Is Your Virtual Machine Really Ready-to-go with Istio?
#IstioCon Is Your Virtual Machine Really Ready-to-go with Istio? Kailun Qin, Intel Haoyuan Ge #IstioCon Quick Summary (from Google Cloud Next ’19 [1]) VM works on Istio! [1] Istio Service Mesh Proxy to Proxy kernel bypass w/ HW acceleration #IstioCon Quick Summary, Today Istio is ready-to-go for VM native. And should/will be ready for MORE! #IstioCon Thank you! Github: @kailun-qin @harryge00
0 码力 | 50 pages | 2.19 MB | 1 year ago
Istio-redirector: the way to go to manage thousands of HTTP redirections
#IstioCon Istio-redirector: the way to go to manage thousands of HTTP redirections Etienne Fontaine (@etifontaine) #IstioCon Istio-redirector 301-redirection from /bus/routes/bruxelles/lille
0 码力 | 13 pages | 1.07 MB | 1 year ago
Observability and Istio Telemetry
other mesh data/control panel • Format the telemetry to Observability Analysis Language • A compile language • Scopes • All • Service • ServiceInstance • Endpoint • ServiceRelation • Extendable Aggregation Functions • Aggregation Function • Count • Calls per minute • Avg response time • Sum • Thermodynamic • P99/P95/P90/P75/P50 Grammar & Official OAL Script Understand new storage SkyWalking. Don’t delete these. INDICATOR All metric data belong to this. They are in min/hour/day/hour time level. They are named by Rule: scopename_funcName_timeLevel RECORD Segment and AlarmRecord belong
0 码力 | 21 pages | 5.29 MB | 6 months ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
throughout the period of the audit. Found issues were reported as they came up which gave the Istio team time to triage and assess criticality. Results summarised 6 fuzzers written and added to Istio's OSS-Fuzz trap/fuzz_test.go#L26 2 FuzzRunTemplate istio.io/istio/pkg/kube/inject https://github.com/istio/istio/blob/65478ea81272c0ceaab568974aff700aef907312/pkg/kube/inject/fuzz_test.go#L23 3 FuzzReadCACert on/fuzz_test.go#L22 4 FuzzIstioCASign istio.io/istio/security/pkg/pki/ca https://github.com/istio/istio/blob/65478ea81272c0ceaab568974aff700aef907312/security/pkg/pki/ca/fuzz_test.go#L24 5 FuzzValidateCSR
0 码力 | 55 pages | 703.94 KB | 1 year ago
Istio Security Assessment
components that were actively being updated during testing so testers used the latest release at the time of testing which was 1.6.5 along with specific commits for the code base shown below: • github.com/istio/istio Default Production Profile Not Sufficiently Hardened 003 Medium Weak Hash Used for Integrity 009 Medium Go Trace Profiling Enabled By Default 013 Medium Permissive Kubernetes RBAC within a Namespace 015 Medium Istio Location The ValidateVirtualService function defined in istio/pkg/config/validation/validation.go Impact An attacker that is able to create an Istio VirtualService within a Kubernetes cluster can
0 码力 | 51 pages | 849.66 KB | 1 year ago
Local Istio Development
Local go run ./pilot/cmd/pilot-discovery go run ./pilot/cmd/pilot-agent #IstioCon Fully Local go run ./pilot/cmd/pilot-discovery go run ./pilot/cmd/pilot-agent + Fast! Bottleneck is go compilation compilation time + Trivial to enable debugger or run from an IDE - Very different from production environment, may not be representative - Harder to test actual traffic, especially iptables - May be dependant multiple proxies #IstioCon Cluster Remote Istiod, local proxy go run ./pilot/cmd/pilot-agent #IstioCon Cluster Remote Istiod, local proxy go run ./pilot/cmd/pilot-agent + Rapid iteration - Very different
0 码力 | 16 pages | 424.31 KB | 1 year ago
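Analysis of the Principles of Istio Control Plane Components
Meetup #3 Shenzhen. About me • Zhu Jinghui, platform engineer at ETC Chebao. • Likes open source; personal open-source project "Jaeger PHP Client". • Likes studying source code; has studied Go open-source projects such as NSQ, Jaeger and Istio (control plane). • Besides code, also likes hiking and the feeling of being sore all over after waking up the next day. Contents: Pilot-Agent: lifecycle management (PA) • Start envoy • Hot-restart envoy • Monitor envoy • Gracefully shut down envoy. Start envoy joining forces with Google. Official blog: The universal data plane API. Cache Istio and k8s configuration • A small non-persistent key/value database • Builds the cache with k8s.io/client-go • Caches Istio: route-rule, virtual-service, gateway, etc. • Caches k8s: node, Service, Endpoints, etc. How configuration is triggered to take effect: V2 actively pushes configuration to envoy over a GRPC bidirectional stream: version => v1 destination.port int64 The recipient port on the server IP address. 8080 request.time timestamp The timestamp when the destination receives the request. This should be equivalent to
0 码力 | 30 pages | 9.28 MB | 6 months ago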
Exploring and Practicing Istio-based Microservice Governance: Event Monitoring
a checklist(action) At 2018-0930(time) Log output (Transaction ID) C(application) Trasanctionid(CA SDK support) TOM (who) Create a checklist(action) At 2018-0930(time) Log output B(application) Trasanctionid(CA Trasanctionid(CA SDK support) TOM (who) Create a checklist(action) At 2018-0930(time) Log output Get the corresponding logs for one time request by transaction ID Request(Transaction ID) Basic principles of the Java probe A.class 1 2 Rules. Deliver the data to the adapter. Defines when a specific Instance invokes a specific Handler. Plugin compilation and image packaging. Compiling the plugin: CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -o eventadapter Dockerfile for building the image: FROM scratch ADD eventadapter /usr/bin/eventadapter
0 码力 | 29 pages | 8.37 MB | 6 months ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
ClickHouse, etc. ○ Messaging systems - Kafka, RabbitMQ, etc. ○ Programming Languages - Java, Python, Go lang, Scala, etc. ● Running on variety of Hardware ○ General-purpose x86 servers ○ GPUs #IstioCon Goal ■ Understand Istio control-plane performance to support eBay scale ■ Proxy config convergence time (CDS, EDS, LDS, RDS push times) ■ Resource usage (CPU, memory, etc.) ○ Secondary Goal ■ Fine-tune Setup ○ Create Gateway Pods & thousands of Pods with sidecar Envoys ○ Measure Config convergence time ■ Time taken by all sidecars to get config from Pilot without any errors ■ For thousands of services
0 码力 | 22 pages | 505.96 KB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
quickly • What happens if you do not address the problem? – Thorough test coverage can take a lot of time and effort – Realistic outcome: Just create E2E tests • What is our solution? – Leverage Istio Early testing of services components auto-generated from end-to-end tests – Significantly reduced time and cost for API testing for microservices architectures with Istio – Fewer failures higher up the Updates to an API require updating corresponding Service and Component tests - As a result, teams would go for just E2E tests | CONFIDENTIAL 6 Teams often focus on End-to-End tests (besides unit tests)
0 码力 | 21 pages | 1.09 MB | 1 year ago