#IstioCon Service Mesh in China 宋净超（Jimmy Song） Tetrate #IstioCon Agenda Developer Advocate at Tetrate 前蚂蚁集团云原生布道师 CNCF Ambassador ServiceMesher 及云原生社区创始人 https://jimmysong.io • ServiceMesher #IstioCon ServiceMesher 是在中国推广 Service Mesh 技术的核心力量。 Istio 是中国最流行的 Service Mesh 实现。 2018 年 5 月至今 #IstioCon ServiceMesher 大事记 • 2017 年 12 月，由数人云发起的 meetup，下一代微服务： Service Mesh is Coming • 2018 年 5 月，servicemesher 发起了 Istio 官网翻译活动 • 2019 年 3 月，社区发起了《Istio Handbook》共创活动 翻译 -> 线下交流（经验分享）->原创、实践与上游贡献 #IstioCon Service Mesh Meetup • 九届线下 meetup • 走过北京、上海、广州、深圳、杭州、成都 • 38 位讲师 • 共发表 41 场演讲 Meetup PPT 下载： https://github

Sebastian Toader & Zsolt Varga 2021-Feb-26 Apache Kafka with Istio on K8s 2 • Scalability • Resiliency • Security • Observability • Disaster recovery Production grade Apache Kafka on Kubernetes certificates • On the fly certificate renewals with no service downtime • Unified simplified configuration to enable mTLS for all services • Kubernetes service account based authn/authz • Secure cross-cluster • Broker pods need restarting to pick up the modified keystore and truststore files • May cause service degradation Challenges – Certificate renewal 6 • Client certificates has be created for each separate

#IstioCon Your laptop as part of the service mesh by Lorenzo Fundaró SRE @ Omio #IstioCon What’s on the menu today ● EnvoyFilter in practice ● Demo ● Inspiration #IstioCon Questions #istiocon through the call chain #IstioCon Demo time #IstioCon Thank you ! ● Your laptop as part of the service mesh @ Medium ● Reference implementation and run-it-yourself-demo at github.com/omio-labs/devro

Vrushali Joshi Istio Service Mesh at Enterprise Scale Feb, 2021 Who are we? Founded 5,000 Developers 50M Customers 1993 IPO $6.8B FY19 Revenue 20 Locations 1983 Why Service Mesh? Microservices Microservices Kubernetes Service Mesh Istio Monolith Era Intuit Statistics ● 900+ Teams ● 5000+ Developers ● 200+ Clusters ● 7000+ Namespaces ● ~9200 Nodes varies with autoscaling Hub and Spoke Shaping ✘ Latency ✘ Single Point of Failure Service Mesh API Gateway Book Info Payments Product Info Proxy Proxy Proxy Proxy + k8s Istio mTLS mTLS mTLS ✓ Security

Anthony Roman, Lei Tang Google April 26, 2022 Service mesh security best practices: from implementation to verification Who are we? Anthony Roman Istio Github: anthony-roman Lei Tang Istio lei-tang Session agenda 1. Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture architecture ● Attack vectors. ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster

#IstioCon Extending service mesh capabilities using a streamlined way based on WASM and ORAS 王夕宁 | 阿里云服务网格ASM 2 Envoy’s Filter Chain Listener Downstre am Filter Filter Filter Cluster Upstrea UpdateMeshFeature -- ServiceMeshId=xxxxxx --WebAssemblyFilterEnabled=true ○ 部署一个DaemonSet(asmwasm-controller)到K8s集群中 ○ asmwasm-controller监听一个configmap, 该configmap存放要拉取的wasm filter 的地址, 例如： acree-1-registry.cn-hangzhou 资源对象 Controller (Watch & Reconcile) Istio EnvoyFilter CR wasm filter二进 制文件 服务网格ASM Pod K8s集群 Proxy Service A Volume 挂载 Envoy配置 17 ASMFilterDeployment CR示例 ● 创建ASMFilterDeployment Custom Resource

#IstioCon Building resilient systems inside the mesh: abstraction and automation of Virtual Service generation Vladimir Georgiev, Thought Machine #IstioCon Sync calls failures inside the mesh All Service Owners must be aware of the Virtual Services API in order to define their SLOs. ● Potential typing errors when dealing with YAMLs. ● Potential drift between the state of the service API API and the Virtual Service config. ● Hard to manage when having hundreds of services. #IstioCon Abstracting to proto files Annotations API definition Greeting service example #IstioCon Please Build

How eBay is building a massive Multitenant Service Mesh using Istio Sudheendra Murthy #IstioCon Agenda ● Introduction ● Applications Deployment ● Service Mesh Journey ● Scale Testing ● Future Direction Application Deployment: Cloud Layout ● Multiple K8s Clusters in an AZ ○ Each K8s cluster ~ 200 - 5,000 nodes ○ Upto 100,000 Pods in a cluster ○ 10,000+ K8s services - including prod, pre-prod, staging worst-case scenario Region R1 AZ 1 AZ 2 AZ n Data Center DC1 K8s Cluster K8s Cluster K8s Cluster K8s Cluster K8s Cluster K8s Cluster Region Rn #IstioCon Application Specs Region

[1]) VM works on Istio! [1] Istio Service Mesh for VM Native, Chris Crall, Jianfei Hu, Google Cloud Next ‘19 #IstioCon Why Add VMs to the Mesh? ● = Why Service Mesh? ○ More services = more complexity Deterministic workloads with strong requirements ● For Istio ○ What is Istio? A service mesh. But more: an open service platform! ○ More use cases! ○ (Consul, Kuma…) #IstioCon Emerging Use Cases #IstioCon #IstioCon V1.1 Introducing Service Entry Service Entry v.s. Service v.s. Endpoints ● Service Entry ○ An entry that Istio maintains internally ○ Describing the properties of a service, internal/external to

Istio控制平面组件原理解析 朱经惠 2018.08.25 Service Mesh Meetup #3 深圳站关于我 • 朱经惠，ETC车宝平台工程师。 • 喜欢开源，个人开源项目”Jaeger PHP Client”。 • 喜欢研究源码，对NSQ，Jaeger，Istio（控制平面）等go语言开源项目进行 过研究。 • 除了代码还喜欢爬山和第二天睡醒后全身酸疼的感觉。目录Pil ü抢救机制触发 ü抢救令牌减少一个（总共10个） ü在2(n-1) * 200毫秒后执行（为什么不立即执行） ü失败再次触发抢救机制 ü10个令牌用完，没有抢救成功，放弃退出优雅关闭envoy ü K8s发送SIGTERM信号让容器优雅关闭 ü Pilot-Agent接收信号通过context关闭子服务，发送SIGKILL关闭envoy ü Envoy不支持优雅关闭，需要通过金丝雀或蓝绿部署方式实现 官方博客：The universal data plane API缓存Istio和k8s配置 ü一个小型的非持久性key/value数据库 ü借助k8s.io/client-go建立缓存 ü缓存Istio：route-rule，virtual-service，gateway等 ü缓存k8s：node，Service，Endpoints等触发配置生效方式 V2通过GRPC双向流，主动推送配置给envoy：