部署一个DaemonSet(asmwasm-controller)到K8s集群中 ○ asmwasm-controller监听一个configmap, 该configmap存放要拉取的wasm filter 的地址, 例如： acree-1-registry.cn-hangzhou.cr.aliyuncs.com/asm/sample:v0.1 ○ 如果需要授权认证, 该asmwasm-controller会根据定义的pullSecret值获得相应的 llSecret值获得相应的 secret值; ○ 然后,调用oras API从注册库中动态拉取wasm filter; ○ 该asmwasm-controller使用HostPath方式挂载volume, 所以拉取的wasm filter会落 盘到对应的节点上; 15 创建私钥仓库登录Secret ● 获取私有仓库登录信息之后, 按照如下命令创建Secret ○ kubectl create --type=kubernetes.io/dockerconfigjson 16 ��������� ������������� ASMFilter Deployment 资源对象 Controller (Watch & Reconcile) Istio EnvoyFilter CR wasm filter二进 制文件 服务网格ASM Pod K8s集群 Proxy Service

like Terraform to deploy a cluster with Callico CNI along with OPA or another dynamic admission controller that can show how Istio can integrate with something like OPA. 6https://istio.io/latest/docs/ 0x135de04 0x4674a1 # 0x135de03 k8s.io/client- go/tools/cache.(*controller).Run.func1+0x33 k8s.io/client- go@v0.18.0/tools/cache/controller.go:124 32 @ 0x4374a0 0x447663 0x1355d95 0x135561b 0x135ea23 0x1226f5f b.logf("External process exec name: %s", exeName) cmd := exec.Command(exeName, controller.location().Address, controller.location().Path) cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr • istio/istio

DiscoveryServe r clientset Envoy Envoy KubeApiServ er List/Watc h 1. Controller实现ServcieDiscovery 若干服务发现的接口定义 2. Controller List/Watch KubeAPIserver上service、 endpoint等资源对象 3. DiscvoeryServer使用 S 60% Scheduler Controller- Managerr 灰度发布：基于Kubernetes + Loadbalancer SVC svc1 SVC svc1 SVC svc1 SVC svc1 SVC svc1 SVC svc1 prod canary KubeAPIServer Ingress- Controller List/watch reLoad

DiscoveryServe r clientset Envoy Envoy KubeApiServ er List/Watc h 1. Controller实现ServcieDiscovery 若干服务发现的接口定义 2. Controller List/Watch KubeAPIserver上service、 endpoint等资源对象 3. DiscvoeryServer使用 S 60% Scheduler Controller- Managerr21 灰度发布：基于Kubernetes + Loadbalancer SVC svc1 SVC svc1 SVC svc1 SVC svc1 SVC svc1 SVC svc1 prod canary KubeAPIServer Ingress-Controller List/watch reLoad22

istioctl scanning tool designed for CNI Repair controller Valid through istio-init (iptable) Detect crashloop init container Kill and Restart them Taint controller No need for istio init container (faster

SidecarSet将EmptyContainer替换为新Sidecar镜像，新Sidecar镜像启动 • 新Envoy进程与老Envoy交互，开始进行热重启流程 • 最大排水时间到达，SidecarSet Controller将老Container替换为Empty镜像 • 热升级结束 10 • 为什么需要服务网格数据面热升级 • 实现热升级 • 实践热升级 目录 Catalog 11 实践热升级 Practice

metadata: name: bookinfo-gateway spec: selector: istio: ingressgateway # use istio default controller servers: - port: number: 443 name: https protocol: HTTPs tls: mode:

default networking layer solution of Knative. It is leveraged for Net-istio is A Knative ingress controller for Istio. Knative is an open source project which provides a set of components (Serving and

to manage any layer-7 protocols other than just HTTP and gRPC. You can think of Aeraki as the “Controller" to automate the creation of envoy configuration for layer-7 protocols #IstioCon Aeraki: Manage

Run make lint locally to verify changes and check for problems Click on the Netlify preview to view updates as if they were live #IstioCon Summary ● Don't be afraid to create issues, ask around