Introduction to Envoy Internals and Production Pitfalls (Envoy原理介绍及线上问题踩坑)
Envoy network and threading model [figure: main thread: initialization, log thread, configuration loading, xDS, network event listening, worker thread startup, timer events, admin requests, xDS updates, merged stat flush, DNS, scheduler; worker threads: network events, timer events, listeners, listener filters, memory release, stat recording, data reception].
• For HTTP, the request additionally passes through L7 codec processing before being sent upstream.
• When request processing completes, deferredDelete is called to delete the request object and the statistics and observability data are recorded.
• Network data is sent with asynchronous I/O, reducing blocking of other operations on the thread.
Copyright © Huawei Technologies Co., Ltd. All rights reserved. Page 15
Envoy filter architecture
/v1/xx/xx/xx/xx/xx/983980038/stopxx HTTP/1.1" 503UC"-" "-" 0 95 1 - "10.13.22.7" "Apache-HttpClient/4.5.12 (Java/1.8.0_232)" "U4REJ819523DU961535U8316KUUG2G3X" "10.18.8.13:28443" "10.19.51.51:xx" outbound|xx|210201100|xx
0 码力 | 30 pages | 2.67 MB | 1 year ago 3
Exploring and Practicing Istio-based Microservice Governance (探讨和实践基于Istio的微服务治理)
Event monitoring: monitoring requirements at the macro level.
Overall call-chain view: shows the service status of every node on the chain across the whole service-call process, including latency, throughput and other basic information.
Overall server view: shows the running status of all current servers, including CPU, memory, network and I/O read/write.
Overall business view: shows current business-related data
A monitoring scheme that locates problems quickly at the macro level and finds their root cause at the micro level.
Question 2: can the existing system fully meet the requirements? How the existing system meets operations requirements. Istio's existing monitoring system. 2018-0930 (time) log output. Get the corresponding logs for one time request by transaction ID. Request (Transaction ID).
Basic principle of the Java agent [figure: Request/Response flow through the JVM, Class Loader, Engine and Agent, transforming A.class into A', with steps numbered 1 to 10].
When to invoke a specific Handler. Plugin compilation and image packaging. Compiling the plugin: CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -o eventadapter
Dockerfile for building the image: FROM scratch ADD eventadapter /usr/bin/eventadapter ENTRYPOINT ['./ev
0 码力 | 29 pages | 8.37 MB | 6 months ago 3
Istio audit report - ADA Logics - 2023-01-30 - v1.0
infrastructure layer applicable to software applications. Istio is platform and language agnostic, but is often used on top of Kubernetes. It offers users easy access to features such as observability, traffic into the source tree of dependencies of Istio to subsequently exploit it. Untrusted users Istio will often be deployed with the purpose of accepting untrusted input into the service mesh. Untrusted users
os.Stat(dir); os.IsNotExist(err) {
    err := os.Mkdir(dir, 0o755)
    if err != nil {
        return "", err
    }
}
if err := os.WriteFile(destFile, data, 0o644); err != nil {
    return destFile, err
}
return destFile
0 码力 | 55 pages | 703.94 KB | 1 year ago 3
Is Your Virtual Machine Really Ready-to-go with Istio?
Service Entry object combined the lifecycles of both the service and the workloads implementing it, w/o giving a first-class representation for the workloads themselves #IstioCon V1.6-1.8 Better VM Automate provisioning a VM's mesh identity (certificate) ■ based on a platform-specific identity ■ w/o a platform-specific identity ● using a short-lived K8s service account token ● Automatic certificate through the gateway to the service ● The data plane traffic ■ Single network ● direct communication w/o requiring intermediate Gateway ■ Multiple networks ● all goes through the Gateway ● via L3 networking
0 码力 | 50 pages | 2.19 MB | 1 year ago 3
Istio Security Assessment
ideal Kubernetes cluster with Istio running within it. Instead, NCC Group used various hosting options (i.e. Minikube, GKE, KOPS) to build reference clusters and test various configurations. These reference security expectations of control plane traffic • Disabling default services exposed in the cluster (i.e. Envoy admin interface, Pilot admin interface) • Istio hardening best practices Recommendation At and use it below in place of $GATEWAY kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 3. In a separate namespace, "test" with sidecar auto-injection
0 码力 | 51 pages | 849.66 KB | 1 year ago 3
Using ECC Workload Certificates
(pilot-agent environmental variables) that workloads within your cluster are using ECC $ istioctl proxy-config secret. -o json | jq '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | sed 's/"//g' plugged in custom CA certificates aren't specified #IstioCon MeshConfig support In Istio 1.10 I am currently working on having ECC be supported in meshConfig for Istio 1.10 as an Alpha feature ○
0 码力 | 9 pages | 376.10 KB | 1 year ago 3
Secure your microservices with istio step by step
sa/" ● istioctl proxy-config secret -o json | jq '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' -r | base64 -d | openssl x509 -noout -text -in -
0 码力 | 34 pages | 67.93 MB | 1 year ago 3
Automate mTLS communication with GoPay partners with Istio
calls ● 3000+ deployments every week ● REST as well as gRPC services ● Services written in Golang, Java, Clojure, Ruby gRPC, Envoy, and ● GoPay has been using gRPC since 2016 ● GoPay had services running
0 码力 | 16 pages | 1.45 MB | 1 year ago 3
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Prometheus, ClickHouse, etc. ○ Messaging systems - Kafka, RabbitMQ, etc. ○ Programming Languages - Java, Python, Go lang, Scala, etc. ● Running on variety of Hardware ○ General-purpose x86 servers ○
0 码力 | 22 pages | 505.96 KB | 1 year ago 3
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
workload and provides aggregated data of Knative Service ready duration. o Knative Performance Testing Framework 2 Design #IstioCon o Ingress gateway MEM has linear growth, and it consumes ~=750k for 1 Knative Service (#25145). The envoy mem release fix included in Istio 1.6.0+ resolved this issue. o Istiod MEM bumped with large numbers of Knative Services (#25532) Mem usage optimization of pilot resolved Istio scalability issue o Ingress_lb_ready is the duration from Knative Ingress and istio VirtualService are created to Knative probe thinks the configuration works. o [Istio 1.5.4] Istio is picking
0 码力 | 23 pages | 2.51 MB | 1 year ago 3
21 entries in total