#IstioCon Preserve Original Source Address within Istio Zhonghu Xu @hzxuzhonghu #IstioCon About me Zhonghu Xu：an open source engineer from Huawei Cloud. - Github：https://github.com/hzxuzhonghu 1. TCP Original Address Preserve Background Demo 1. HTTP Original Address Preserve #IstioCon Content 1. TCP Original Address Preserve Background Demo 1. HTTP Original Address Preserve #IstioCon #IstioCon What is the use case of original address 1. Sticky Session: based on ip hash, traffic from same client is forwarded to the same backend 2. Security Policy: set white/black list 3. Access log &

commonly used by administrators, and provide perspective on whether security features sufficiently address the concerns they are designed to provide. Four consultants over a period of five weeks along with != nil && !os.IsExist(err) { return err } for address, certs := range addressCertMapping { err = ioutil.WriteFile(path.Join(directory, "cert-"+address+".pem"), certs.Cert, 0644) if err != nil { return WriteFile(path.Join(directory, "key-"+address+".pem"), certs.Key, 0644) if err != nil { return err } err = ioutil.WriteFile(path.Join(directory, "ca-cert-"+address+".pem"), certs.CaCert, 0644) if err

instance. kubernetes://redis- master-2353460263- 1ecey.my-namespace source.ip ip_address Source workload instance IP address. 10.0.0.117 source.labels map[string, string] A map of key-value pairs attached the source instance. version => v1 destination.port int64 The recipient port on the server IP address. 8080 request.time timestamp The timestamp when the destination receives the request. This should

a contract match 7 address = contract[“foo”] 8 headers = request_handle:headers() 9 -- send the request somewhere else 10 response = request_handle:httpCall(address,headers,..) 11 -- respond

#IstioCon Problem In the case of Inbound, 4-tuple key may conflict due to same src/dst ip address #IstioCon Use pod ip as hash key Use pod_ip to generate a unique key is a way to distinguish

1) and back (outbound) ○ eBPF program also tracks connections from Envoy (127.0.0.6) to Pod IP address and back (inbound) ○ eBPF program also tracks connections from Envoy to Envoy(in the same node)

TYPE DESCRIPTION INVENTORAY Inventory includes service, service_instance, endpoint, network_address. They are metadata for SkyWalking. Don’t delete these. INDICATOR All metric data belong to this

Istio step by step Best practice: from Spring Cloud to Istio Preserve original source address within Istio Performance tuning and best practices in a Knative based, large-scale serverless

maintainting E2E, service tests, component tests adds up very quickly • What happens if you do not address the problem? – Thorough test coverage can take a lot of time and effort – Realistic outcome: Just

Management for non-HTTP/gRPC - only layer-3 to layer-6 ● Routing based on headers under layer-7 ○ IP address ○ TCP Port ○ SNI ● Observability - only TCP metrics ○ TCP sent/received bytes ○ TCP opened/closed