Is Your Virtual Machine Really Ready-to-go with Istio?
Observability ○ See VM metrics alongside containers ● Extensibility … Why Should Istio Support VMs ● Why VMs? ○ Technical reasons ■ Better known security controls ■ Better isolation (of forward ■ Retry, timeout, fault injection, mTLS policies ■ VM service, multicluster Istio mesh support ● Service + Endpoints ○ Usually for internal traffic ○ ExternalName ■ Service <-> DNS name ○ Sidecar proxy injection ○ Automate VM registration ○ Health/readiness check … V1.7 VM Support with Added Security ● Secure bootstrapping process ○ Automate provisioning a VM's mesh identity
50 pages | 2.19 MB | 1 year ago
Istio Security Assessment
…urity-issues/: This section has a lot of good information but appears to be designed to provide support to security problems after they happen or guidance on error messages. This is a great goal and should … towards less “fun” tasks such as documentation by building social events or incentivizing community support with some token of appreciation. This has historically been a successful way of getting new people … traffic routing rules to apply when a host is addressed. They support matching on various criteria including URI paths and header values and support sending traffic to a specific in-cluster destination or returning …
51 pages | 849.66 KB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
… monitor and mount secrets under istio-system to ingress gateway which contains credentials for https support of multi tenants. • Knative has knative-ingress-gateway for external access and knative-local-gateway … tuning • Performance Criteria: the platform has multiple shard k8s clusters, each cluster should support 1000 sequential (interval 5s) Knative service provisionings with route ready time <= 30s. Type total … with dev release with flow control fix looks great, ingress_ready p100 < 30s o [Istio 1.9.x] Support for backpressure on XDS pushes to avoid overloading Envoy during periods of high configuration churn
23 pages | 2.51 MB | 1 year ago
Canary Release Practice for Kubernetes Container Applications Based on Istio
… to connect, manage, and secure microservices. The Istio project. Istio from a microservices perspective: the evolution of governance forms. Node 1: svc1, own business logic, SDK, Sidecar, service governance; Node 2: svc2, own business logic, SDK, Sidecar, service governance. Communication foundation: service discovery, load balancing, circuit breaking and fault tolerance, dynamic routing … for (encapsulation++) { application_intrusion--; application_intrusion--; governance_location--; } Istio from a microservices perspective: the service mesh; the service mesh control plane. Istio from the infrastructure (Kubernetes) perspective: service access. Node: svca, svcc, svcb.ns, svcc.ns, svcb, svcd, svce, svce.ns, svcd.ns, svcd.ns, Kube-proxy, Kube-APIServer, ServiceIp, Backend. Istio & Kubernetes: combining the architectures. Kube-APIServer, Etcd, istioctl / kubectl, Pilot, Envoy, SVC, Pod, Node, Envoy, SVC, Pod, Node, Envoy, SVC, Pod, list/watch (Service, Endpoints, Pod), user. Istio & Kubernetes: unified service discovery
38 pages | 14.93 MB | 1 year ago
Istio + MOSN: Exploring the Dubbo Scenario
…nject and Pilot become Istiod. Functions: • Fetch resources from the different platforms (Kubernetes, Console) (in Kubernetes the Informer mechanism is used to pick up changes to Node, Endpoint, Service and Pod) • Trigger the push flow according to user configuration (CRs, MCP push, files). Push flow: • Record the changed resource types • Reorganize local data according to the changed resource types … patch • Envoy parses the Service and Method in the Dubbo protocol • Forwards traffic to the corresponding Provider according to the routing policy configuration • Extended through WASM. Huawei Cloud: https://support.huaweicloud.com/bestpractice-istio/istio_bestpractice_3005.html … Transformation plan 2: MOSN + Dubbo-go • MOSN
25 pages | 3.71 MB | 6 months ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
… requiring users to add these to their application code. It also offers more advanced features to support A/B testing, canary deployments, rate limiting, access control, encryption and end-to-end authentication … happened. https://github.com/istio/istio/blob/a275113235b95a10ace56b8bef5d69278513bcc1/security/pkg/nodeagent/caclient/providers/google/client.go#L124 func (cl *googleCAClient) Close() { if cl.conn
55 pages | 703.94 KB | 1 year ago
Istio Meetup China: Service Mesh Security, Understanding Istio CNI
Networking and CNI; race condition issues in Istio CNI during node bootstrap; community solutions to Istio CNI; CNI basics. Kube Proxy: exists on each node and manages iptables. IPTables: responsible for translating … container (faster startup speed). Taint the node when Istio CNI has not been installed, and untaint the node when it is ready. Inspired by the planned Kubernetes extension (Node Readiness Gate). Useful links: CNI beta … beta RFC, Istio CNI Race Condition Mitigation, CNI beta Graduation, Kubernetes Node Readiness Gates. Q&A @tetrateio Tetrate https://tetrate.io THANK YOU For any further queries, feel free to contact us at …
19 pages | 3.17 MB | 1 year ago
Canary Release Practice for Kubernetes Container Applications Based on Istio
… connect, manage, and secure microservices. The Istio project. Istio from a microservices perspective: the evolution of governance forms. Node 1: svc1, own business logic, SDK, Sidecar, service governance; Node 2: svc2, own business logic, SDK, Sidecar, service governance. Communication foundation: service discovery, load balancing, circuit breaking and fault tolerance, dynamic routing … for (encapsulation++) { application_intrusion--; application_intrusion--; governance_location--; } Istio from a microservices perspective: the service mesh; the service mesh control plane. Istio from the infrastructure (Kubernetes) perspective: service access. Node: svca, svcc, svcb.ns, svcc.ns, svcb, svcd, svce, svce.ns, svcd.ns, svcd.ns, Kube-proxy, Kube-APIServer, ServiceIp … Istio & Kubernetes: combining the architectures. Kube-APIServer, Etcd, istioctl / kubectl, Pilot, Envoy, SVC, Pod, Node, Envoy, SVC, Pod, Node, Envoy, SVC, Pod, list/watch (Service, Endpoints, Pod), user. Istio & Kubernetes: unified service discovery
34 pages | 2.64 MB | 6 months ago
Istio Project Update
verify-install, upgrade Istio, simplify install, helm3 … Pilot, Mixer, Citadel, Node Agent, Injector, Galley, istio-system, Node, Pod, Sidecar, Pilot Agent, Ingress, Egress. Istio Single Cluster Simplified
22 pages | 1.10 MB | 1 year ago
Accelerate Istio with eBPF
Meetup China. Performance Comparison: refactored Istio benchmarking tool ◦ Two pods run on the same node. Configurations ◦ mTLS enabled ◦ Number of Envoy workers: 2 ◦ Response payload size: 1KB. Latency … address and back (inbound) ○ eBPF program also tracks connections from Envoy to Envoy (in the same node) and back (envoy to envoy) ● Works with Istio >= 1.10 ● CNI agnostic and should work with all CNIs
15 pages | 591.60 KB | 1 year ago