Local Istio Development
John Howard / @howardjohn / Google (#IstioCon). Fully Cloud: docker push, kubectl apply, docker pull. + No local resource utilization. + Closely resembles production environments. + Can test large scales. - Slow, especially without fast upload speeds. - Expensive. Local Machine / Local Cluster: kubectl apply, docker pull (Local Kubernetes, Local Registry). Local Machine / Local Cluster + Registry: docker push, kubectl apply, docker pull (Local Kubernetes, Local Registry). + Fast! Image
0 码力 | 16 pages | 424.31 KB | 1 year ago 3
Istio in production environments
million nais.io github.com/nais CD CD metrics alerts deploy cache events logs secrets storage runtime app dev prod dev prod internal external on-prem probes: { liveness: … } ingresses: - app.dev-gke.nais.io egresses: - svc-not-in-mesh.nav.local secrets: true accessPolicy: inbound: - name: consumer-a app apiVersion: nais.yaml cluster kubectl
0 码力 | 42 pages | 3.45 MB | 1 year ago 3
Istio Security Assessment
Mesh. Method: Code-assisted. Platforms: Golang, Kubernetes. Dates: 2020-07-06 to 2020-07-31. Environment: Local Test Environment. Consultants: 4. Level of Effort: 50 person days. Targets: istio/istio Istio Source. Group Confidential.
kubectl exec -it {YOURPOD} -n {YOURNS} -- curl istiod.istio-system.svc.cluster.local:15014/debug • This will return the plaintext debug endpoint of Pilot. Recommendation: Enhance documentation.
match: - uri: exact: /productpage route: - destination: host: details.restrict-test.svc.cluster.local port: number: 9080 - match: - uri: exact: /login redirect: uri: / authority: www.nccgroup.com
0 码力 | 51 pages | 849.66 KB | 1 year ago 3
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
Compatible with the native filter invocation method. Example Wasm filter configuration: the configuration delivered to the Envoy Proxy side. OCI Registry As Storage: the reference implementation of the OCI Artifacts project, which greatly simplifies storing arbitrary content in an OCI registry; the ORAS API/SDK library can be used to build custom tools, for example to push WebAssembly modules into an OCI registry.
io/userVolume: '[{"name":"wasmfilters-dir","hostPath":{"path":"/var/local/lib/wasm-filters"}}]' sidecar.istio.io/userVolumeMount: '[{"mountPath":"/var/local/lib/wasm-filters","name":"wasmfilters-dir"}]' Execution result
0 码力 | 23 pages | 2.67 MB | 1 year ago 3
13 Istio Traffic Management Principles and Protocol Extension (赵化冰)
The cluster corresponding to a request to reviews:9080 is outbound|9080||reviews.default.svc.cluster.local. 7. The cluster outbound|9080||reviews.default.svc.cluster.local is configured to obtain its endpoints via EDS; the EDS query shows that this cluster has 3 endpoints. 8. The request is sent, according to the configured route, to the inbound cluster inbound|9080|http|reviews.default.svc.cluster.local. 12. The host configured for the inbound|9080|http|reviews.default.svc.cluster.local cluster is 127.0.0.1:9080. 13. The request is forwarded to 127.0.0.1:9080, i.e.
hosts: - reviews.prod.svc.cluster.local awesomeRPC: - name: "canary-route" match: - headers: user: exact: jason route: - destination: host: reviews.prod.svc.cluster.local subset: v2 - name: "default" route:
0 码力 | 20 pages | 11.31 MB | 6 months ago 3
Observability and Istio Telemetry
• Sum • Thermodynamic • P99/P95/P90/P75/P50. Grammar & Official OAL Script. Understand new storage entities: ENTITY TYPE | DESCRIPTION. INVENTORY: Inventory includes service, service_instance,
0 码力 | 21 pages | 5.29 MB | 6 months ago 3
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
multi tenants. • Knative has knative-ingress-gateway for external access and knative-local-gateway for cluster local access. They use Istio gateway service istio-ingressgateway as its underlying service.
teway - knative-serving/knative-local-gateway hosts: - blue.51ch62kjrnd.svc.cluster.local http: route: - destination: host: {revision-3}.51ch62kjrnd.svc.cluster.local weight: 10 - destination: host: {revision-2}.51ch62kjrnd.svc.cluster.local weight: 90 (Knative Service Inspection)
#IstioCon - Security with Service Mesh enabled • mutual TLS is enabled to secure the user application traffic end
0 码力 | 23 pages | 2.51 MB | 1 year ago 3
Is Your Virtual Machine Really Ready-to-go with Istio?
query httpbin.ns1.svc.cluster.local 2. DNS response – 10.4.4.4 http req to 10.4.4.4 GET /status/200 http req to 172.16.1.3 GET /status/200 httpbin.ns1.svc.cluster.local SVC IP: 10.4.4.4
#IstioCon VMs accessing K8s SVCs: 1. DNS query for httpbin.ns1.svc.cluster.local 2. DNS response – no such host httpbin.ns1.svc.cluster.local SVC IP: 10.4.4.4
#IstioCon DNS Issues on ext-TCP SVCs without VIPs
#IstioCon Smart DNS Proxying: 1. DNS query httpbin.ns1.svc.cluster.local 2. Cached DNS response – 10.4.4.4 DNS queries to the system configured name servers. Envoy does not use the agent's
0 码力 | 50 pages | 2.19 MB | 1 year ago 3
Introduction to Envoy Principles and Pitfalls Encountered in Production
dubbo_proxy | L4 network filter | Parses the Dubbo RPC protocol, extracts the method, interface, metadata and other information from the request, and selects a route based on that metadata. envoy.filters.network.local_ratelimit | L4 network filter | L4 network rate limiting; a token bucket prevents too many downstream connections within a fixed time interval. envoy.filters.network.http_connection_manager. envoy.filters.http.lua | L7 HTTP filter | Based on the Lua scripting language; handles HTTP requests and responses, with each Lua runtime running on a worker thread. envoy.filters.http.local_ratelimit | L7 HTTP filter | Based on L4 request rate limiting; a token bucket prevents too many downstream requests within a fixed time interval. envoy.filters.http.wasm | L7 HTTP filter | Based on WASM (W
"513cca39-1ea7-47db-8c04-a5827464ce22" "100.85.225.193" "10.17.10.181:xx" outbound|xx|191130102|xx.xx.svc.cluster.local - 10.17.8.9:xx 100.95.165.3:28788 100.85.225.193 -
Root cause analysis: 1. Packet captures showed a large number of Retransmissions within a short period. 2. Exceeded c
0 码力 | 30 pages | 2.67 MB | 1 year ago 3
Secure your microservices with istio step by step
matchLabels: app: details rules: - from: - source: principals: ["cluster.local/ns/default/sa/bookinfo-productpage"] to: - operation: methods: ["GET"] apiVersion: matchLabels: app: reviews rules: - from: - source: principals: ["cluster.local/ns/default/sa/bookinfo-productpage"] to: - operation: methods: ["GET"] apiVersion: from: - source: principals: ["cluster.local/ns/default/sa/bookinfo-reviews", "cluster.local/ns/default/sa/bookinfo-reviews-v2", "cluster.local/ns/default/sa/bookinfo-reviews-v3"] to:
0 码力 | 34 pages | 67.93 MB | 1 year ago 3