Istio is a long wild river: how to navigate it safely
100MB Pod App container Container requests 23 Define HPA target for multi-containers pods Stabilizing Istio CPU: 1 Pod App container Container requests HPA configuration (70% CPU) metrics: multi-containers pods Stabilizing Istio CPU: 1 Pod App container Sidecar container CPU: 100m Container requests HPA configuration (70% CPU) metrics: - type: Resource resource: name: cpu target: type: Utilization averageUtilization: 70 The HPA takes the average of all containers CPU requests values. 25 Define HPA target for multi-containers pods Stabilizing Istio CPU: 1 Pod App container
0 points | 69 pages | 1.58 MB | 1 year ago
Istio Security Assessment
attacker that is able to create an Istio VirtualService within a Kubernetes cluster can hijack the requests of any other namespace’s Istio Gateways if their VirtualService was initially created before other Impact An attacker that is able to create an Istio Gateway within a Kubernetes cluster can intercept requests for any other namespace’s services by using a more specific hostname or if their Gateway was initially Istio uses a single ingress gateway, istio-ingressgateway, in the istio-system namespace to handle requests for all namespaces. As a result of this, it is possible for Gateways in different namespaces to
0 points | 51 pages | 849.66 KB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
was reported by the auditing team to the Istio maintainers, because Istio does not cap the size of requests made on an h2c connection, which could lead to a denial of service scenario if a large request was the Istio team, Istio maintainer John Howard assessed Golangs recommended solution for capping H2c requests which is: “The first request on an h2c connection is read entirely into memory before the Handler security in the mesh. Istio's security components are especially exposed, as they handle and validate requests from unauthenticated sources. These components need to be robust enough to defend against a series
0 points | 55 pages | 703.94 KB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
apply -f) Capture traces for E2E test requests Create tests & mocks for all services Configure system under test Forward egress requests to mock services | CONFIDENTIAL 10 Capture request and response data for every API request in a trace From this data, we can: • Drive test requests to any of the endpoints • Create precise mocks for any of the endpoints | CONFIDENTIAL Mesh Dynamics Services | CONFIDENTIAL 14 Configure mocks with Istio virtual service Route requests to mock svc with a virtual service - match: - uri: prefix: /reviews rewrite:
0 points | 21 pages | 1.09 MB | 1 year ago
Local Istio Development
+ No envoy dependency + Complete control over requests - Very different from production environment - May be challenging to reproduce Istio requests #IstioCon Thank you! For more information: ●
0 points | 16 pages | 424.31 KB | 1 year ago
Observability and Istio Telemetry
adaptor • Service. Represent a set/group of workloads to provide the same behaviors for incoming requests. You can define the service name when you are using instrument agents or SDKs. Or SkyWalking uses actually a real process in OS. • Endpoint. It is a path in the certain service for incoming requests, such as HTTP URI path or gRPC service class + method signature. Core Concepts Istio telemetry
0 points | 21 pages | 5.29 MB | 6 months ago
5 tips for your first Istio.io Contribution
hesitate to ask a question or send a PR.” https://github.com/istio/istio/wiki/Reviewing-Pull-Requests #IstioCon Learn Istio is a complex project, and Istio.io is the perfect place to start committing
0 points | 14 pages | 717.74 KB | 1 year ago
Moving large scale consumer e-commerce Infrastructure to Mesh
#IstioCon About Carousell ● C2C Marketplace in SEA ● Over 4 million monthly active users ● User requests over 10 billion per month ● Internet egress bandwidth over 100 TB/month ● Internal egress bandwidth
0 points | 14 pages | 1.76 MB | 1 year ago
How HP set up secure and wise platform with Istio
the client side and server side’s “envoy proxies” verify each other’s identities before sending requests. • If the verification is successful, then the client-side proxy encrypts the traffic, and sends
0 points | 23 pages | 1.18 MB | 1 year ago