Mesh Operator we are here TROUBLE SHOOTING January 2019 PoC March 2020 December 2020 PROD REPLICATION Innovation trigger Peak of inflated Expectations Though of Disillusionment Slope of Enlightenment

-43b7-ad68-af515a9ed2e0 Executive Summary Synopsis In the summer of 2020, Google enlisted NCC Group to perform an assessment on the open-source version of Istio and all of its components. Istio is a worked on the project in tight partnership with Google’s Istio subject matter experts. Scope NCC Group’s evaluation of Istio included: • Istio Architecture: The overall design and archi- tecture of Istio services • Istio Documentation: The documentation and secu- rity guides hosted on istio.io. NCC Group started the assessment with an overall architecture review which extrapolated areas of focus for subsequent

didn’t have a process #IstioCon Led To ● Upgrade Working Group ● Release Note Generation ● Definition of Done #IstioCon Upgrade Working Group Mission: To improve the stability, user experience, and and test infrastructure around Istio upgrades #IstioCon Upgrade Working Group - Stability ● Standards and processes ○ Control plane behavior ○ Data plane communication ● Promote revision-based upgrades #IstioCon Upgrade Working Group - User Experience ● Add pre-checks to identify and warn about known potential issues ○ Provide a clear path forward #IstioCon Upgrade Working Group - Test Infrastructure

o-shadows/ #IstioCon Listening to our users UX Working Group - Upgrade Survey 2020 #IstioCon Listening to our users ... UX Working Group - Upgrade Survey 2020 Do users on old versions understand understand their security and support posture? #IstioCon Listening to our users ... UX Working Group - Upgrade Survey 2020 #IstioCon Theme for Istio 2021 #IstioCon Day 2 operations https://dzone.com/ar Operations’ #IstioCon Stability & Maintainability ● Improved upgrade experience ○ Upgrade Working Group ○ Promoting revision based upgrades ○ Support skip-level upgrades ○ Pre & Post Upgrade checks

with security. In particular, it is worth highlighting that: ● The Istio Product Security Working Group responds swi�ly to security disclosures. ● The documentation on the projectʼs security is comprehensive privilege and that are able to escalate to higher privileges. There are a number of areas where either group could exceed their assumed privilege boundaries. We enumerate these below: Policy Enforcement Points previous security audit disclosed here: https://istio.io/latest/blog/2021/ncc-security-assessment/NCC_Group_Google_GOIST2005 _Report_2020-08-06_v1.1.pdf. These issues were found in an audit performed in 2020

telemetry/attribute-vocabulary/Metric settings in Istio bypass adaptor• Service. Represent a set/group of workloads to provide the same behaviors for incoming requests. You can define the service name name you defined in platform such as Istio. • Service Instance. Each one workload in the Service group is named as an instance. Like pods in Kubernetes, it doesn't need to be a single process in OS

configurations to be added to the group will use macro APIs that automatically generate Istio APIs under the hood. ● Direct: Indicates that the configurations to be added to the group will directly use Istio

Version1(canary) group=dev svcB svcA Rules API Pilot apiVersion: … kind: VirtualService metadata: name: ratings-route spec: hosts: - svcb http: - match: - headers: cookie: exact: “group=dev” route:

Version1(canary) group=dev svcB svcA Rules API Pilot apiVersion: … kind: VirtualService metadata: name: ratings-route spec: hosts: - svcb http: - match: - headers: cookie: exact: “group=dev” route:

Demo: 用户请求和批处理任务隔离(Dubbo) 1. 在 dubbo: application 配置中为 Provider 增加 service_group 自定义属性 2. 通过 Provider 的 deployment 设置 SERVICE_GROUP 环境变量 3. 在 consumer 发起调用时设置 batchJob header 4. 设置相应的 DR 和 VS 流量规则 https://docs