Preserve Original Source Address within Istio
IstioCon talk by Zhonghu Xu (@hzxuzhonghu), an open source engineer from Huawei Cloud. GitHub: https://github.com/hzxuzhonghu. Open source enthusiast, previously an active Kubernetes contributor and a Volcano maintainer. Agenda: 1. TCP original address preservation (background, demo); 2. HTTP original address preservation. What is the use case of the original address? 1. Sticky sessions based on IP hash, traffic…
29 pages | 713.08 KB | 1 year ago
Istio Security Assessment
Synopsis: In the summer of 2020, Google enlisted NCC Group to perform an assessment of the open-source version of Istio and all of its components. Istio is a modern service mesh technology stack… commonly used by administrators, and the assessment was to provide perspective on whether its security features sufficiently address the concerns they are designed to cover. Four consultants over a period of five weeks… The environment was deployed following the Istio documentation using istioctl. The assessment included many open source components that were actively being updated during testing, so testers used the latest release at…
51 pages | 849.66 KB | 1 year ago
IstioCon 2021 Report
…microservices with Istio step by step; Best practice: from Spring Cloud to Istio; Preserve original source address within Istio; Performance tuning and best practices in a Knative based, large-scale… 87% of Istio users were new users at the end of February 2021. Impact for the project (source: http://eng.istio.io/). The team (1/3): Organizer's Committee co-lead Aizhamal Nurmamat kyzy (Google)…
18 pages | 912.89 KB | 1 year ago
Your laptop as part of the service mesh
…a contract match (Envoy Lua filter fragment from the slides):
    address = contract["foo"]
    headers = request_handle:headers()
    -- send the request somewhere else
    response = request_handle:httpCall(address, headers, ..)
    -- respond immediately and don't proxy to the original Foo
    request_handle:respond(response)
  end
Ouch! Your laptop is not part of the mesh club. A dummy proxy for the mesh…
30 pages | 555.24 KB | 1 year ago
Envoy Internals and Production Pitfalls (Envoy原理介绍及线上问题踩坑)
…performs route selection and related functions and creates the upstream connection pool. • The modified and encoded HTTP message is sent over the network to the peer Envoy's container network. • iptables classifies it as inbound traffic, so it enters the virtualInbound port. • ORIGINAL_DST restores the original destination; the listener filters configured on virtualInbound then locate the matching local server address and a request to localhost is issued. • The request is processed by the local server and the response is returned. Listener filters and network filters: http_inspector (listener filter) detects whether the application-layer protocol is HTTP and whether it is HTTP/1.x or HTTP/2, used to match network filters; envoy.listener.original_dst (listener filter) reads the pre-DNAT destination service address from the socket attribute SO_ORIGINAL_DST set by iptables, as the input for subsequent load balancing; envoy.filters.network.tcp_proxy (L4 network filter)… The main framework code lives in the envoy project: process startup, threading, networking, the core filter framework, observability data handling, etc. • The startup entry point is under source/exe in the envoy project. • The proxy project mainly provides the required WASM extensions such as metadata_exchange and stats. • In the envoy project, filter plugins mainly live under source/extensions/filters: the listener directory holds listener filters, the network directory holds L4 network filters, http…
30 pages | 2.67 MB | 1 year ago
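The inbound path described in that snippet (iptables REDIRECT to virtualInbound, SO_ORIGINAL_DST recovering the pre-DNAT target, the proxy then dialing the application on loopback) can be reproduced in a few lines. The following is an added example, not Envoy's or Istio's own code: it decodes the struct sockaddr_in the kernel returns for SO_ORIGINAL_DST and derives the local upstream the way virtualInbound does. The constants SOL_IP = 0 and SO_ORIGINAL_DST = 80 are the Linux values; the virtualInbound port number 15006 and the sample addresses are assumptions made for the demo, not taken from the page.

```python
import socket
import struct

# Linux netfilter socket option; the Python stdlib does not expose SO_ORIGINAL_DST,
# so the numeric values are defined here (SOL_IP = 0, SO_ORIGINAL_DST = 80).
SOL_IP = 0
SO_ORIGINAL_DST = 80

# Assumption for the demo (not stated on the page): the sidecar's virtualInbound
# listener is on port 15006, where iptables REDIRECTs inbound traffic.
VIRTUAL_INBOUND_PORT = 15006


def parse_original_dst(raw: bytes) -> tuple:
    """Decode the sockaddr_in returned by getsockopt(SOL_IP, SO_ORIGINAL_DST).

    Layout (16 bytes): sa_family (u16, host byte order), sin_port (u16, network
    byte order), sin_addr (4 bytes), then 8 bytes of zero padding.
    """
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    (family,) = struct.unpack_from("=H", raw, 0)
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d (IPv4 only here)" % family)
    (port,) = struct.unpack_from("!H", raw, 2)
    addr = socket.inet_ntoa(raw[4:8])
    return addr, port


def original_dst(conn: socket.socket) -> tuple:
    """What the original_dst listener filter does: ask the kernel for the pre-DNAT target."""
    raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16)
    return parse_original_dst(raw)


def inbound_upstream(conn_dst_port: int, orig_dst: tuple) -> tuple:
    """Choose the local upstream for an inbound connection, as virtualInbound does.

    The connection arrived on the virtualInbound port, but the application listens
    on the original port on loopback, so the proxy dials 127.0.0.1:<original port>.
    """
    if conn_dst_port != VIRTUAL_INBOUND_PORT:
        raise ValueError("port %d is not the inbound redirect port" % conn_dst_port)
    _pod_ip, orig_port = orig_dst
    return "127.0.0.1", orig_port


def make_sockaddr_in(addr: str, port: int) -> bytes:
    """Build the 16-byte sockaddr_in the kernel would hand back (for the offline demo)."""
    return (struct.pack("=H", socket.AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(addr)
            + bytes(8))


if __name__ == "__main__":
    # Constructed sample: a client connected to pod 10.244.1.5:9080 and iptables
    # redirected the connection to the sidecar on 15006 (values are made up).
    raw = make_sockaddr_in("10.244.1.5", 9080)
    orig = parse_original_dst(raw)
    print("original destination:", orig)
    print("proxy dials:", inbound_upstream(VIRTUAL_INBOUND_PORT, orig))
```

On a real sidecar the same query is made per accepted connection, which is also why a connection that was not DNATed by iptables (for example one opened directly to the proxy port) yields no usable original destination and must be treated as an error rather than forwarded blindly.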
Istio Control Plane Components Explained (Istio控制平面组件原理解析)
Mixer attribute vocabulary (Attribute | Type | Description | Kubernetes example):
  source.id | string | Platform-specific unique identifier for the source workload instance. | kubernetes://redis-master-2353460263-1ecey.my-namespace
  source.ip | ip_address | Source workload instance IP address. | 10.0.0.117
  source.labels | map[string, string] | A map of key-value pairs attached to the source instance. | version => v1
  destination.port | int64 | The recipient port on the server. | 8080
  … | … | Server IP address. | …
  request.time | timestamp | The timestamp when the destination receives the request. This should be equivalent to Firebase "now". | …
Raw reported data, req.Attributes: "strings": {"131": 92, "152": -1…
30 pages | 9.28 MB | 6 months ago
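The "strings": {"131": 92, "152": -1} fragment above is Mixer's compressed attribute encoding: both keys and values are word indexes, a non-negative index refers to the global dictionary shipped with Istio and a negative index -(i + 1) refers to entry i of the per-message "words" list. The decoder below is an added example, not Istio's or Mixer's code; the global dictionary contents, the index-to-name assignments (131, 152, 160) and the sample message are constructed for the demo and do not reproduce the real dictionary.

```python
from typing import Dict, List

# Constructed global dictionary for the demo. The real Mixer global dictionary is a
# fixed list shipped with Istio; only the indexing rule is relied on here.
GLOBAL_WORDS: Dict[int, str] = {
    92: "kubernetes://istio-ingressgateway-7d6c.istio-system",
    131: "source.id",
    152: "destination.id",
    160: "destination.port",
}


def resolve_word(index: int, global_words: Dict[int, str], local_words: List[str]) -> str:
    """Map a word index to its string, validating the index in both directions."""
    if index >= 0:
        if index not in global_words:
            raise ValueError("index %d not in global dictionary" % index)
        return global_words[index]
    local = -index - 1          # -1 -> words[0], -2 -> words[1], ...
    if local >= len(local_words):
        raise ValueError("local index %d out of range for %d words" % (index, len(local_words)))
    return local_words[local]


def decode_compressed_attributes(msg: dict, global_words: Dict[int, str] = GLOBAL_WORDS) -> dict:
    """Expand a CompressedAttributes-style message into {attribute name: value}.

    Handles the two map types the snippet touches: "strings" (name index -> word index)
    and "int64s" (name index -> integer). Keys may be JSON strings, as in the dump.
    """
    local_words = list(msg.get("words", []))
    out = {}
    for k, v in msg.get("strings", {}).items():
        name = resolve_word(int(k), global_words, local_words)
        out[name] = resolve_word(int(v), global_words, local_words)
    for k, v in msg.get("int64s", {}).items():
        out[resolve_word(int(k), global_words, local_words)] = int(v)
    return out


# Constructed sample message (not captured from a real Mixer client): one per-message
# word, two string attributes and the destination.port int64 from the table above.
SAMPLE_MESSAGE = {
    "words": ["kubernetes://productpage-v1-6b746f74dc-9pq5m.default"],
    "strings": {"131": 92, "152": -1},
    "int64s": {"160": 8080},
}

if __name__ == "__main__":
    for name, value in decode_compressed_attributes(SAMPLE_MESSAGE).items():
        print("%-18s = %r" % (name, value))
```

The range checks matter because the attribute message comes from the data plane: an out-of-range or negative index that is simply used as a list subscript would either raise an unhandled exception or, with Python's negative indexing, silently return the wrong word.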
Observability and Istio Telemetry
Storage types (TYPE | DESCRIPTION): INVENTORY: inventory includes service, service_instance, endpoint and network_address; they are metadata for SkyWalking, don't delete these. INDICATOR: all metric data belong to this… …com/apache/incubator-skywalking-query-protocol. Ecosystem powered by GraphQL and the SkyWalking core: • open source UI project for SkyWalking • https://github.com/TinyAllen/rocketbot. ServiceMesher WeChat official account; SOFAStack WeChat official account.
21 pages | 5.29 MB | 6 months ago
Full-stack service mesh: Aeraki helps you manage any layer-7 traffic in the Istio service mesh (全栈服务网格 - Aeraki 助你在 Istio 服务网格中管理任何七层流量)
Management for non-HTTP/gRPC protocols today covers only layer 3 to layer 6:
● Routing based on headers below layer 7 ○ IP address ○ TCP port ○ SNI
● Observability: only TCP metrics ○ TCP sent/received bytes ○ TCP opened/closed
● Security ○ connection-level authentication: mTLS ○ connection-level authorization: identity / source IP / destination port ○ request-level auth is impossible
BookInfo application with AwesomeRPC…
Istio is a long wild river: how to navigate it safely
…minimize the variance. 2. Adjust the HPA threshold to match the original absolute CPU target (700m): Target % = original absolute CPU target / sum of CPU resources = 63.6%. Define HPA target…
69 pages | 1.58 MB | 1 year ago
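The point of that step is that a CPU-utilization HPA target is a percentage of the sum of the CPU requests of every container in the pod, so injecting a sidecar changes the percentage that corresponds to the same absolute target. The helper below is an added example, not from the talk: it parses Kubernetes CPU quantities and recomputes the HPA target percentage from the absolute target and the per-container requests. The requests used in the demo (1000m for the application, 100m for istio-proxy) are assumptions chosen so that 700m works out to the 63.6% quoted above.

```python
from fractions import Fraction
from typing import Dict


def parse_cpu(quantity: str) -> Fraction:
    """Parse a Kubernetes CPU quantity ('700m', '1', '0.5', '2500m') into cores, exactly."""
    q = quantity.strip()
    if not q:
        raise ValueError("empty CPU quantity")
    if q.endswith("m"):
        return Fraction(q[:-1]) / 1000
    return Fraction(q)


def hpa_target_percent(absolute_target: str, container_requests: Dict[str, str]) -> float:
    """HPA averageUtilization that equals `absolute_target` for a pod with these requests.

    Target % = absolute CPU target / sum of CPU requests of all containers * 100.
    The pod-level Resource metric of the HPA sums requests over every container,
    which is why the sidecar's request shifts the percentage.
    """
    total = sum((parse_cpu(r) for r in container_requests.values()), Fraction(0))
    if total == 0:
        raise ValueError("pod has no CPU requests; utilization is undefined")
    return float(parse_cpu(absolute_target) / total * 100)


if __name__ == "__main__":
    target = "700m"
    # Assumed requests for the demo (not from the talk).
    before = {"app": "1000m"}
    after = {"app": "1000m", "istio-proxy": "100m"}
    print("without sidecar: %.1f%%" % hpa_target_percent(target, before))   # 70.0%
    print("with sidecar:    %.1f%%" % hpa_target_percent(target, after))    # 63.6%
```

Keeping the old 70% target after injection would let the application run 70% of 1100m = 770m before scaling, i.e. later than intended; recomputing the threshold from the absolute target keeps the scaling point where it was.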
Accelerate Istio-CNI with eBPF
Problem: in the inbound case, the 4-tuple key may conflict because the source and destination IP addresses are the same. Use the pod IP as the hash key: generating a unique key from pod_ip is one way to distinguish…
15 pages | 658.90 KB | 1 year ago