Set Sail for a Ship-Shape Istio Release
#IstioCon Set Sail for a Ship-Shape Istio Release Brian Avery / twitter: @briansvgs / Red Hat Senior Software Engineer Eric Van Norman / twitter: @kf0s / IBM Senior Software Engineer #IstioCon First you consuming Istio? ○ Istio 1.9 was recently released. ○ How soon will you investigate this release? ○ How soon before you will use it in production? #IstioCon Feedback Across ● GitHub issues Feedback ● Users found upgrades challenging ● Releases were inconsistent ○ Release and Upgrade Notes ○ Release date slip ○ Release with known issues ○ Performance and resource usage ● Istio community didn’t
0 码力 | 18 pages | 199.43 KB | 1 year ago

Istio Security Assessment
open source components that were actively being updated during testing so testers used the latest release at the time of testing which was 1.6.5 along with specific commits for the code base shown below: 1.4 but in Istio 1.5, it was disabled again with notes that it should be replaced by a DNS-based secure signing method. So the updated change log notes: “Despite the naming, in Istio 1.5 when control that is not managed by Istio 1 https://istio.io/latest/news/releases/1.5.x/announcing-1.5/upgrade-notes/#control-plane-security 5 | Google Istio Security Assessment Google / NCC Group Confidential kubectl
0 码力 | 51 pages | 849.66 KB | 1 year ago

Probing at the Edge of the Mesh: An Enterprise Guide to Testing the Waters with Istio
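…Istio's current prominent problems • API stability: traffic management is still only v1alpha3, and shipping a 1.0 release on alpha features seems rather rare. • Release schedule and quality: major releases have been delayed by months, and as far as I know a release has been withdrawn twice. • The age-old problem: the latency added by the extra Sidecar layer. • Pilot performance has had problems throughout the last several releases. • Mixer: in my personal view the API is rather messy and the refactoring risk is fairly high. Should you still use Istio? To stress once more: No Freestyle • Non-functional requirements: quality-of-service parameters such as concurrency, success rate and response time. • Failure-handling requirements: failure contingency plans. • Impact scope analysis. • Choose the version to test: study the open Issues and the Release Notes. Test plan deployment • Istio deployment • Review the cluster environment • Tune resource parameters • Tune affinity parameters • Tune HPA • Review log output and debug switches • Trim Istio features • Deploy the fallback workload • Deploy the trial service
0 码力 | 19 pages | 11.41 MB | 5 months ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio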
gateway MEM has linear growth, and it consumes ~=750k for 1 Knative Service (#25145). The envoy mem release fix included in Istio 1.6.0+ resolved this issue. o Istiod MEM bumped with large numbers of Knative provisioning • Envoy overload issue still exists 800 Knative Services #IstioCon o 1400 total with dev release with flow control fix looks great, ingress_ready p100 < 30s o [Istio 1.9.x] Support for backpressure PILOT_ENABLE_FLOW_CONTROL environment variable in Istiod. o Final solution is envoy delta-XDS push in future Istio release. Istio scalability optimization during Knative Service provisioning • support for backpressure
0 码力 | 23 pages | 2.51 MB | 1 year ago

Istio is a long wild river: how to navigate it safely
nodes Istio at Mercari 7 Istio at Mercari Apr 2019 Started Istio PoC Sep 2019 First release in production Feb 2021 ~25% production services ~50% development services migrated to Istio use the migration pipeline when onboarding with Istio This approach is quite similar to canary release so you gain time by investing into it 52 Istio default retry policy Adopting Istio Another good managing various features ○ Full Istio onboarding (lifecycles, injection…) ○ True Managed Canary Release with Spinnaker ○ And more coming in the future! 68 Takeaways Adopting Istio ● Headless services
0 码力 | 69 pages | 1.58 MB | 1 year ago

Optimal Canary Deployments using Istio and how it scores over Spring Cloud and Kubernetes
Cloud and Kubernetes Presented by Archna Gupta What is a Canary Release or Deployment? • A canary deployment, or canary release, is a deployment pattern that allows you to roll out new code/features
0 码力 | 9 pages | 1011.00 KB | 1 year ago

Istio Meetup China: Service Mesh Security, Understanding Istio CNI
张之晗, Tetrate engineer / Istio community Release Manager. Service Mesh Security: Understanding Istio CNI. Istio Meetup China About me Istio 1.10 Release Manager, Istio Community, 2021-Present GetMesh(GetIstio) core contributor, Istio Community
0 码力 | 19 pages | 3.17 MB | 1 year ago

Building resilient systems inside the mesh: abstraction and automation of Virtual Service generation
cluster #IstioCon ● Easy way to manage Virtual Service configs. ● Virtual Service configs become a release artifact. ● Easy abstraction for defining timeouts and retries in a language agnostic way. ● Application
0 码力 | 9 pages | 1.04 MB | 1 year ago

IstioCon2023 Welcome Keynote
Istio's graduation within the CNCF Join CNCF Istio has applied to become a CNCF project Release v1.0 Istio is ready for production Started Started by teams from Google and IBM 2017 2018
0 码力 | 14 pages | 1.31 MB | 1 year ago

Using ECC Workload Certificates (pilot-agent environmental variables)
are considered experimental. There is no guarantee that they will not be deprecated in a future release. Use at your own discretion. ● To enable this, users must set the ECC_SIGNATURE_ALGORITHM environmental
0 码力 | 9 pages | 376.10 KB | 1 year ago