Introduction to Envoy Internals and Pitfalls Hit in Production
Contents (excerpt): Envoy's extensible filter architecture and observability; 4. Envoy threading model; 5. Analysis and resolution of production issues; 6. Optimizations made to Envoy and their effect; 7. Commonly used performance analysis and testing tools and how to use them; 8. Introduction to Huawei ASM.
Preface (excerpt): the microservices architecture was first ... by Fred G
[Slide residue: iptables interception flow with SO_ORIGINAL_DST, routing, upstream connection pool; steps 3. not this POD, not Envoy itself; 4. DNAT; 7. UID=1337; 10. skip ordinary ports; 11. DNAT; 12. localhost app2; 14./15. lo, network send. Outbound direction: calls initiated from inside this POD to the outside. SDS security and certificate configuration: POST /envoy.service.secret.v3.SecretDiscoveryService/StreamSecrets. Envoy request path: listening port (connection entry), L4 filters (request entry), L7 filters, routing policy, upstream cluster, destination host policy (request exit).]
Copyright © Huawei Technologies Co., Ltd. All rights reserved.
30 pages | 2.67 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
Table of contents (excerpt): Table of contents 1; Executive summary 2; Notable findings 3; Project summary 4; Audit scope 6; Overall assessment 7; Fuzzing 9; Threat model 11; Issues found 17; Review of fixes for ...
Scope (excerpt): ... manual code audit for security issues. 3. Review the fixes for the issues found in an audit from 2020. 4. Review and improve Istio's fuzzing suite. 5. Perform a SLSA review of Istio. The audit was started ...
Contacts (excerpt, Istio Security Audit, 2023): Engineering Manager, neelimabk@google.com; Shankar Ganesan, Software Engineer, shankgan@google.com; OSTIF: Amir Montazery, Managing Director, Amir@ostif.org; Derek ...
55 pages | 703.94 KB | 1 year ago
Istio Security Assessment
Scope (excerpt): specific commits for the code base shown below: github.com/istio/istio at 7353c84b560fd469123611476314e4aee553611d; github.com/istio/proxy at c51fe751a17441b5ab3f5487c37e129e44eec823; github.com/istio/istio ...
Engagement (excerpt): Consultants 4; Level of Effort 50 person days; Targets: istio/istio, Istio source code in the master branch up to July 15th, 2020, commit 7353c84b560fd469123611476314e4aee553611d; istio/proxy, commit 26dacdde40968a37ba9eaa864d40e45051ec5448.
Finding Breakdown: Critical issues 0; High issues 4; Medium issues 5; Low issues 7; Informational issues 2; Total issues 18. Category Breakdown: Access ...
51 pages | 849.66 KB | 1 year ago
Istio in Production
Example application manifest (excerpt):
app
  labels:
    team: pension
  spec:
    image: navikt/app:1
    port: 8080
    replicas: { min: 2, max: 4 }
    probes: { liveness: … }
    ingresses:
      - app.dev-gke.nais.io
    egresses:
      - svc-not-in-mesh.nav
42 pages | 3.45 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
eBay by the numbers (excerpt): ... Active Buyers worldwide; 19M Sellers worldwide; 1.7B Live Listings; $26.6B GMV in Q4 2020.
eBay Applications: eBay is powered by more than 5,000 Microservices ranging from ... Web-Tier; Load-Balancer; Pods across AZ 1, AZ 2 ... AZ n; Client.
What about Security? L4 micro-segmentation solution: a central policy store capturing application-to-application dependencies ... into K8s NetworkPolicies to be enforced in the clusters; there are also other enforcers to enforce L4 policies on hardware firewalls, bare metals, legacy OpenStack, etc. Transport Layer Security ...
22 pages | 505.96 KB | 1 year ago
Full-Stack Service Mesh: Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
Aeraki demo (Dubbo, excerpt): ... service_group custom attribute; 2. set the SERVICE_GROUP environment variable in the Provider's deployment; 3. set the batchJob header when the consumer makes the call; 4. configure the corresponding DR and VS traffic rules. https://docs.qq.com/doc/DVnlqUVB1ek1laFBQ
Aeraki demo, locality-aware load balancing (Dubbo): 2. set the provider's region via an environment variable in its deployment; 3. declare the consumer's region and zone via labels in its deployment; 4. enable locality load balancing through a DR rule. https://docs.qq.com/doc/DVnlqUVB1ek1laFBQ
What's next? ... Filter configuration, in which RDS points to Aeraki; 3. Istio pushes LDS (Patch)/CDS/EDS to Envoy; 4. Aeraki pushes RDS to Envoy based on the default route or user-defined routing rules.
