Istio Security Assessment
iptables \ iproute2 \ iputils-ping \ knot-dnsutils \ netcat \ tcpdump \ net-tools \ lsof \ linux-tools-generic \ sudo \ ... Tools like tcpdump, sudo, and curl are designed for debugging purposes and when used ["*"] routes: - match: { prefix: "/" } route: { cluster_header: "backend", cluster_not_found_response_code: "SERVICE_UNAVAILABLE" } http_filters: - name: envoy.lua config: inline_code: | function
0 码力 | 51 pages | 849.66 KB | 1 year ago

Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
tests with low effort 7 What we need… End-to-end Component Service | CONFIDENTIAL REQUEST RESPONSE API MOCKS ASSERTION RULES CONTEXT RULES Test Driver TEST ENVIRONMENT Derive At this point, we have: • Full trace of every request from the gateway • Complete request and response data for every API request in a trace From this data, we can: • Drive test requests to any of ews/reviews On-demand configuration to test any component/service
0 码力 | 21 pages | 1.09 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
read into memory. Case 1 A general Get function that makes an http request and reads the entire response into memory: https://github.com/istio/istio/blob/ed2de8c50dab2b10bdd165a2bdb2349d6d0eaeb6/ope r with a route that writes a large buffer to the http response. It then implements a copy of Istio's HTTPFetcher which prints out the size of the response body after it has been read into memory. The global variable bufferSize can be modified to demonstrate that the response body will be read no matter its size. To run the program, copy the code to main.go and run the file with go run main.go. The resulting
0 码力 | 55 pages | 703.94 KB | 1 year ago

Your laptop as part of the service mesh
#IstioCon Envoy HTTP LuaFilter function envoy_on_request(request_handle) function envoy_on_response(request_handle) Who and where to reroute ? The contract GET / HTTP/1 somewhere else 10 response = request_handle:httpCall(address,headers,..) 11 -- respond immediately and don't proxy to original Foo 12 request_handle:respond(response) 13 end Ouch
0 码力 | 30 pages | 555.24 KB | 1 year ago

Kubernetes容器应用基于Istio的灰度发布实践 (Canary release practice for Kubernetes container applications based on Istio)
io/v1alpha2" kind: metric metadata: name: requestduration namespace: istio-system spec: value: response.duration | "0ms" dimensions: source_service: source.service | "unknown" source_version: source destination.service | "unknown" destination_version: destination.labels["version"] | "unknown" response_code: response.code | 200 Istio & Kubernetes: Summary. For cloud-native applications, using Kubernetes to build microservice deployment and cluster management capabilities, and Istio to build service governance capabilities, will gradually become the standard configuration for migrating applications to microservices.
0 码力 | 38 pages | 14.93 MB | 1 year ago

Kubernetes容器应用基于Istio的灰度发布实践 (Canary release practice for Kubernetes container applications based on Istio)
io/v1alpha2" kind: metric metadata: name: requestduration namespace: istio-system spec: value: response.duration | "0ms" dimensions: source_service: source.service | "unknown" source_version: source destination.service | "unknown" destination_version: destination.labels["version"] | "unknown" response_code: response.code | 200 Istio & Kubernetes: Summary. For cloud-native applications, using Kubernetes to build microservice deployment and cluster management capabilities, and Istio to build service governance
0 码力 | 34 pages | 2.64 MB | 6 months ago

Is Your Virtual Machine Really Ready-to-go with Istio?
clusters #IstioCon Role of DNS in Istio, Today 1. DNS query httpbin.ns1.svc.cluster.local 2. DNS response – 10.4.4.4 http req to 10.4.4.4 GET /status/200 http req to 172.16.1.3 GET /status/200 httpbin DNS Issues on VMs accessing K8s SVCs 1. DNS query for httpbin.ns1.svc.cluster.local 2. DNS response – no such host httpbin.ns1.svc.cluster.local SVC IP: 10.4.4.4 DNS Issues on ext-TCP VIPs Smart DNS Proxying 1. DNS query httpbin.ns1.svc.cluster.local 2. Cached DNS response – 10.4.4.4 DNS queries to the system configured name servers. Envoy does not use the agent's
0 码力 | 50 pages | 2.19 MB | 1 year ago

Preserve Original Source Address within Istio
endpoint and init a connection to server with original user's address (IP_TRANSPARENT) ⑤ Server's response packet is flowing through the same path (TPROXY + Custom Route) #IstioCon TOA Address Caveats inner ① Config original src filter: IP_TRANSPARENT and mark upstream packets to 1337 ② Make the response packet redirected back to envoy -A PREROUTING -p tcp -m mark --mark 0x539 -j CONNMARK --save-mark
0 码力 | 29 pages | 713.08 KB | 1 year ago

Accelerate Istio with ebpf
tool ◦ Two pods run on the same node Configurations ◦ mTLS enabled ◦ Number of Envoy workers: 2 ◦ Response payload size: 1KB Latency ◦ 11-17% improvement Istio Meetup China Summary ● eBPF functionality
0 码力 | 15 pages | 591.60 KB | 1 year ago

Observability and Istio Telemetry
Extendable Aggregation Functions • Aggregation Function • Count • Calls per minute • Avg response time • Sum • Thermodynamic • P99/P95/P90/P75/P50 Grammar & Official OAL Script Understand
0 码力 | 21 pages | 5.29 MB | 6 months ago

14 results in total