Introduction to Envoy Internals and Pitfalls Hit in Production
Copyright © Huawei Technologies Co., Ltd. All rights reserved. … About the speaker: Zhang Wei, technical expert for the Huawei Cloud container mesh data plane, with more than 10 years of middleware and high-performance system development experience; as architect and core developer he has shipped a transport network management system, the Tuxedo transaction middleware, the ts-server multimedia transcoding service, the GTS high-performance transaction cloud service, the SC high-performance registry, A. … • The earliest non-intrusive service mesh was Linkerd in 2016. • In 2017 Google, IBM and Lyft released Istio. Istio is now the de facto standard for service meshes and was one of the top 10 fastest-growing open source projects on GitHub in 2019; the latest version is 1.10. … Envoy introduction [figure: traffic-interception diagram; recoverable labels: upstream connection pool, localhost, app2, lo, not this POD / not Envoy itself, DNAT, UID=1337, skip ordinary ports, DNAT, lo, network send] • outbound direction: traffic for calls initiated inside this POD to the outside • the outbound direction adds the ISTIO_OUTPUT and ISTIO_REDIRECT chains.
30 pages | 2.67 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
… using a deprecated library ● 1 race condition … Istio Security Audit, 2023. Notable findings: Issue 10, “H2c handlers are uncapped”, was an interesting finding in that it affected Google's managed Istio … the issue, including Google's managed Istio offering, which has MultiplexHTTP configured. After issue 10 had been reported to the Istio team, Istio maintainer John Howard assessed Golang's recommended solution … Istio team. Subsequent issues were added ad hoc to the same doc. October 3 2022: Status meeting #2. October 10 2022: Status meeting #3. October 17 2022: Status meeting #4. December 15 2022: All issues have been fixed
55 pages | 703.94 KB | 1 year ago

宋净超: From Open Source Istio to Enterprise-Grade Services: How to Adopt a Service Mesh in the Enterprise
… Twitter, & VMWare ● Top contributors to Envoy and Istio ● Wrote Istio: Up and Running, NIST SPs 800-204A, NIST SP 800-204B ● Sheng Wu, Creator, SkyWalking ● Tetrate's products are built on top of the upstream … Certified Istio Admin, En … https://academy.tetrate.io/ Tetrate Academy … Wrap up • We built products on top of the upstream Istio. • We aim to solve the complexity of Istio and build a zero-trust network for
30 pages | 4.79 MB | 6 months ago

Is Your Virtual Machine Really Ready-to-go with Istio?
… transport protocol ● A little like TCP + TLS, but built on top of UDP ○ Uses UDP like TCP uses IP ○ Adds connections, resends and flow control on top ○ Provides independent streams ■ Extremely similar to
50 pages | 2.19 MB | 1 year ago

IstioCon 2021 Partner Packages
Keynotes ● 6 Keynotes for US TZ ● 2 Keynotes for China TZ. Lightning talks ● 8 lightning talks of 10 minutes each for US TZ ● 4 for China TZ. Tech Talks ● 14 tech talks of 40 minutes each for US … participate in a raffle of 10 gift cards ● Event attendees will need to solve a scavenger hunt (quick questions, and visits to different places at Gather.town) ● The first 10 to solve the hunt will get a gift card: 10 x $100 per gift card ($1000 USD) per social event. Social event gift cards. Available sponsorship: 2 ● We give trivia winners a gift for the first 3 places. ● We will name the trivia
23 pages | 3.18 MB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
… Traffic Splitting, blue/green deployment. How Istio is leveraged in a Knative based platform (90% / 10% split):
    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    spec:
      gateways:
      - knative-serving/k cluster.local
      http:
        route:
        - destination:
            host: {revision-3}.51ch62kjrnd.svc.cluster.local
          weight: 10
        - destination:
            host: {revision-2}.51ch62kjrnd.svc.cluster.local
          weight: 90
Knative Service Inspection … 00ms and PILOT_DEBOUNCE_MAX=10s are the env vars on pilot that can be tuned. o Setting PILOT_DEBOUNCE_AFTER=1s helps under our workload (we tested with 100ms, 1s, 2s, 5s, 10s). o With 800 Knative Services
23 pages | 2.51 MB | 1 year ago

Istio Security Assessment
… 7, Configuration 5, Cryptography 1, Data Exposure 3, Data Validation 2. Component Breakdown: Istio 10, Istio Sidecar 3, Istioctl 2, Pilot 3. Key: Critical, High, Medium, Low, Informational. 3 | Google Istio … the following two commands: curl -v "http://$GATEWAY/productpage" and curl -v "http://$GATEWAY/login". 10. Observe that the first command now returns a 404 error and the second command returns a redirect to … wherein the client could perform the same VirtualService operation (e.g. create, update, delete, etc.). 10 | Google Istio Security Assessment, Google / NCC Group Confidential. Finding: Ingress Gateway Configuration
51 pages | 849.66 KB | 1 year ago

IstioCon2023 Welcome Keynote
Managed Infra 9:25 · Roadmap Update 9:35 · Pre-Sail Checks 10:10 · Fine Grained RBAC + NGAC 9:25 · Schedule Preview · Istio Fault Tolerance 11:25 · Ambient Q&A 10:50 · Istio Feature Gates 12:00 · Ambient + Pod Identity
14 pages | 1.31 MB | 1 year ago

Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
… solution? – Leverage the Istio sidecar to listen to API traffic data and create tests from the data – 10x speed in creating API tests • Can also be sped up by just navigating the application UI – Create services … Configure system under test … Forward egress requests to mock services | CONFIDENTIAL 10 … Capture API interactions with Lua filters [figure: Service A, Service B and Service C, each behind a Proxy, inside the Mesh] … Velocity, Scale: API Functional & Integration Testing. Improve productivity of each of your developers: 10x API test and mock creation speed … DEMO … Download MeshD and
21 pages | 1.09 MB | 1 year ago

Istio Control Plane Component Internals
Official blog: Envoy hot restart. When does a hot restart happen? Monitoring envoy: • obtain the abnormal exit status • the rescue mechanism is triggered • the rescue token count is decremented by one (10 in total) • the restart runs after 2^(n-1) × 200 ms (why not immediately?) • a failure triggers the rescue mechanism again • once all 10 tokens are used up without a successful rescue, give up and exit. Graceful shutdown of envoy: • K8s sends a SIGTERM signal to let the container shut down gracefully • Pilot-Agent receives the signal and, via con … • the task is put into a queue • a Worker processes the task. Jaeger architecture design. Impact of Mixer blocking on envoy; load-test environment: • simulate delayed interface responses • use the hey load tool • same load • warm up with hey first • take the median of 10 data sets. Solutions: • Option 1 ◦ a choice between business performance and logging: when blocking occurs, drop logs to preserve performance • Option 2 ◦ use a topic subscription pattern to reduce blocking. Istio_Ca: security certificate management (ICA) • certificate generation
30 pages | 9.28 MB | 6 months ago