

Authorization between CNFs 5 ©2021 Aspen Mesh. All rights reserved. 5G Network Function Decomposition Microservice Network Function Implementation 5G Architecture Looks a Lot Like a Mesh? 6 ©2021 Aspen

Me I’m a high schooler who loves learning about everything related to computers, especially interface design. I started working on Istio last summer. Istio.io Work Automation Indicator #7734 Add

static) into Pod IP addresses CNI plugins: allocate ip addresses for workloads exist in nodes CNI interface Calico Antrea Flannel Istio CNI CNI Daemonset Calico Antrea Flannel Istio CNI Networking lifecycle

rust -t webassemblyhub.io/yuval/addheader-rust:v1 ./addheader-filter ABI: Application Binary Interface 13 | Copyright © 2020 > meshctl wasm push webassemblyhub.io/yuval/addheader-rust:v1 Build Store

Concurrency limitations ■ Lack of docs etc. #IstioCon VM High Performance Networking ● VM  Host IO interface ○ Relay ■ DPDK ○ Passthrough ■ SRIOV ● SRIOV ○ Single Root I/O Virtualization ● SIOV ○

provide various programs type for different purpose ● We choose SOCK_OPS & SK_SKB to implement function #IstioCon ebpf Background Knowledge map ● Share collected information and to store state

ster/docs/en/ concepts-and-designs/oal.md • Extendable Aggregation Functions • Aggregation Function • Count • Calls per minute • Avg response time • Sum • Thermodynamic • P99/P95/P90/P75/P50Grammar