Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
Layer-7 traffic management capabilities in the mesh ❏ Several ways to extend Istio's traffic management capabilities ❏ Aeraki - managing all layer-7 traffic in an Istio service mesh ❏ Demo - Dubbo Traffic Management ❏ MetaProtocol - a generic layer-7 protocol framework for service meshes #IstioCon Protocols in a Typical Microservice Application Database: MySQL, PostgreSQL, MongoDB ... ● Other Layer-7 Protocols: ... Control Plane (Traffic Management, Security, Observability) #IstioCon What Do We Expect From a Service Mesh? To decouple infrastructure operations from application code, we need layer-7 traffic … Header Layer-7 Header Data Traffic Management for HTTP/gRPC - all good ● We get all the capabilities we mentioned on the previous slide Traffic Management for non-HTTP/gRPC - only layer-3 to layer-6
0 码力 points | 29 pages | 2.11 MB | 1 year ago | 3

Istio Security Assessment
composite risk score that takes into account the severity of the risk, application's exposure and user population, technical difficulty of exploitation, and other factors. For an explanation of NCC Group's access to. Reproduction Steps 1. Configure a cluster per Appendix E on page 49, with a restricted user confined to a "restrict-test" namespace per the Istio cluster setup guide2 2. Obtain the output configurations 4. Using the restricted user, kubectl -n restrict-test apply -f samples/bookinfo/platform/kube/bookinfo.yaml 5. Using the restricted user, kubectl -n restrict-test apply the following
0 码力 points | 51 pages | 849.66 KB | 1 year ago | 3

Is Your Virtual Machine Really Ready-to-go with Istio?
complexity ○ Need consistent policy enforcement ○ Need consistent metrics aggregation ● Traffic management ○ Load balancing for VMs, failover, A/B testing, modern rollouts for VM services ● Security on the VM ■ Dependency on K8s API server ■ Requires creating an RBAC impersonation rule for each user ■ Private key and CSR generation limited to Istio agent (no support for other provisioner tools) workload certificate attributes #IstioCon Security & Usability Limitations (cont.) ● Access management: CNI needs improvements ○ Much required to avoid escalated Pod privileges ○ No support for smart
0 码力 points | 50 pages | 2.19 MB | 1 year ago | 3

Istio audit report - ADA Logics - 2023-01-30 - v1.0
used on top of Kubernetes. It offers users easy access to features such as observability, traffic management and security without requiring users to add these to their application code. It also offers more Istio-agent and manage network traffic between microservices. The control plane is responsible for applying user configuration to the proxies. The following diagram demonstrates the Istio architecture: Istio ● Certificate management ● Authentication ● Authorization ● Policy Enforcement Points (PEPs) ● A set of Envoy proxy extensions to manage telemetry and auditing Certificate management Alongside each
0 码力 points | 55 pages | 703.94 KB | 1 year ago | 3

Developing & Debugging WebAssembly Filters
Cluster Global Service Failover Multi Mesh | Copyright © 2020 | Orders Citadel Pilot Galley User Account Istiod Understanding Istio: Control and data planes (data plane, control plane) WebAssembly? User Experience SECURITY Technology User Experience in Production Cluster 1 Account User Cluster 2 Istiod Orders User AWS EKS Istiod Orders User Account Ingress Ingress Ingress Gloo Mesh Management Plane SRE / Platform Team Deploy
0 码力 points | 22 pages | 2.22 MB | 1 year ago | 3

Istio 2021 Roadmap: A heartwarming work of staggering predictability
Mesh) Louis Ryan (Principal Engineer, Google) #IstioCon Highlights of 2020 ● Better life cycle management ○ Istioctl install & Operator support ● Architectural simplification ○ Monolith control plane Sustain the tremendous production adoption of Istio ● Stable core ○ Current Istio functionality meets user needs ○ Measured feature introduction ● Reducing operational overhead ○ Maintenance ○ Upgrades Better testing mirroring production use cases ● Enhanced troubleshooting ● Aligning APIs with Istio user roles and responsibilities https://istio.io/latest/blog/2020/tradewinds-2020/ #IstioCon Feature
0 码力 points | 17 pages | 633.89 KB | 1 year ago | 3

Using Istio to Build the Next 5G Platform
capacity, increased availability, and a more uniform user experience to more users. Higher performance and improved efficiency empower new user experiences and connect new industries. -Qualcomm traffic via mTLS Autonomous PKI service for certificate lifecycle management at scale What Do You Get From Istio? Traffic Management Powerful Layer 7 (HTTP/2) routing ©2021 Aspen Mesh. All
0 码力 points | 18 pages | 3.79 MB | 1 year ago | 3

Canary Release Practice for Kubernetes Container Applications Based on Istio
"bookinfo", "mesh" ], "http": [ { "match": [ { "headers": { "cookie": { "regex": "^(.*?;)?(user=jason)(;.*)?" } }, "uri": { "prefix": "/catalog1" } }, A typical VirtualService. Istio on Huawei Cloud: Kubernetes full-stack container service. At Google: microservices become API. Apigee API Management complements Istio with the robust features of Google Cloud's Apigee API management platform, Apigee Edge, by extending API management natively into the microservices
0 码力 points | 38 pages | 14.93 MB | 1 year ago | 3

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
benefits: Focus on code Scale to zero Quick entry to serverless computing … … traffic management observability security … Knative design based on knative.dev #IstioCon How Istio is leveraged Inspection #IstioCon - Security with Service Mesh enabled • mutual TLS is enabled to secure the user application traffic end to end in production • Allow platform to use Istio authorization policy to #IstioCon o Use cases: no service access across user namespaces. o The sidecar CR helps to limit the known egress hosts for sidecars; a sidecar needs to know the mesh in its own user namespace only
0 码力 points | 23 pages | 2.51 MB | 1 year ago | 3

Moving large scale consumer e-commerce Infrastructure to Mesh
active users ● User requests over 10 billion per month ● Internet egress bandwidth over 100 TB/month ● Internal egress bandwidth ~2 PB/month #IstioCon Architecture Overview ● User traffic infrastructure connection and TCP settings ● Handle signals gracefully (SIGINT, SIGTERM) ● Automate for easy management of setup across environments ● Ignore ports / IP as applicable - Consul ● Namespace isolation
0 码力 points | 14 pages | 1.76 MB | 1 year ago | 3
30 results in total (pages 1, 2, 3)