MetaProtocol data plane: MetaProtocol Proxy implements the generic Layer-7 protocol logic: routing, header ...
29 pages | 2.11 MB | 1 year ago
SolarMesh: A Traffic Governance Platform Built on Istio
Contents: 1. Why we need a service mesh; 2. SolarMesh's positioning; 3. SolarMesh's features; 4. SolarMesh's productization improvements over the Istio community version; 5. SolarMesh architecture; 6. SolarMesh components; 7. Application scenarios.
Application scenario, troubleshooting. The traditional way: start from the gateway and read logs along the call chain; 4. no error in the log, move to the next one; 5. repeat step 4; 6. until the failure is located. With SolarMesh: 1. traffic alert / page error observed; 2. look at the graph; 3. go straight to the failure location.
Application scenario, canary version migration. The traditional upgrade: 1. build the deployment package; 2. wait until midnight; 3. deploy one machine; 4. test with simulated test data ... The SolarMesh upgrade: ...
Summary: 1. Istio direct-connect mode, giving second-level failover to direct traffic when the sidecar fails; 2. unified multi-cluster management, giving traffic operations a god's-eye view; 3. visualized, standardized Istio operations, no more terminal; 4. reflects the real state of the cluster through visual traffic monitoring; 5. monitoring for Istio core components; 6. service quality (SLO) detection; 7. one-click deployment of the distributed tracing component Jaeger; 8. one-click deployment of the data visualization tool Grafana, further improving the traffic-monitoring experience.
20 pages | 1.29 MB | 1 year ago
Analysis of Istio Control Plane Component Internals
Envoy hot restart (excerpt): ... S notifies P (the primary process) to close the ports it manages, and S takes them over; 3. S loads its configuration and starts binding listen sockets, obtaining the appropriate listen sockets from P over UDS during this period; 4. once S has initialized successfully, it notifies P to stop accepting new connections and to gracefully finish outstanding work; 5. while P shuts down gracefully, S fetches stats from shared memory; 5. when the time is up, S tells P to shut itself down; 6. S is promoted to P. Official blog: Envoy to Firebase "now".
Mixer report, raw reported data (excerpt): req.Attributes: "strings":{"131":92,"152":-1,"154":-2,"17":-7,"18":-4,"19":90,"22":92 ...; "int64s":{"1":33314,"151":8080,"169":292,"170":918,"23":0,"27":780,"30":200}; "bools":{"177":false} ... ot-8696f764dd-fqxtg.istio-system", "3a7a649f-4eeb-4d70-972c-ad2d43a680af", "172.00.00.000", "Thu, 05 Jul 2018 08:12:19 GMT", "780", "bc1f172f-b8e3-4ec0-a070-f2f6de38a24f", "718"] are converted into attribute words and flushed asynchronously to the Adapter.
30 pages | 9.28 MB | 6 months ago
Istio-redirector: the way to go to manage thousands of HTTP redirections
How does it work? (excerpt, slide sequence): Creating the .csv; Importing the file; Generating the Istio configuration; Deploy to production. An SEO specialist creates the file manually, matching old URLs with the new ones based on different tools ... Istio-redirector takes the ... The files are reviewed, merged and deployed! More than 26k redirections are ...
13 pages | 1.07 MB | 1 year ago
Preserve Original Source Address within Istio
Why preserve it (excerpt): ... log & stats; 4. specific scenarios like SIP trunking.
Common ways to preserve the original source address: L3: LVS, one connection; HAProxy transparent mode, two connections. L4: add IP in TCP ... reporting the client IP address and port. A PROXY Protocol plain-text header has the format: PROXY TCP4 192.0.2.0 192.0.2.255 42300 443\r\n. Proxy Protocol v2 ...
Preserve TCP original source address, ingress (excerpt): client, Server; fwmark 1337 lookup 133; ip -f inet route add local default dev lo table 133; ③ echo 1 > /proc/sys/net/ipv4/conf/eth0/route_localnet ... svcB envoy envoy Pod1:1 ...
29 pages | 713.08 KB | 1 year ago
38 results in total, listed over 4 pages.