5s) Knative service provisionings with route ready time <= 30s. Type Info K8s Cluster Capacity 12 nodes in 3 zones, 16 vCPU * 64 Gi MEM Knative Version Knative 0.16, 0.17, 0.18 Istio Version 1.5, 1.6 istio-validation container by modifying the injection template. Mitigations: o When adding new worker node, make sure daemonset pod of istio CNI plugin is up and running before knative pods scheduling

peak on API Gateway ● 1 main production Google Kubernetes Engine (GKE) cluster ● 12k+ pods ● 750+ nodes Istio at Mercari 7 Istio at Mercari Apr 2019 Started Istio PoC Sep 2019 First release important for performance. ● Default -> 2 ● For minimal performance impact -> Workers = vCPU (1 worker/vCPU) ● Load test your workloads at different level of concurrency and resources ● Account for

放 内 存 记 录 s t a t 状 态 更 新 调度器 L 4 网 络 过 滤 L 7 H T T P 过 滤 路 由 处 理 上 游 连 接 池 • 分为Envoy主线程及worker线程： • 主线程： • 负责初始化Envoy并读取解析配置文件 • 启动gRPC监听器，并启动xDS变化监听 • 启动日志写入线程，每个目标日志文件有独立线程负责输出 • 启动concurrency数目的工作线程 RESTful监听，处理运行状态输出，prometheus收集等请求 • 定期将工作线程内监控数据stat进行合并 • 定期刷新DNS信息，加速域名解析。 • 目标cluster内主机列表健康状态判断。 • worker线程： • 通过启动配置参数concurrency指定，不支持动态调整。 • 启动virtualoutbound/virtualinbound网络监听，每个工作线程都对此监听端口进行监听。 由内核随机挑选监听线程处理新连接。 Copyright © Huawei Technologies Co., Ltd. All rights reserved. Page 14 Envoy网络及线程模型-网络处理 系统内核 Worker Thread Dispatcher LibeventDispatcher 待清理对象 ListenerManager Listener Connection 创建 监听 socket

üMixer使用协程池处理Adapter ü处理完成所有Adapter才响应Envoy 疑问 协程池堵塞是否会影响envoy性能？Mixer协程池 ü 初始化一定量worker（协程） ü 监听同一队列 ü 任务放入队列 ü Worker处理任务Jaeger架构设计Mixer阻塞对envoy的影响 压测环境： ü 模拟接口延迟响应 ü 使用hey压力工具 ü 相同压力 ü 先用hey进行预热 ü 从10份数据中取中位数解决方案

(which are static) into Pod IP addresses CNI plugins: allocate ip addresses for workloads exist in nodes CNI interface Calico Antrea Flannel Istio CNI CNI Daemonset Calico Antrea Flannel Istio CNI Networking routing rule to workload iptable Issue in Istio CNI Could happen in suddenly increased nodes and premptable nodes Bypassing all iptable rules set by data plane proxies Troubleshooting Istio CNI Check

if an administrator expected the egress controls to restrict outbound network communications, the worker could simply use UDP to communicate outside of the cluster. • 1337 UID bypass: Istio’s sidecar creates

Intuit Statistics ● 900+ Teams ● 5000+ Developers ● 200+ Clusters ● 7000+ Namespaces ● ~9200 Nodes varies with autoscaling Hub and Spoke API Gateway Book Info Payments Product Info ✓

Application Deployment: Cloud Layout ● Multiple K8s Clusters in an AZ ○ Each K8s cluster ~ 200 - 5,000 nodes ○ Upto 100,000 Pods in a cluster ○ 10,000+ K8s services - including prod, pre-prod, staging, etc

Leverage eBPF ● Target Pod/VMs on the same node ● Use case: edge computing ○ Limited number of nodes ○ More traffic across Pod/VMs on the same node #IstioCon QUIC ● A new transport protocol ●