Istio Traffic Management Principles and Protocol Extensions - 赵化冰
… service cluster. Envoy uses its load-balancing policy to decide which cluster member a request is routed to. Main concepts of the xDS protocol:
• Listener Discovery Service (LDS): listener discovery.
• Route Discovery Service (RDS): route discovery.
• Cluster Discovery Service (CDS): cluster discovery.
• Endpoint Discovery Service …
Istio Traffic Management - Data Plane - Envoy Sidecar Configuration in Istio. Envoy sidecar configuration in Istio:
• Using Listener, Route Config and Cluster, Istio generates configuration for two separate processing flows, inbound and outbound, for every Envoy in the mesh.
• On top of Envoy it adds VirtualInboundListene … outbound listener.
5. According to the http_connection_manager filter configuration of the 0.0.0.0_9080 listener, the request is dispatched using the 9080 route.
6. In the configuration of the 9080 route, a request whose host name is reviews:9080 maps to the cluster outbound|9080||reviews.default.svc.cluster …
[20 pages | 11.31 MB | 5 months ago]

Kubernetes Container Application Canary Release Practice Based on Istio
Istio canary release: weight-based
apiVersion: …
kind: VirtualService
metadata:
  name: vs-svcb
spec:
  hosts:
  - svcb
  http:
  - route:
    - destination:
        name: v1
      weight: 20
    - destination:
        name: v2
      weight: 80
[diagram: Version2 / Envoy / SVC / Envoy]
VirtualService
metadata:
  name: ratings-route
spec:
  hosts:
  - svcb
  http:
  - match:
    - headers:
        cookie:
          exact: "group=dev"
    route:
    - destination:
        name: v1
  - route:
    - destination:
        name: v2
Canary release: forms in which the canary version exists
… "/newcatalog" },
  "route": [
    { "destination": { "name": "reviews", "subset": "v2" }, "weight": 25 },
    { "destination": { "name": "reviews", "subset": "v3" }, "weight": 75 }
  ]
}, { "route": [ { "destination": …
[38 pages | 14.93 MB | 1 year ago]

Kubernetes Container Application Canary Release Practice Based on Istio
Istio canary release: weight-based
apiVersion: …
kind: VirtualService
metadata:
  name: vs-svcb
spec:
  hosts:
  - svcb
  http:
  - route:
    - destination:
        name: v1
      weight: 20
    - destination:
        name: v2
      weight: 80
[diagram: Version2 / Envoy / SVC / Envoy]
VirtualService
metadata:
  name: ratings-route
spec:
  hosts:
  - svcb
  http:
  - match:
    - headers:
        cookie:
          exact: "group=dev"
    route:
    - destination:
        name: v1
  - route:
    - destination:
        name: v2
Canary release: forms in which the canary version exists
… "/newcatalog" },
  "route": [
    { "destination": { "name": "reviews", "subset": "v2" }, "weight": 25 },
    { "destination": { "name": "reviews", "subset": "v3" }, "weight": 75 }
  ]
}, { "route": [ { "destination": …
[34 pages | 2.64 MB | 5 months ago]

Istio Security Assessment
Findings
• There was a lack of validation on the VirtualService Gateway fields that could allow route hijacking
• In testing, it did not appear to be possible to secure the control plane either by the …
… Field Validation Enables Request Hijacking | 017 | High
Ingress Gateway Configuration Generation Enables Route Hijacking | 023 | High
Pilot Debug Interface Exposes Sensitive Information | 002 | Medium
Default Production … Confidential
  - "*"
  gateways:
  - test/bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    route:
    - destination:
        host: details.restrict-test.svc.cluster.local
        port:
          number: 9080
  - match:
    - uri: …
[51 pages | 849.66 KB | 1 year ago]

Preserve Original Source Address within Istio
(IP_TRANSPARENT)
⑤ Server's response packet is flowing through the same path (TPROXY + Custom Route)
#IstioCon
TOA Address Caveats: install toa module in kernel
Proxy Protocol Proxy
  ip -f inet rule add fwmark 1337 lookup 133
  ip -f inet route add local default dev lo table 133
③ echo 1 > /proc/sys/net/ipv4/conf/eth0/route_localnet
Preserve TCP Original Src Addr - ingress
[29 pages | 713.08 KB | 1 year ago]

Istio audit report - ADA Logics - 2023-01-30 - v1.0
HTTPFetcher.Fetch() can be demonstrated with the following simple program. It sets up a server with a route that writes a large buffer to the http response. It then implements a copy of Istio's HTTPFetcher …
  bufferSize = 500000000
)
// Creates a server and serves it.
// There is nothing from Istio here.
// The route writes a large buffer to the response to demonstrate
// that Istio reads the entire response body …
… parse query from STS request: %v", parseErr)
}
This is also the case for the STS server's second route, StsStatusPath, which also passes an unbounded http request to DumpRequest() in case the user has …
[55 pages | 703.94 KB | 1 year ago]

宋净超 - From Open-Source Istio to Enterprise-Grade Services: How to Adopt a Service Mesh in the Enterprise
… are used in multi-cluster environments to route traffic between clusters hosting the same application.
● Tier-2 Gateways sit at the cluster edge and route traffic to the mesh-managed services inside …
[30 pages | 4.79 MB | 5 months ago]

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
…ateway
  - knative-serving/knative-local-gateway
  hosts:
  - blue.51ch62kjrnd.svc.cluster.local
  http:
  - route:
    - destination:
        host: {revision-3}.51ch62kjrnd.svc.cluster.local
      weight: 10
    - destination:
        host: …
… clusters, each cluster should support 1000 sequential (interval 5s) Knative service provisionings with route ready time <= 30s.
Type | Info
K8s Cluster Capacity | 12 nodes in 3 zones, 16 vCPU * 64 Gi MEM
Knative …
[23 pages | 2.51 MB | 1 year ago]

Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
… tests
Mesh Dynamics Services | CONFIDENTIAL
Configure mocks with Istio virtual service
Route requests to mock svc with a virtual service
  - match:
    - uri:
        prefix: /reviews
    rewrite: …
[21 pages | 1.09 MB | 1 year ago]

Istio Control Plane Components: Principles Explained
… universal data plane API. Caching Istio and k8s configuration:
✓ a small, non-persistent key/value database
✓ the cache is built with k8s.io/client-go
✓ caches Istio objects: route-rule, virtual-service, gateway, etc.
✓ caches k8s objects: node, Service, Endpoints, etc.
How configuration changes take effect: v2 actively pushes configuration to envoy over a bidirectional gRPC stream:
✓ event-triggered …
[30 pages | 9.28 MB | 5 months ago]
12 results in total