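Service Mesh in China
#IstioCon Service Mesh in China 宋净超 (Jimmy Song) Tetrate #IstioCon Agenda Developer Advocate at Tetrate; former cloud native evangelist at Ant Group; CNCF Ambassador; founder of ServiceMesher and the Cloud Native Community https://jimmysong.io • ServiceMesher #IstioCon ServiceMesher is the core force promoting Service Mesh technology in China. Istio is the most popular Service Mesh implementation in China. May 2018 to present #IstioCon ServiceMesher milestones • December 2017: a meetup initiated by 数人云, "Next-generation microservices: Service Mesh is Coming" • May 2018: servicemesher launched the Istio official website translation effort • March 2019: the community launched the collaborative "Istio Handbook" writing effort. Translation -> offline exchange (experience sharing) -> original content, practice and upstream contribution #IstioCon Service Mesh Meetup • Nine in-person meetups • Held in Beijing, Shanghai, Guangzhou, Shenzhen, Hangzhou and Chengdu • 38 speakers • 41 talks in total Meetup slides download: https://github
0 码力 | 13 pages | 2.66 MB | 1 year ago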
Your laptop as part of the service mesh
#IstioCon Your laptop as part of the service mesh by Lorenzo Fundaró SRE @ Omio #IstioCon What’s on the menu today ● EnvoyFilter in practice ● Demo ● Inspiration #IstioCon Questions #istiocon through the call chain #IstioCon Demo time #IstioCon Thank you ! ● Your laptop as part of the service mesh @ Medium ● Reference implementation and run-it-yourself-demo at github.com/omio-labs/devro
0 码力 | 30 pages | 555.24 KB | 1 year ago
Istio Service Mesh at Enterprise Scale
Vrushali Joshi Istio Service Mesh at Enterprise Scale Feb, 2021 Who are we? Founded 5,000 Developers 50M Customers 1993 IPO $6.8B FY19 Revenue 20 Locations 1983 Why Service Mesh? Microservices Microservices Kubernetes Service Mesh Istio Monolith Era Intuit Statistics ● 900+ Teams ● 5000+ Developers ● 200+ Clusters ● 7000+ Namespaces ● ~9200 Nodes varies with autoscaling Hub and Spoke Product Info ✓ Security ✓ Visibility ✓ Traffic Shaping ✘ Latency ✘ Single Point of Failure Service Mesh API Gateway Book Info Payments Product Info Proxy Proxy Proxy Proxy +
0 码力 | 12 pages | 1.23 MB | 1 year ago
Service mesh security best practices: from implementation to verification
Anthony Roman, Lei Tang Google April 26, 2022 Service mesh security best practices: from implementation to verification Who are we? Anthony Roman Istio Github: anthony-roman Lei Tang Istio lei-tang Session agenda 1. Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture architecture ● Attack vectors. ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster
0 码力 | 29 pages | 1.77 MB | 1 year ago
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
#IstioCon Extending service mesh capabilities using a streamlined way based on WASM and ORAS 王夕宁 | Alibaba Cloud Service Mesh (ASM) 2 Envoy’s Filter Chain Listener Downstream Filter Filter Filter Cluster Upstrea Controller (Watch & Reconcile) Istio EnvoyFilter CR wasm filter binary file Service Mesh ASM Pod K8s cluster Proxy Service A Volume mount Envoy configuration 17 ASMFilterDeployment CR example ● Create the ASMFilterDeployment Custom Resource 18 yment CR Confirm the Istio EnvoyFilter CR Troubleshooting Enable the wasm capability in ASM Confirm the workload deployment change has taken effect 1. Log in to the proxy container to check whether the wasm filter was mounted successfully 2. Adjust the wasm log level: curl -X POST http://localhost:15000/logging?wasm=debug
0 码力 | 23 pages | 2.67 MB | 1 year ago
Building resilient systems inside the mesh: abstraction and automation of Virtual Service generation
#IstioCon Building resilient systems inside the mesh: abstraction and automation of Virtual Service generation Vladimir Georgiev, Thought Machine #IstioCon Sync calls failures inside the mesh All Service Owners must be aware of the Virtual Services API in order to define their SLOs. ● Potential typing errors when dealing with YAMLs. ● Potential drift between the state of the service API API and the Virtual Service config. ● Hard to manage when having hundreds of services. #IstioCon Abstracting to proto files Annotations API definition Greeting service example #IstioCon Please Build
0 码力 | 9 pages | 1.04 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
How eBay is building a massive Multitenant Service Mesh using Istio Sudheendra Murthy #IstioCon Agenda ● Introduction ● Applications Deployment ● Service Mesh Journey ● Scale Testing ● Future Direction catering to the AZ, e.g., AZ IPAM, Network Load-balancers, etc. ■ Full isolation by confining service failures to AZ boundary AZ 1 AZ 2 AZ n Data Center DC1 K8s Cluster K8s Cluster K8s balancing & Traffic Flow ● Two tiers of hardware Load-Balancers (LB) ● Application-Tier LB ○ K8s service realized on Application-Tier LBs ● Web-Tier LB to control - ○ Percentage of traffic sent to an
0 码力 | 22 pages | 505.96 KB | 1 year ago
Istio is a long wild river: how to navigate it safely
● Istio at Mercari ● Stabilizing Istio ● Adopting Istio Istio at Mercari What Is Mercari? ● Service start: July 2013 ● OS: Android, iOS *Can also be accessed by web browsers ● Usage fee: Free *Commission where individuals can easily sell used items. We want to provide both buyers and sellers with a service where they can enjoy safe and secure transactions. Mercari offers a unique customer experience, Guardrails for Istio 11 Istio sidecar proxy specifications Stabilizing Istio Pod App container Sidecar container All incoming traffic must flow through the sidecar first when entering the pod All outgoing
0 码力 | 69 pages | 1.58 MB | 1 year ago
Istio Security Assessment
Istio and all of its components. Istio is a modern service mesh technology stack often used within Kubernetes clusters to provide service-to-service communication, manages TLS certificates, provides workload common environments such as Kubernetes clusters. • Istio Pilot: The service running within the istiod service that handles service discovery. • Istio Ingress/Egress: Networking controls allowing inbound assessment. A test plan was created which matched areas of code with specific security controls (e.g. service discovery, certificate lifecycle, side car injection) to focus testing efforts. Istio does not currently
0 码力 | 51 pages | 849.66 KB | 1 year ago
Istio Meetup China: Service Mesh Security, Understanding Istio CNI
Tetrate Service Bridge developer, Tetrate.io, 2021-Present Istio Developer(Security SIG), Istio Community, 2020-Present Anthos Service Mesh, Google Inc, 2020 Envoy is an edge and service proxy that industry-standard service mesh control plane that makes it easier to connect, observe, and secure microservices. SkyWalking is an observability power tool that provides distributed tracing, service mesh telemetry Basics Kube Proxy: exists in each node and manage iptable IPTables: Responsible for translating service IP addresses (which are static) into Pod IP addresses CNI plugins: allocate ip addresses for workloads
0 码力 | 19 pages | 3.17 MB | 1 year ago