Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
Info K8s Cluster Capacity 12 nodes in 3 zones, 16 vCPU * 64 Gi MEM Knative Version Knative 0.16, 0.17, 0.18 Istio Version 1.5, 1.6, 1.7 Istio scalability optimization during Knative Service provisioning enabled • Enable Istio mesh on Knative – Impact without optimization #IstioCon o With istio CNI plugin, we can move the iptables configuration parts to CNI. But another init- container, the istio-validation injection template. Mitigations: o When adding new worker node, make sure daemonset pod of istio CNI plugin is up and running before knative pods scheduling on the node. o Crontab job could help to detect
0 credits | 23 pages | 2.51 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
tes.Bytes()) } func main() { maliciousGzip := createMaliciousGzip() // Below is a minimized version of https://github.com/istio/istio/blob/master/operator/pkg/util/tgz/tgz.go#L70 (Extract()) uncompressedStream m/httpfetcher.go#L138 // wasm plugin should be the only file in the tarball. func getFirstFileFromTar(b []byte) []byte { buf := bytes https://github.com/solo-io/wasm/blob/master/spec/spec-compat.md#specification const wasmPluginFileName = "plugin.wasm" // Search for the file walking through the archive. tr := tar.NewReader(gr) for { h, err
0 credits | 55 pages | 703.94 KB | 1 year ago
Accelerate Istio-CNI with ebpf
of ebpf ● Acceleration for Inbound/Outbound/Envoy to Envoy #IstioCon Istio-CNI ● The Istio CNI plugin performs the Istio mesh pod traffic redirection in the Kubernetes pod life-cycle’s network setup NET_ADMIN and NET_RAW capabilities for users deploying pods into the Istio mesh. ● The Istio CNI plugin replaces the functionality provided by the istio-init container. #IstioCon Tcp/ip stack overhead
0 credits | 15 pages | 658.90 KB | 1 year ago
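Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer 7 Traffic in an Istio Service Mesh
Demo: Dubbo protocol support ● Dubbo2Istio connects to Dubbo service registries, supporting: ○ ZooKeeper ○ Nacos ○ Etcd ● The Aeraki Dubbo Plugin implements control-plane management and supports the following capabilities: ○ Traffic management: ■ Layer 7 (request-level) load balancing ■ Locality-aware load balancing ■ Circuit breaking ■ Version-based routing ■ Method-based routing ■ Based on support a new Layer 7 protocol in ● Add RDS capability for Layer 7 protocols such as Dubbo, Thrift and others #IstioCon MetaProtocol: control plane Traffic management rules are delivered on the control plane through the Aeraki MetaProtocol Plugin: 1. Aeraki retrieves ServiceEntry from Istio and determines the protocol type from the port name (e.g. tcp-metaprotocol-thrift) 2
0 credits | 29 pages | 2.11 MB | 1 year ago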
IstioCon2023 Welcome Keynote
sail What about the rest of the boat? Upcoming Talks: Aperture - Load Management Meshery - WASM plugin management Argo - Multi-cluster orchestration JP Morgan SLO Generation Reflecting on the Value
0 credits | 14 pages | 1.31 MB | 1 year ago
Gray Release Practice for Kubernetes Container Applications Based on Istio
service | "unknown" source_version: source.labels["version"] | "unknown" destination_service: destination.service | "unknown" destination_version: destination.labels["version"] | "unknown" response_code: Gray release: blue-green Gray release: A/B Testing Gray release: Canary releases Gray release: based on Kubernetes RC Version2 SVC SVC Pod1 Pod2 Pod3 SVC Pod1 Pod2 Version1(canary) 40% svcB svcA KubeAPIServer 60% Scheduler Controller- name: v2 weight: 80 Version2 Envoy SVC Envoy SVC Pod1 Pod2 Pod3 Envoy SVC Pod1 Pod2 Version1(canary) 20% svcB svcA Rules API Pilot 80% Istio Gray release: based on request content Version2 Envoy SVC Envoy SVC
0 credits | 38 pages | 14.93 MB | 1 year ago
Gray Release Practice for Kubernetes Container Applications Based on Istio
service | "unknown" source_version: source.labels["version"] | "unknown" destination_service: destination.service | "unknown" destination_version: destination.labels["version"] | "unknown" response_code: Gray release: blue-green Gray release: A/B Testing Gray release: Canary releases Gray release: based on Kubernetes RC Version2 SVC SVC Pod1 Pod2 Pod3 SVC Pod1 Pod2 Version1(canary) 40% svcB svcA KubeAPIServer 60% Scheduler Controller- name: v2 weight: 80 Version2 Envoy SVC Envoy SVC Pod1 Pod2 Pod3 Envoy SVC Pod1 Pod2 Version1(canary) 20% svcB svcA Rules API Pilot 80% Istio Gray release: based on request content Version2 Envoy SVC Envoy
0 credits | 34 pages | 2.64 MB | 6 months ago
Istio Security Assessment
Istio Security Assessment Google August 6, 2020 – Version 1.1 Prepared for Arun Kumar R Prepared by Mark Manning Jeff Dileo Divya Natesan Andy Olsen Feedback on this project? https://my.nccgroup Synopsis In the summer of 2020, Google enlisted NCC Group to perform an assessment on the open-source version of Istio and all of its components. Istio is a modern service mesh technology stack often used within NCC-GOIST2005-003 on page 14, the Default production profile could be updated or replaced by a hardened version that describes each of the security controls in more detail. See Appendix B on page 40. 8 | Google
0 credits | 51 pages | 849.66 KB | 1 year ago
Istio is a long wild river: how to navigate it safely
● Moving HTTP/2 load-balancing from client-side to Envoy ● Label selector updates for app and version labels ● Istio default retry policy ● Istio proxy performance and load testing ● Abstracting the Track 48 Label selector updates for app and version labels Adopting Istio ● Is there anyone in the audience who was prescient enough to use the app or version before starting Istio? ● Chances are huge app and version labels Adopting Istio First, headless services, now labels... Who said that migrating to Istio is only about adding sidecars?? 50 Label selector updates for app and version labels
0 credits | 69 pages | 1.58 MB | 1 year ago
13 Istio Traffic Management Principles and Protocol Extension - Zhao Huabing
headers) TARS ServantName ServantName, FuncName, Context Dubbo service name service name, service version, service method Any RPC Protocol service name in message header some key:value pairs in message header • Dubbo version-based routing • Dubbo traffic splitting • Future plans: • Support for other protocols: Thrift, Redis, TARS … • Provide managed Aeraki in TCM, offering customers third-party protocol support Aeraki project roadmap Dubbo [Done] Default routing [Done] Version-based routing Traffic splitting [Todo] Header based routing [Todo] RDS (requires data-plane cooperation) Thrift [Done] Default routing [Done] Version-based routing [Done] Traffic splitting [Todo] Header based routing [Todo] Rate limit [Todo] RDS (requires data-plane cooperation)
0 credits | 20 pages | 11.31 MB | 6 months ago