label search is restricted to the configuration namespace in which the the resource is present. In other words, the Gateway resource must reside in the same namespace as the gateway workload instance. Such create an additional resource type for ingress gateways to abstract their configuration and enable future features. This could be used, in combination with a new Gateway resource field, to implement a additional caching mechanism to track Gateway creation, it may be worthwhile to create an Istio Hostname resource that can be referenced by Gateways, which would allow for better tracking of hostnames — and hostname

pods with multiple containers with HPA. ● Fixed in Kubernetes 1.20 by specifying a container resource as an HPA target ● In the meantime, we need to add the Istio sidecar into the HPA calculation Pod App container Container requests HPA configuration (70% CPU) metrics: - type: Resource resource: name: cpu target: type: Utilization averageUtilization: 70 Will container CPU: 100m Container requests HPA configuration (70% CPU) metrics: - type: Resource resource: name: cpu target: type: Utilization averageUtilization: 70 The

1 vulnerability found that affected Googles managed Istio offering 11 issues found ● 5 system resource exhaustion ● 1 arbitrary file write ● 1 missing file close ● 1 certificate skipping ● 1 case implementation issues in the Go programming language such as NULL-pointers, out-of-bounds, race conditions, resource exhaustion issues and other issues stemming from improper usage of the language. Istio consists Istio offers two models for managing ingress traffic to the cluster: 1. The Kubernetes ingress resource 2. Istio Gateway These resources are exposed to the outside world and represent the first point

apply docker pull #IstioCon Fully Cloud docker push kubectl apply docker pull + No local resource utilization + Closely resembles production environments + Can test large scales - Slow, especially + Easy to setup bespoke clusters, including enabling alpha features and multicluster - Local resource utilization - Some overhead of Kubernetes and docker images - Attaching a debugger is not trivial

(#14516) 3. Istio Discovery overload (#25495) 3. Sidecar & ExportTo tuning is required 1. Resource consumption 2. Resource Mounts (#15517) 4. Tests on the production-size environment aren’t a waste of time

○ Release and Upgrade Notes ○ Release date slip ○ Release with known issues ○ Performance and resource usage ● Istio community didn’t have a process #IstioCon Led To ● Upgrade Working Group ● Release major ● Where to post announcements ● What to look for when examining releases ○ Performance ○ Resource usage ○ Open issues ○ Features being promoted ○ Release notes and upgrade notes #IstioCon Continuous

filters, or even add entirely new listeners, clusters, etc. #IstioCon Wise Platform K8s custom resource definition HTTP filters Network filters UDP listener filters … Match outbound listeners in all

of the mesh ● Workflows for collaborative agility More About Multi Cluster ● Multi tenancy ● Resource hierarchy ● NGAC Two-tier Gateway ● Tier-1 Gateways sit at the application edge and are used

注册Handler 扩展Mixer接入授权 • Mixer会直接影响整个Mesh的稳定性，因此替换时要做到尽可能稳妥 实践总结 • k8s/etcd 配置管理存在性能瓶颈： • 单一 resource 应控制在k级别，达到 10k 量级后响应可能会出现超 时导致配置读写状态异常，进而影响整个系统稳定性 实践总结 • Istio配置管理有局限性： • Endpoint的配置管理有防抖动处理，即使集群中的部署变化再快，

Proxy Service A Volume 挂载 Envoy配置 17 ASMFilterDeployment CR示例 ● 创建ASMFilterDeployment Custom Resource 18 生成的Istio Envoy Filter资源(1) apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: