• istio-proxy容器启动pilot-agent进程，使用UID=1337 GID=1337创建Envoy启动命令行与配置文件 • 可以通过自定义deployment内istio注解sidecar.istio.io/inject: “false”跳过自动注入过程，或修改部分启动参数。 • 2. 控制面通信 • Pilot-agent进程本身创建UDS接收Envoy连接，用于证书更新下 pilot-agent LDS RDS CDS EDS tls证书 管理 SDS CSR创建证书 stat tracing 支持采集或 主动上报 监控系统 过滤器 过滤器 连接 连接 xDS 描述 模式 请求路径 LDS 监听器配置 POST /envoy.service.listener.v3.ListenerDiscoveryService/StreamListeners RDS 路由配置 Copyright © Huawei Technologies Co., Ltd. All rights reserved. Page 16 Envoy过滤器架构-常用过滤器 插件名称 工作模式 功能介绍 envoy.listener.tls_inspector 监听过滤器 检测下游连接是否为TLS加密，并且获取ALPN（应用层 协商协议），用于网络层过滤器匹配判断。 envoy.listener

秒级切换 Copyright © 2021 Cloud To Go Envoy 支持用于网络管道和 HTTP 管道（HTTP 过滤器）的 Wasm 过滤器。这意味着您可以使用 Wasm 为Sidecar编写逻辑。 Copyright © 2021 Cloud To Go 虚拟机支持 ü 让虚拟机成为集群的一部分 ü 流量视图 ”看到” 虚拟机应用 ü 让虚拟机和集群享受同样的服务治理 让虚拟机和集群享受同样的服务治理 ü 让虚拟机和集群具备相互容灾的能力 ü 快速，零成本接入 SolarMesh对虚拟机的支持 Copyright © 2021 Cloud To Go 1. Istio的直连模式，在sidecar故障时提供秒级的直连流量切换 2. 多集群统一纳管，为流量运维提供上帝视角 3. 可视化、规范化Istio操作，告别terminal 4. 反应集群真实情况，流量可视化监控 5. 为istio核心组件提供监控能力

accessible to anyone within a default cluster. • The Envoy Proxy admin port is exposed via the Istio sidecar and would allow a malicious workload to override or compromise their own Istio configuration. Strategic Configuration 5 Cryptography 1 Data Exposure 3 Data Validation 2 Component Breakdown Istio 10 Istio Sidecar 3 Istioctl 2 Pilot 3 Key Critical High Medium Low Informational 3 | Google Istio Security Assessment Medium Default Sidecar Image Not Hardened 001 Low The Sidecar Does Not Use Apparmor/Seccomp By Default 005 Low Insecure File Permissions Set 007 Low Istio Client-Side Bypasses 014 Low Sidecar Envoy Administrative

Stabilizing Istio ● Istio sidecar proxy specifications ● Kubernetes shortcomings with sidecar containers ○ Controlling containers lifecycle ○ Autoscaling pods with sidecar containers ● Are you prepared Guardrails for Istio 11 Istio sidecar proxy specifications Stabilizing Istio Pod App container Sidecar container All incoming traffic must flow through the sidecar first when entering the pod All outgoing traffic must flow through the sidecar before leaving the pod 12 What happens when the sidecar container is not ready? Stabilizing Istio Pod App container Sidecar container (not running) The

Pod之后发生的事 情： • Sidecar Injection: 注入initContainer, Sidecar, istio-certs volume • Citadel: 自动刷新secrets, k8s自动加 载istio-secrets volume • Pilot: 和Sidecar建立连接，管理动态配 置 • Mixer: 和Sidecar建立连接，管理授权 、Quota和审计数据 及两方面： • 扩展Sidecar：加入认证支持，提供了对业务系统的认证支持，将用 户相关信息以header的形式传入mesh，后续的授权、监控、限流 都可以用Istio原生的机制来完成 • 扩展Mixer：选择一部分流量来应用对应的授权逻辑 FreeWheel的Istio实践 • 右图为接入FreeWheel自定义认证和 授权模块的原理图 扩展Sidecar接入认证 • 修改 i istio-system/istio-sidecar- injector 这个ConfigMap，加入自定 义反向代理 FreeWheel的Istio实践 • 通过在Sidecar中增加FreeWheel自定义认证支持，下游可以充分利用 Istio提供的授权、限流、监控接口，不过要注意Sidecar也有一些小坑 ： • Sidecar没有k8s自动注入的secret，也无法通过容器内环境变量自

