Is Your Virtual Machine Really Ready-to-go with Istio?
connects with a valid identity token ● All we have to do is ○ specify a new WorkloadGroup with a template (to create WorkloadEntry) ○ create a ServiceEntry (to select specific workloads) #IstioCon What control on top ○ Provides independent streams ■ Extremely similar to HTTP/2, but in the transport layer ● Improvements ○ TCP head-of-line blocking ○ Faster handshakes ○ Earlier data ○ Connection-ID ● CapEx, OpEx #IstioCon RDMA (Remote Direct Memory Access) ● Advanced transport protocol (same layer as TCP and UDP) ● Main features ○ Remote memory r/w semantics in addition to send/receive ○ Kernel
50 pages | 2.19 MB | 1 year ago

Extending service mesh capabilities using a streamlined way based on WASM and ORAS
json:application/vnd.module.wasm.config.v1+json example-filter.wasm:application/vnd.module.wasm.content.layer.v1+wasm ○ Wasm artifact image specification references ■ https://github.com/solo-io/wasm/blob/master/spec/README.md ■ https://istio Mount the wasm filter file into the Proxy container via hostPath:
apiVersion: extensions/v1beta1
kind: Deployment
metadata: .…
spec: ….
  template:
    metadata:
      annotations:
        sidecar.istio.io/userVolume: '[{"name":"wasmfilters-dir","hostPath":{
23 pages | 2.67 MB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
mesh enabled ● Reference Agenda #IstioCon Knative and Istio Istio is the default networking layer solution of Knative. It is leveraged for Net-istio is a Knative ingress controller for Istio. istio-validation is introduced. o We can remove the istio-validation container by modifying the injection template. Mitigations: o When adding a new worker node, make sure the daemonset pod of the Istio CNI plugin is up
23 pages | 2.51 MB | 1 year ago

Istio is a long wild river: how to navigate it safely
resources and concurrency Abstracting Istio Adopting Istio ● Should you expose a whole new layer of YAMLs to people who are already overfed with them? The answer is no. ● Should you require your users to handle the Sidecar CRD Policy and GitOps CI/CD pipeline to apply them ● We are exploring Cuelang to template a simple DSL for managing various features ○ Full Istio onboarding (lifecycles, injection…) ○
69 pages | 1.58 MB | 1 year ago

Full-stack service mesh - Aeraki helps you manage any layer-7 traffic in an Istio service mesh
RPC RPC RPC Message Message Message Cache RDB NoSQL We need to manage multiple types of layer-7 traffic in a service mesh, not just HTTP and gRPC ● RPC: HTTP, gRPC, Thrift, Dubbo, proprietary ● Messaging: Kafka, RabbitMQ … ● Cache: Redis, Memcached ... ● Database: MySQL, PostgreSQL, MongoDB ... ● Other Layer-7 Protocols: ... Control Plane (Traffic Management, Security, Observability) #IstioCon What Do We Expect From a Service Mesh? To decouple infrastructure operations from application code, we need layer-7 traffic management capabilities: ● Routing based on layer-7 headers ○ Load balancing at request level ○ HTTP host/header/url/method, ○ Thrift service name/method
29 pages | 2.11 MB | 1 year ago

13 Istio Traffic Management Principles and Protocol Extensions - Zhao Huabing
Istio Traffic Management Principles and Protocol Extensions, Zhao Huabing. Zhao Huabing, Tencent Cloud Service Mesh team, https://zhaohuabing.com. Service Mesh: the Service Mesh layer is a cloud-native infrastructure layer that handles inter-service communication (mainly layer-7 communication). The Service Mesh abstracts the layer-7 communication functions that each service used to implement with an SDK and implements them in a dedicated layer. The Service Mesh is transparent to the application, so the application Traffic control: service discovery, request routing, load balancing, canary release, retries, circuit breaking, fault injection. Observability: telemetry, distributed tracing, service topology. Communication security: service identity authentication, access authorization, encrypted communication. Proxy Application Layer Service 1 Istio traffic management – overview • Control plane pushes traffic rules: Pilot • Standard data-plane protocol: xDS • Traffic in and out of in-cluster Pods: Sidecar Proxy • Entry point for traffic from outside the cluster: Ingress Circuit Breaker – Layer-4 routing (IP + Port) – Layer-4 metrics (TCP packets sent/received, etc.) IP Header TCP Header Layer 7 Protocol Header Layer 7 Protocol Data The layer-7 protocols Istio supports are very limited: HTTP 1.1, HTTP2, gRPC. All other protocols can only be handled at layer 4 (control-plane support for Thrift, Redis and other layer-7 protocols is very limited).
20 pages | 11.31 MB | 5 months ago

Apache Kafka with Istio on K8s
fly certificate renewal • Kafka listeners configured in PLAINTEXT mode Security layer provided by Istio • Kafka does not process client certificates in PLAINTEXT mode Kafka client authentication with Istio • Istio provides a security layer for workloads in a uniform way • Envoy WASM filters open the gates for a whole array of useful
14 pages | 875.99 KB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
Istio Security Audit, 2023 Threat model Istio is a service mesh which is an infrastructure layer applicable to software applications. Istio is platform and language agnostic, but is often used on top
gr, err := gzip.NewReader(r)
if err != nil {
    return nil, fmt.Errorf("failed to parse layer as tar.gz: %v", err)
}
// The target file name for Wasm binary.
// https://github.com/solo-io
55 pages | 703.94 KB | 1 year ago

Moving large scale consumer e-commerce Infrastructure to Mesh
Envoy ● Internet egress using NAT gateway #IstioCon Motivation ● Reliability of the central proxy layer (HAProxy/Envoy) ● More control over load balancing ● Offload application services from networking
14 pages | 1.76 MB | 1 year ago

IstioCon 2021 Report
Chinese 51 sessions presented in English 3 Workshops covering the topics “Using Istio” (by Layer5), “Istio multiclusters” (by Solo.io), and “Istio cookbook using Kiali” (by RedHat). Office
18 pages | 912.89 KB | 1 year ago