Istio is a long wild river: how to navigate it safely
Kubernetes is pretty bad at load-balancing it ● So we solved it by using a client-side load-balancing library + Headless Services Headless services are to us what ClusterIP services are to common people! However Make sure Istio-enabled callers update their config with the ClusterIP service ○ Keep a double standard during migration Compounding to hundreds of services, the cost is terrible so be strategic 47 Calling authn/z service on each call? Depending on the answers, the application RPS measured in library may vary between 2 and n times when using Istio. 61 Istio proxy performance and capacity Adopting
0 points | 69 pages | 1.58 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
file close ● 1 certificate skipping ● 1 case unhandled errors ● 1 case of using a deprecated library ● 1 race condition 2 Istio Security Audit, 2023 Notable findings Issue 10 - “H2c handlers are verification Low High Yes 7 Unhandled errors Informational n/a Yes 8 Use of deprecated 3rd party library Low High Yes 9 TOCTOU race conditions in file utils Medium High Yes 10 H2c handlers are uncapped 1024*1024*10), f.destDirRoot) } 40 Istio Security Audit, 2023 8: Use of deprecated 3rd party library Severity: Low Difficulty: High Fixed: Yes Affected components: ● pkg/model Vectors: ● CWE-1104:
0 points | 55 pages | 703.94 KB | 1 year ago
Istio Security Assessment
setting would be configured for the istio-ingressgateway pilot-agent and this would likely break standard Istio configurations from the Istio documentation which rely on a shared istio gateway. This feature plane can obtain unauthenticated access to this information. Description The Golang trace profiling library used by Pilot provides administrators debug information about Pilot itself including detailed runtime
0 points | 51 pages | 849.66 KB | 1 year ago
Istio Meetup China: Service Mesh Security, Understanding Istio CNI
to visualize problem areas, tune performance, and add substrate features. Istio is the industry-standard service mesh control plane that makes it easier to connect, observe, and secure microservices.
0 points | 19 pages | 3.17 MB | 1 year ago
Preserve Original Source Address within Istio
is present. - Proxy Protocol Transport Socket #IstioCon HTTP XFF x-forwarded-for (XFF) is a standard proxy header which indicates the IP addresses that a request has flowed through on its way from
0 points | 29 pages | 713.08 KB | 1 year ago
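Extending service mesh capabilities using a streamlined way based on WASM and ORAS
Proxy-side configuration 9 OCI Registry As Storage ● The reference implementation of the OCI Artifacts project, which significantly simplifies storing arbitrary content in an OCI registry; ● The ORAS API/SDK library can be used to build custom tools, ○ to push WebAssembly modules to an OCI registry; ○ or to pull WebAssembly modules from an OCI registry; ● The oras CLI is similar to the docker CLI 10
0 points | 23 pages | 2.67 MB | 1 year ago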