Taming the C++ Filter View
©2024 by josuttis.com 1 C++ Nicolai M. Josuttis josuttis.com @NicoJosuttis Taming the C++ Filter View September 17, 2024 16:45 - 17:45 MDT ©2024 by josuttis.com 2 C++ Nicolai M. Josuttis • Independent Other Topics: – Systems Architect – Technical Manager – SOA – X and OSF/Motif Nico Josuttis C++ Filter View @cppcon 2024-09-17 1 ©2024 by josuttis.com 3 C++ Views C++20 ©2024 by josuttis.com 4 C++ print(coll2); Output: 0 8 15 47 11 42 1 0 1 8 11 15 42 47 C++20 template Nico Josuttis C++ Filter View @cppcon 2024-09-17 2 ©2024 by josuttis.com 5 C++ C++20: Views void print(const auto& coll)
43 pages | 2.77 MB | 6 months ago
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
based on WASM and ORAS 王夕宁 | Alibaba Cloud Service Mesh (ASM) 2 Envoy's Filter Chain Listener Downstream Filter Filter Filter Cluster Upstream Filter Chain Extend with custom filters and configure them dynamically through the xDS API L4 Network Filters L7 Http Filters Listener Downstream Filter Filter Filter Cluster Upstream Filter Chain Listener Downstream Filter Filter Filter Cluster Upstream Filter Chain 4 Envoy filters used in the actual example: listening on port 9080 envoy.filters.network.metadata_exchange envoy.http_connection_manager Cluster Productpage service Filter Chain envoy.filters.http.wasm/envoy.wasm.metadata_exchange Istio_authn kubectl exec -it [productpage-xxx]
23 pages | 2.67 MB | 1 year ago
Preserve Original Source Address within Istio
here can be load balancers like envoy/haproxy/nginx which have already supported proxy protocol #IstioCon Istio Traffic Flow – inner cluster svcA svcB envoy envoy Pod1:10.244.0.20 Pod2:10.244.0.25 svcB envoy envoy Pod1:10.244.0.19 Pod2:10.244.0.25 Dest: 127.0.0.1 Src:127.0.0.1 Ingress gateway ELB ingress EIP: 192.168.1.100 #IstioCon What does envoy provide? - Original source filter "envoy listener filter replicates the downstream remote address of the connection on the upstream side of Envoy. For example, if a downstream connection connects to Envoy with IP address 10.1.2.3, then Envoy will
29 pages | 713.08 KB | 1 year ago
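OpenShift Container Platform 4.8 Service Mesh
18. CONNECTING SERVICE MESHES 1.19. EXTENSIONS 1.20. USING THE 3SCALE WEBASSEMBLY MODULE 1.21. USING THE 3SCALE ISTIO ADAPTER 1.22. TROUBLESHOOTING THE SERVICE MESH 1.23. TROUBLESHOOTING THE ENVOY PROXY 1.24. SERVICE MESH CONTROL PLANE CONFIGURATION REFERENCE 1.25. KIALI CONFIGURATION REFERENCE 1.26. JAEGER CONFIGURATION REFERENCE 1.27. UNINSTALLING SERVICE MESH and support for later versions. 1.2.2.1.1. Component versions included in Red Hat OpenShift Service Mesh version 2.2.3 Component Version Istio 1.12.9 Envoy Proxy 1.20.8 Jaeger 1.36 Kiali 1.48.3 1.2.2.2. New features in Red Hat OpenShift Service Mesh version 2.2.2 and support for later versions. 1.2.2.2.1. Component versions included in Red Hat OpenShift Service Mesh version 2.2.2 Component Version Istio 1.12.7 Envoy Proxy 1.20.6 Jaeger 1.36 Kiali 1.48.2-1 1.2.2.2.2. Copying route labels In this release, in addition to copying annotations, you can also copy specific labels for OpenShift routes. Red
344 pages | 3.04 MB | 1 year ago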
Developing & Debugging WebAssembly Filters
plane 5 | Copyright © 2020 Extend Envoy Proxy with Filter Develop: Envoy Filters are written in C++ Async Build: need to recompile and maintain a build of Envoy EXTERNAL AUTH RATE LIMITING ROUTER Custom Envoy Filter 6 | Copyright © 2020 Portable Secure Fast Any Language Outside the Web Web Assembly 7 | Copyright © 2020 Extend Envoy Proxy with Web Assembly (Wasm) Polyglot: Envoy Filters dynamically update w/o Envoy restarts, no hard dependencies or cascading failures Speed: Near native performance Sustainable: Eliminates need to recompile and maintain a build of Envoy EXTERNAL AUTH RATE
22 pages | 2.22 MB | 1 year ago
Istio Security Assessment
allowing inbound and outbound access of Istio services. • Istio Envoy Usage: The configuration and implementation of Envoy within Istio (NOTE: Envoy itself was not part of the assessment). • Istio Control interface exposes unnecessary services and is accessible to anyone within a default cluster. • The Envoy Proxy admin port is exposed via the Istio sidecar and would allow a malicious workload to override branch up to July 15th, 2020. Commit: 7353c84b560fd469123611476314e4aee553611d istio/proxy Istio Envoy Proxy code in the master branch up to July 15th, 2020. Commit: c51fe751a17441b5ab3f5487c37e129e44eec823
51 pages | 849.66 KB | 1 year ago
Cilium v1.11 Documentation
connectivity between microservices. Traditional Linux network security approaches (e.g., iptables) filter on IP address and TCP/UDP ports, but IP addresses frequently churn in dynamic microservices environments pod / container identity (in contrast to IP address identification in traditional systems) and can filter on application-layer (e.g. HTTP). As a result, Cilium not only makes it simple to apply security particular port is either completely trusted or blocked entirely. Cilium provides the ability to filter on individual application protocol requests such as: Allow all HTTP requests with method GET and
1373 pages | 19.37 MB | 1 year ago
How HP set up secure and wise platform with Istio
Connect With Istio #IstioCon Secure Platform • JWT Verify • Mutual TLS • Authorization Policy • Envoy External Authorization #IstioCon Secure Platform #IstioCon Secure Platform – JWT Verify Using traffic, the traffic always goes through the Envoy proxies first. • When mTLS is enabled between two services, the client side and server side's "envoy proxies" verify each other's identities before #IstioCon Wise Platform Using envoy filter to handle things from platform level, reduce workload of developers. EnvoyFilter provides a mechanism to customize the Envoy configuration generated by Istio
23 pages | 1.18 MB | 1 year ago
Cilium v1.10 Documentation
connectivity between microservices. Traditional Linux network security approaches (e.g., iptables) filter on IP address and TCP/UDP ports, but IP addresses frequently churn in dynamic microservices environments pod / container identity (in contrast to IP address identification in traditional systems) and can filter on application-layer (e.g. HTTP). As a result, Cilium not only makes it simple to apply security particular port is either completely trusted or blocked entirely. Cilium provides the ability to filter on individual application protocol requests such as: Allow all HTTP requests with method GET and
1307 pages | 19.26 MB | 1 year ago
Cilium v1.9 Documentation
connectivity between microservices. Traditional Linux network security approaches (e.g., iptables) filter on IP address and TCP/UDP ports, but IP addresses frequently churn in dynamic microservices environments pod / container identity (in contrast to IP address identification in traditional systems) and can filter on application-layer (e.g. HTTP). As a result, Cilium not only makes it simple to apply security particular port is either completely trusted or blocked entirely. Cilium provides the ability to filter on individual application protocol requests such as: Allow all HTTP requests with method GET and
1263 pages | 18.62 MB | 1 year ago













