| CONFIDENTIAL Leveraging Istio for Creating API Tests Low Effort API Testing for Microservices | CONFIDENTIAL • What has changed? – Migration to microservices triggering need for extensive testing earlier Create and maintain a balanced test pyramid Create different types of tests with low effort 7 What we need… End-to-end Component Service | CONFIDENTIAL REQUEST RESPONSE API MOCKS

middle boxes) ● High performance networking ○ Much higher multi-Gbps peak data speeds ○ Ultra low latency ○ And of course, reduce overheads introduced! ● High availability ● CapEx, OpEx #IstioCon Overheads introduced ● No high performance data path support ○ Multi-Gbps bandwidth ○ Ultra low latency #IstioCon Performance Limitations: Solutions ● Software techniques ○ (eBPF-based) TCP/IP stack co-designs #IstioCon Latency Analysis ● ~3ms P90 latency added ○ Istio v1.6 ○ More for VM usage ● Hotspots ○ 1  2 ○ 3  4: 30%~50% ● Others ○ Latency between Pods ○ Latency introduced by C/S #IstioCon

target for multi-containers pods Stabilizing Istio Two options: 1. Make the istio-proxy CPU very low compared to the application CPU (Between x% and y% of app CPU) to minimize the variance ● Putting sidecars everywhere has a cost ○ Latency ○ Compute resources The Istio 1.9 community reference values for sidecar performance are: ● Latency: +2.65 ms at p90 (no telemetry) ● Compute resources: capacity Adopting Istio ● Each workload may be different, even in a same product. Some examples: ○ Latency-sensitive workloads ○ Long-lived batches (ML) ○ Web platforms ● How do you define a common answer

error ○ ... ● Observability with application layer metrics ○ HTTP status code ○ Thrift request latency ○ ... ● Application layer security ○ HTTP JWT Auth ○ Redis Auth ○ ... IP Data IP Header manually create and maintain these EnvoyFilters, especially in a large service mesh: ● It exposes low-level Envoy configurations to operation ● It depends on the structure/name convention of the generated stand-alone component ● Provides an abstract layer with Aeraki CRDs, hiding the trivial details of the low-level envoy configuration from operation ● Protocol-related envoy configurations are now generated

Matter? 5G wireless technology is meant to deliver higher multi-Gbps peak data speeds, ultra low latency, more reliability, massive network capacity, increased availability, and a more uniform user

Gateway Book Info Payments Product Info ✓ Security ✓ Visibility ✓ Traffic Shaping ✘ Latency ✘ Single Point of Failure Service Mesh API Gateway Book Info Payments Product Info Proxy + k8s Istio mTLS mTLS mTLS ✓ Security ✓ Visibility ✓ Traffic Shaping ✓ Latency ✓ Single Point of Failure Adoption Challenges ● Multi-region deployments ● Non-flat networks

same node Configurations ◦ mTLS enabled ◦ Number of Envoy workers: 2 ◦ Response payload size: 1KB Latency ◦ 11-17% improvement Istio Meetup China Summary ● eBPF functionality enabled with a DaemonSet to envoy) ● Works with Istio >= 1.10 ● CNI agnostic and should work with all CNIs (wo/ eBPF) ● Latency：11~17% improvement Istio Meetup China Thank you! luyao.Zhong@intel.com

Zonal routing, zonal deployment and HPA ● Endpoint accessed by service via config #IstioCon Latency improvement #IstioCon Tooling and Automation ● Automate the Istio setup during Kubernetes cluster

logs Log Files Parse Istio-proxy Log • Each API Access Count • Each API Fail Rate • Each API Latency Easy to debug Easy to report Easy to alert Elastalert #IstioCon Excellent Observability - Access

26dacdde40968a37ba9eaa864d40e45051ec5448 Finding Breakdown Critical issues 0 High issues 4 Medium issues 5 Low issues 7 Informational issues 2 Total issues 18 Category Breakdown Access Controls 7 Configuration 2 Component Breakdown Istio 10 Istio Sidecar 3 Istioctl 2 Pilot 3 Key Critical High Medium Low Informational 3 | Google Istio Security Assessment Google / NCC Group Confidential Table of Findings Sidecar Image Not Hardened 001 Low The Sidecar Does Not Use Apparmor/Seccomp By Default 005 Low Insecure File Permissions Set 007 Low Istio Client-Side Bypasses 014 Low Sidecar Envoy Administrative