Gray Release Practice for Kubernetes Container Applications Based on Istio
service | "unknown" source_version: source.labels["version"] | "unknown" destination_service: destination.service | "unknown" destination_version: destination.labels["version"] | "unknown" response_code: Gray release: blue-green Gray release: A/B Testing Gray release: Canary releases Gray release: based on Kubernetes RC Version2 SVC SVC Pod1 Pod2 Pod3 SVC Pod1 Pod2 Version1(canary) 40% svcB svcA KubeAPIServer 60% Scheduler Controller- name: v2 weight: 80 Version2 Envoy SVC Envoy SVC Pod1 Pod2 Pod3 Envoy SVC Pod1 Pod2 Version1(canary) 20% svcB svcA Rules API Pilot 80% Istio Gray release: based on request content Version2 Envoy SVC Envoy SVC
0 credits | 38 pages | 14.93 MB | 1 year ago

Gray Release Practice for Kubernetes Container Applications Based on Istio
service | "unknown" source_version: source.labels["version"] | "unknown" destination_service: destination.service | "unknown" destination_version: destination.labels["version"] | "unknown" response_code: Gray release: blue-green 18 Gray release: A/B Testing 19 Gray release: Canary releases 20 Gray release: based on Kubernetes RC Version2 SVC SVC Pod1 Pod2 Pod3 SVC Pod1 Pod2 Version1(canary) 40% svcB svcA KubeAPIServer 60% Scheduler Controller- name: v2 weight: 80 Version2 Envoy SVC Envoy SVC Pod1 Pod2 Pod3 Envoy SVC Pod1 Pod2 Version1(canary) 20% svcB svcA Rules API Pilot 80% 23 Istio Gray release: based on request content Version2 Envoy SVC Envoy
0 credits | 34 pages | 2.64 MB | 5 months ago

Istio Security Assessment
Istio Security Assessment Google August 6, 2020 – Version 1.1 Prepared for Arun Kumar R Prepared by Mark Manning Jeff Dileo Divya Natesan Andy Olsen Feedback on this project? https://my.nccgroup Synopsis In the summer of 2020, Google enlisted NCC Group to perform an assessment on the open-source version of Istio and all of its components. Istio is a modern service mesh technology stack often used within NCC-GOIST2005-003 on page 14, the Default production profile could be updated or replaced by a hardened version that describes each of the security controls in more detail. See Appendix B on page 40. 8 | Google
0 credits | 51 pages | 849.66 KB | 1 year ago

Istio is a long wild river: how to navigate it safely
● Moving HTTP/2 load-balancing from client-side to Envoy ● Label selector updates for app and version labels ● Istio default retry policy ● Istio proxy performance and load testing ● Abstracting the Track 48 Label selector updates for app and version labels Adopting Istio ● Is there anyone in the audience who was prescient enough to use the app or version before starting Istio? ● Chances are huge app and version labels Adopting Istio First, headless services, now labels... Who said that migrating to Istio is only about adding sidecars?? 50 Label selector updates for app and version labels
0 credits | 69 pages | 1.58 MB | 1 year ago

13 Istio Traffic Management Principles and Protocol Extension, Zhao Huabing
headers) TARS ServantName ServantName, FuncName, Context Dubbo service name service name, service version, service method Any RPC Protocol service name in message header some key:value pairs in message header • Dubbo version-based routing • Dubbo traffic splitting • Follow-up plans: • Support for other protocols: Thrift, Redis, TARS … • Provide managed Aeraki in TCM, giving customers third-party protocol support 16 Aeraki project follow-up plans Dubbo [Done] Default routing [Done] Version-based routing Traffic splitting [Todo] Header based routing [Todo] RDS (requires data-plane cooperation) Thrift [Done] Default routing [Done] Version-based routing [Done] Traffic splitting [Todo] Header based routing [Todo] Rate limit [Todo] RDS (requires data-plane cooperation)
0 credits | 20 pages | 11.31 MB | 5 months ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
tes.Bytes()) } func main() { maliciousGzip := createMaliciousGzip() // Below is a minimized version of https://github.com/istio/istio/blob/master/operator/pkg/util/tgz/tgz.go#L70 (Extract()) uncompressedStream time.Millisecond * 500, requestMaxRetry: requestMaxRetry, } } // Fetch implements a minimized version of istio.io/pkg/wasm.(f *HTTPFetcher).Fetch() // The main minimization is: // - Removal of logging specifications of SLSA v0.1 that are outlined here: https://slsa.dev/spec/v0.1/requirements. This version of compliance requirements is currently in alpha and is likely to change. Istio performs well in
0 credits | 55 pages | 703.94 KB | 1 year ago

Optimal Canary Deployments using Istio and how it scores over Spring Cloud and Kubernetes
External Traffic 75% 25% POD POD POD POD S E R V I C E (ClusterIP) 75% 25% POD POD Cross-version Traffic My-data-service Service Demo-canary Service Canary Releases Using Spring Cloud Demo-canary V1 Service Instance V1 My-data-service Service Service Instance V2 SPRING EUREKA Cross-version Traffic Load Balancer My-data-service Service Demo-canary Service Canary Releases Using Spring V1 Service Instance V1 My-data-service Service Service Instance V2 SPRING EUREKA Same-version Traffic SPRING EUREKA Service Instance V2 Service Instance V2 Service Instance V2 Service
0 credits | 9 pages | 1011.00 KB | 1 year ago

How HP set up secure and wise platform with Istio
Platform – Extra Authorization Version 1 : Istio Mixer authz adapt Implement role-based authorization – whether this user can access this api based on its role => Version 2: Envoyfilter ext_authz #IstioCon
0 credits | 23 pages | 1.18 MB | 1 year ago

Preserve Original Source Address within Istio
listener filter adds support for HAProxy Proxy Protocol. This implementation supports both version 1 and version 2, it automatically determines on a per-connection basis which of the two versions is present
0 credits | 29 pages | 713.08 KB | 1 year ago

Extending service mesh capabilities using a streamlined way based on WASM and ORAS
configPatches: - applyTo: HTTP_FILTER match: …. patch: …. workloadSelector: labels: app: productpage version: v1 19 Generated Istio Envoy Filter resource (2) apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: configPatches: - applyTo: HTTP_FILTER match: …. patch: …. workloadSelector: labels: app: productpage version: v1 20 Updated Deployment - mount the wasm filter file into the Proxy container via hostpath apiVersion: extensions/v1beta1 kind:
0 credits | 23 pages | 2.67 MB | 1 year ago