宋净超 (Jimmy Song): From Open Source Istio to Enterprise Services: How to Adopt a Service Mesh in the Enterprise
to Enterprise Service Mesh 宋净超(Jimmy Song) September 24, 2022 Shanghai, China Cloud Native Application Networking Secure, Observe and manage microservices Outline ● Background ● Enterprise Service Enterprise team structure gap (Workspace, Tenants, etc) ○ UI&UX Background ● Leads to complexity and lack of operational agility ● You can't be Cloud Native at scale without a modern application-aware network different from the perspective of a developer building and operating an application Why is Istio? TSB: The Application-Aware Networking Platform Istio: Control Plane Tetrate Service Bridge: Management
0 码力 | 30 pages | 4.79 MB | 5 months ago

Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer 7 Traffic in the Istio Service Mesh
Management ❏ MetaProtocol - a generic Layer 7 protocol framework for service meshes #IstioCon Protocols in a Typical Microservice Application Service Service Service Service Service Service Message Broker RPC RPC RPC Message Message with application layer error codes ○ HTTP status code ○ Redis Get error ○ ... ● Observability with application layer metrics ○ HTTP status code ○ Thrift request latency ○ ... ● Application layer authorization: Identity/Source IP/ Dest Port ○ Request level auth is impossible #IstioCon BookInfo Application - AwesomeRPC ProductPage Reviews v1 AwesomeRPC (header: user != Jason) AwesomeRPC (header:
0 码力 | 29 pages | 2.11 MB | 1 year ago

Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
from the data – 10x speed in creating API tests • Can also be sped up by just navigating the application UI – Create E2E tests, component tests and service tests from the same data • Key product benefits of improved API tests • Istio benefits – Venky / Prasad – point here • Demo • Questions 2 Structure | CONFIDENTIAL 3 API-driven applications exploding Service Testing Component Testing E2E API Local Service Testing by Devs Component, E2E Tests Service Tests Learning from usage of application and services Dev Usage Staging/UAT Env API catalog | CONFIDENTIAL #Rollbacks MTTR
0 码力 | 21 pages | 1.09 MB | 1 year ago

Istio Security Assessment
finding, NCC Group uses a composite risk score that takes into account the severity of the risk, application's exposure and user population, technical difficulty of exploitation, and other factors. For an purpose, an attacker could create a malicious file with the same hash as the original. A user or application would not be able to tell the difference between the legitimate and malicious files based on the Scale NCC Group uses a composite risk score that takes into account the severity of the risk, application's exposure and user population, technical difficulty of exploitation, and other factors. The risk
0 码力 | 51 pages | 849.66 KB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Scala, etc. ● Running on variety of Hardware ○ General-purpose x86 servers ○ GPUs #IstioCon Application Deployment: Cloud Layout ● Region: A metro region ● DC: One or more Data Centers in each Region customer ○ PoPs are mini AZs Region R1 AZ 1 AZ 2 AZ n Data Center DC1 Region Rn #IstioCon Application Deployment: Cloud Layout ● Multiple K8s Clusters in an AZ ○ Each K8s cluster ~ 200 - 5,000 nodes Region Rn #IstioCon Application Specs Region R1 Application Deployment: Federation ● Hierarchy of control planes ● Global Control Plane ○ Users provide application specs to Global Control-Plane
0 码力 | 22 pages | 505.96 KB | 1 year ago

Optimal Canary Deployments using Istio and how it scores over Spring Cloud and Kubernetes
balancer) www.my-application.com External Traffic 75% 25% Deployment Canary Releases Using Kubernetes Deployment POD POD POD S E R V I C E (Load balancer) www.my-application.com External Traffic I C E (Load balancer) www.my-application.com External Traffic POD POD 0% 100% Deployment Deployment Deployment Canary Releases Using Kubernetes – Across application Layers Deployment POD POD S S E R V I C E (Load balancer) www.my-application.com External Traffic 75% 25% POD POD POD POD S E R V I C E (ClusterIP) 75% 25% POD POD Cross-version Traffic My-data-service Service Demo-canary
0 码力 | 9 pages | 1011.00 KB | 1 year ago

Istio in Production
app app app app apiVersion: "nais.io/v1alpha1" kind: "Application" metadata: name: app labels: team: pension spec: image: navikt/app:1 port: 8080 replicas: inbound: - name: consumer-a app apiVersion: "nais.io/v1alpha1" kind: "Application" metadata: name: app labels: team: pension spec: image: navikt/app:1 port: 8080 replicas: -f nais.yaml application deployment service virtualservice autoscaler networkpolicy servicerole servicerolebinding serviceentry apiVersion: "nais.io/v1alpha1" kind: "Application" metadata: name:
0 码力 | 42 pages | 3.45 MB | 1 year ago

Istio is a long wild river: how to navigate it safely
| grep -v envoy | wc -l | xargs) -ne 0 ]; do sleep 1; done"] This preStop hook will wait for application connections to be drained before stopping the container. 18 Workaround: Use postStart and preStop that Envoy is stopped after any other container in a pod ● Use a `preStop` lifecycle hook in the application container manifest: lifecycle: preStop: exec: connection draining may not complete, leading to 5xx errors Example: for sleep 30 + sleep 45 in the application container, we set terminationGracePeriodSeconds to 90 seconds. 20 Warning: These are workarounds
0 码力 | 69 pages | 1.58 MB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
use Istio gateway service istio-ingressgateway as its underlying service. Knative Activator or Application Front door design #IstioCon - Traffic Splitting, blue/green deployment How Istio is leveraged Inspection #IstioCon - Security with Service Mesh enabled • mutual TLS is enabled to secure the user application traffic end to end in production • Allow platform to use Istio authorization policy to control flow with Istio mesh/mTLS #IstioCon o Init-container added which cost ~5 seconds for Knative application pod code start. o Every sidecar needs full mesh information by default. Not a scalability solution
0 码力 | 23 pages | 2.51 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
as observability, traffic management and security without requiring users to add these to their application code. It also offers more advanced features to support A/B testing, canary deployments, rate limiting pilot/cmd/pilot-agent /status/server.go#L4 99 if envoy != nil { envoy.Close() } if application != nil { application.Close() } https://github.com/is tio/istio/blob/959887 237eee77be3e2715 2438c479aa4c4712 serve using grpcServer if r.ProtoMajor == 2 && strings.HasPrefix(r.Header.Get("content-type"), "application/grpc") { s.grpcServer.ServeHTTP(w, r) return } // Otherwise, this is meant for the standard HTTP
0 码力 | 55 pages | 703.94 KB | 1 year ago
22 results in total