作便捷度上取 得令人满意的平衡 传统Sidecar升级方式的缺点 3 为什么需要服务网格数据面热升级 Why do we need Hot-Upgrade for ServiceMesh Data-Plane • 只替换/重启Sidecar • 替换/重启过程中进/出不会出现请求失败，连接失败 • 易于运维，可以控制升级策略 理想的Sidecar升级 4 • 为什么需要服务网格数据面热升级 Implement Hot-Upgrade 6 • Sidecar生命周期管理能力 • 启动两个Sidecar，以进行Envoy热重启的排水流程两个实例并存的阶段 • 能够对整个热升级流程中的镜像替换进行控制 实现热升级 Implement Hot-Upgrade 7 • Sidecar生命周期管理能力 • 启动两个Sidecar，以进行Envoy热重启的排水流程两个实例并存的阶段 • 能够对整个热升级流程中的镜像替换进行控制 • 更强大的生命周期管理组件 • 对需要热升级的Pod注入两个Container，Sidecar & Empty • 支持对热升级过程中Sidecar Container生命周期进行管理 实现热升级 Implement Hot-Upgrade 8 • Envoy热重启参数的协商 • PilotAgent需要使用正确的Epoch参数启动Envoy，才能触发热重启

services 1) Deploy bookinfo services with istio sidecar without reviews-v2 2) Deploy bookinfo gateway 3) Deploy reviews-v2 service without istio sidecar （ kubectl label namespace default istio-injec services 1) Deploy bookinfo services with istio sidecar without reviews-v2 2) Deploy bookinfo gateway 3) Deploy reviews-v2 service without istio sidecar （ kubectl label namespace default istio-injec Istio ● Decide what type of traffic the client sidecar to send automatically ○ If DestinationRule is configured, respect it ○ If server has a sidecar and allows mTLS, send mTLS – reviews-v1 & v3 ○

#IstioCon o Init-container added which cost ~5 seconds for Knative application pod code start. o Every sidecar needs full mesh information by default. Not a scalability solution. o Activator needs to probe the time for Istiod to discover the endpoint of ready pods and then push them to the sidecar. o Istio-proxy (envoy) sidecar costs ~2 seconds for Knative application pod cold start. Unleash maximum scalability o User cases: no service access cross user namespace. o The sidecar CR helps to limit the known egress hosts for sidecars, sidecar needs to knows mesh in his own user namespace only. o We can

lifecycle (Istio Init) Start istio init container in workload Istiod watch updates & start networking sidecar proxy init container update iptable rule for proxy terminate init container Start workload with plugins setup ip for pod Pod could get started in here and bypassing istio sidecar proxy(race condition) Istio CNI install sidecar network routing rule to workload iptable Issue in Istio CNI Kubelet Start plugins setup ip for pod Pod could get started in here and bypassing istio sidecar proxy(race condition) Istio CNI install sidecar network routing rule to workload iptable Issue in Istio CNI Could happen

secrets etc. ○ Setup dnsmasq, Istio components in the VM and verify functionality ○ Configure sidecar interception; restart Istio and manually register the services running #IstioCon V0.2 Mesh Expansion built-in Kube DNS (exposed by ILB) 3. Obtain the Cluster IP resolved 4. Traffic intercepted by the sidecar proxy 5. xDS ■ Traffic forwarded to ingress in the mesh ● Traffic flow (Container -> VM) 1 Workload Group ○ a collection of non-K8s workloads ○ metadata and identity for bootstrap ○ mimic the sidecar proxy injection ○ automate VM registration ○ health/readiness check #IstioCon V1.7 VM Support