Extending service mesh capabilities using a streamlined way based on WASM and ORAS (IstioCon; 王夕宁 / Wang Xining, 阿里云服务网格 ASM / Alibaba Cloud Service Mesh ASM)
    Envoy's filter chain: Listener -> Downstream -> Filter -> Filter -> Filter -> Cluster -> Upstream, with envoy.http_connection_manager in front of the HTTP filters. The filter chain of the Productpage service includes envoy.filters.http.wasm/envoy.wasm.metadata_exchange, istio_authn, envoy.filters.http.fault, envoy.filters.http.router, envoy.filters.http.wasm/envoy.wasm.stats and envoy.filters.http.wasm/xxx-wasmfilter (slide command: kubectl exec -it [productpage-xxx] -c istio-proxy curl loc...). Ways to add a new filter: Built-in filter & community provided: ...
    23 pages | 2.67 MB | 1 year ago
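The filter chain above already carries Istio's own Wasm filters (metadata_exchange, stats) next to a slot for a custom one; on current Istio the streamlined way to fill that slot is a WasmPlugin that pulls the module from an OCI registry, which is exactly the kind of artifact ORAS pushes. The manifest below is an added example, not material from the talk or from Istio's own docs; the plugin name, registry host, repository, tag, secret name and pluginConfig keys are assumptions.

```yaml
# Added example (not from the talk): Istio WasmPlugin loading a custom HTTP
# filter from an OCI registry. Names, registry path, tag, secret name and
# pluginConfig keys are assumptions used for illustration.
apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: productpage-custom-filter
  namespace: default
spec:
  # Attach only to the productpage sidecars, i.e. the filter chain shown above.
  selector:
    matchLabels:
      app: productpage
  # The module is an OCI artifact (for example one pushed with oras); the
  # registry host and repository are placeholders.
  url: oci://registry.example.com/wasm/productpage-filter:v1
  # Pin the module: a tag can be overwritten in the registry, a digest cannot.
  # Replace with the real SHA-256 of the module before applying.
  sha256: "<sha256 of the module>"
  imagePullPolicy: IfNotPresent
  # Kubernetes docker-registry secret in the same namespace as the workload,
  # so the proxy can authenticate to a private registry.
  imagePullSecret: registry-credentials
  # AUTHN inserts the filter before Istio's authentication filters; AUTHZ would
  # place it after authentication and before authorization; STATS after
  # authorization and before the stats filters listed above.
  phase: AUTHN
  # Orders plugins within the same phase; higher priority runs first.
  priority: 10
  # Opaque configuration handed to the module's on_configure callback.
  pluginConfig:
    header_name: x-mesh-origin
    header_value: productpage
```

After applying, confirm the module actually landed in the chain rather than assuming it did: `kubectl exec <productpage-pod> -c istio-proxy -- curl -s localhost:15000/config_dump` should show a new envoy.filters.http.wasm entry for the plugin on the inbound listener. If the sha256 does not match what the registry serves, the proxy refuses the module and the entry will not appear, which is the failure you want from a supply-chain standpoint.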
Istio audit report - ADA Logics - 2023-01-30 - v1.0
    ... recommended MaxBytesHandler was used, the request body was not fully consumed, meaning that when a server attempts to read HTTP2 frames from the connection it will instead be reading the body. As such, the ... FuzzBuildSecurityCaller (istio.io/istio/security/pkg/server/ca, https://github.com/istio/istio/blob/65478ea81272c0ceaab568974aff700aef907312/security/pkg/server/ca/authenticate/fuzz_test.go#L21). The fuzzers ... typically is Istiod. 2. To receive ADS requests from Envoy and forward these to the specified discovery server, which typically is Istiod. Istiod handles certificate signing requests via the IstioCAServiceServer ...
    55 pages | 703.94 KB | 1 year ago
Envoy原理介绍及线上问题踩坑 (Envoy internals and production pitfalls)
    Speaker: 张伟 (Zhang Wei), Huawei Cloud container mesh data-plane technical expert. More than ten years of middleware and high-performance system development; as architect and core developer has shipped a transport network management system, the Tuxedo transaction middleware, the ts-server media transcoding service, the GTS high-performance transaction cloud service, the SC high-performance registry and the ASM data plane. Previously at 亿阳信通, Nortel, Oracle, Polycom and Alibaba; now responsible for the mesh data-plane architecture in Huawei Cloud's cloud-native team. ... onNewConnection: a new connection is established and the filter can decide whether to reject it; onData: data arrives on the connection; onWrite: data is sent on the connection. L7 HTTP filters: modifying HTTP request headers, rate limiting, Lua extensions, WASM extensions, development and debugging support, compression, metadata exchange, routing, etc. decodeHeaders handles the HTTP request headers, decodeData the HTTP request data, decodeTrailers the end of the HTTP request ... the target service address, as input to the subsequent load balancing. envoy.filters.network.tcp_proxy: L4 network filter; one-to-one proxying between downstream and upstream connections at L4. envoy.filters.network.wasm: L4 network filter; based on WASM (WebAssembly), an extension mechanism with sandboxing, hot upgrade and cross-language support that handles new L4 connections and data send/receive. envoy.filters.network.dubbo_proxy: L4 network filter ...
    30 pages | 2.67 MB | 1 year ago
Apache Kafka with Istio on K8s
    ... require client application restarts. Challenges, client certificates: mTLS provided by Istio; server certificate provided by the Istio proxy sidecar container; each Kafka client request gets a client ... layer provided by Istio: Kafka does not process the client certificate in PLAINTEXT mode; an Envoy WASM filter extracts the client identity from the client certificate and passes it to Kafka. Kafka client authentication with Istio: Istio provides a security layer for workloads in a uniform way; Envoy WASM filters open the gates for a whole array of useful features such as Kafka protocol-level metrics ...
    14 pages | 875.99 KB | 1 year ago
Developing & Debugging WebAssembly Filters
    ... API Gateway, Security (EW), Observability, Zero-trust, Approval Processes, Rollback, Delegation, WASM, Multi Cluster, Global Service Failover, Multi Mesh ... Extend Envoy Proxy with WebAssembly (Wasm). Polyglot: Envoy filters are written in C++; Wasm expands that to any language. Secure and reliable: Wasm runs in an isolated VM and can be updated dynamically ... need to recompile and maintain a build of Envoy. External auth, rate limiting, router, upstream, WASM, gRPC transcoder. Why WebAssembly? ... User Experience ...
    22 pages | 2.22 MB | 1 year ago
Istio 2021 Roadmap: A heartwarming work of staggering predictability
    ... simplification: monolith control plane; Mixerless telemetry. New extension capabilities: WebAssembly (Wasm) support. Secure by default: Secret Discovery Service (SDS); auto mTLS. API and feature promotion ... Extension ecosystem: WebAssembly (Wasm) enhancements, with APIs for adding custom Wasm extensions, a focus on developer workflow and discovery of Wasm extensions; external AuthZ extensions; telemetry ...
    17 pages | 633.89 KB | 1 year ago
Istio + MOSN 在 Dubbo 场景下的探索之路 (Istio + MOSN: exploring the Dubbo scenario)
    ... Source and Sink: the Source is the resource provider (server), which pushes changed resources to subscribers (Pilot); before Istio 1.5 this role was Galley or a custom MCP server. The Sink is the resource subscriber (client); before Istio 1.5 this role was Pilot and Mixer, which subscribe to the resources of Galley or a custom MCP server. ... MCP, mcpserver ... Use EnvoyFilter resources to patch xDS resources; Envoy parses the Service and Method from the Dubbo protocol; traffic is forwarded to the matching Provider according to the routing policy; extension through WASM. Huawei Cloud: https://support.huaweicloud.com/bestpractice-istio/istio_bestpractice_3005.html ... 改造方案 (transformation plan) ...
    25 pages | 3.71 MB | 6 months ago
全栈服务网格 - Aeraki 助你在 Istio 服务网格中管理任何七层流量 (Full-stack service mesh: Aeraki helps you manage any layer-7 traffic in the Istio service mesh)
    ... proxy in the outbound listener; replace the TCP proxy in the inbound listener. Client -> Server v1 (30%) / Server v2 (70%), both on port 9090. EnvoyFilter is powerful, but ... it's very difficult if ... Mutation, load balancing, circuit breaking, multiplexing, traffic mirroring, etc. When implementing a custom protocol on top of MetaProtocol, only a small amount of code (C++) for the Decode and Encode extension points has to be written. L7 filter extension points based on WASM and Lua are provided, so users can implement flexible custom protocol handling logic such as authentication and authorization. MetaProtocol: request processing path. Processing flow: 1. Decoder ...
    29 pages | 2.11 MB | 1 year ago
IstioCon2023 Welcome Keynote
    ... 11:25 Ambient Q&A; 10:50 Istio Feature Gates; 12:00 Ambient + Pod Identity; 12:40 Multiplayer Istio WASM; 1:15 What's New Since 2022. CNCF Graduation. Ambient Mesh: a new dataplane mode for Istio without ... 1. sail. What about the rest of the boat? Upcoming talks: Aperture - Load Management; Meshery - WASM plugin management; Argo - Multi-cluster orchestration; JP Morgan SLO Generation; Reflecting on the Value ...
    14 pages | 1.31 MB | 1 year ago
SolarMesh 基于Istio构建的流量监管平台 (SolarMesh: a traffic supervision platform built on Istio)
    Cloud To Go ... no restart required, switch-over in seconds ... Envoy supports Wasm filters for the network pipeline and the HTTP pipeline (HTTP filters). This means you can write sidecar logic in Wasm. ... Virtual machine support: make virtual machines part of the cluster; the traffic view "sees" VM applications ...
    20 pages | 1.29 MB | 1 year ago
23 results in total