Using BCC and bpftrace with Performance Co-Pilot Andreas Gerstmayr October 28, 2020 Source: https://pcp.io https://github.com/iovisor/bcc https://bpftrace.org 2 eBPF Compiler Collection bpftrace bpftrace BCC high-level tracing language for eBPF Performance Co-Pilot system performance analysis toolkit Performance Co-Pilot 3 Toolkit for collecting, analyzing, visualizing and responding to the

#IstioCon Using ECC Workload Certificates (pilot-agent environmental variables) Jacob Delgado / Aspen Mesh #IstioCon ECC workload certificates ● In various environments, the need for x509 certificates cryptography (using ECDSA P-256) to use this feature ● Only ECDSA P-256 is supported #IstioCon pilot-agent environmental variables Disclaimer: Environmental variables and their use are considered experimental set the ECC_SIGNATURE_ALGORITHM environmental variable on sidecar ejection to ECDSA for use by pilot-agent ○ For gateways this environmental variable also must be set on installation/upgrade #IstioCon

common environments such as Kubernetes clusters. • Istio Pilot: The service running within the istiod service that handles service discovery. • Istio Ingress/Egress: Networking controls allowing inbound test plan was created which matched areas of code with specific security controls (e.g. service discovery, certificate lifecycle, side car injection) to focus testing efforts. Istio does not currently have lacks many hardening controls and should be replaced with a more secure-by-default option. • The Pilot admin interface exposes unnecessary ser- vices and is accessible to anyone within a default cluster

#IstioCon Fully Local go run ./pilot/cmd/pilot-discovery go run ./pilot/cmd/pilot-agent #IstioCon Fully Local go run ./pilot/cmd/pilot-discovery go run ./pilot/cmd/pilot-agent + Fast! Bottleneck is #IstioCon Cluster Remote Istiod, local proxy go run ./pilot/cmd/pilot-agent #IstioCon Cluster Remote Istiod, local proxy go run ./pilot/cmd/pilot-agent + Rapid iteration - Very different from production Local Istiod, remote proxy Cluster go run ./pilot/cmd/pilot-discovery #IstioCon Local Istiod, remote proxy Cluster go run ./pilot/cmd/pilot-discovery + All of the benefits of running Istiod locally

Kiali 1.36.13 spec: runtime: components: pilot: container: env: PILOT_ENABLE_GATEWAY_API: true PILOT_ENABLE_GATEWAY_API_STATUS: true # and and optionally, for the deployment controller PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER: true OpenShift Container Platform 4.8 Service Mesh 6 1.2.2.6. Red Hat OpenShift Service Mesh 2 减少 Service Mesh control plane 的资源使用情况和启动时间。 通过降低网络间 control plane 通讯来提高性能。 添加对 Envoy 的 Secret Discovery Service（SDS）的支持。SDS 是一个更加安全有效地向 Envoy side car proxies 发送 secret 的机制。 match: context:

typically is Istiod. 2. To receive ADS requests from Envoy and forward these to the specified discovery server which typically is Istiod. Istiod handles certificate signing requests via the IstioCAServiceServer Severity: Low Difficulty: High Fixed: Yes Affected components: ● pkg/wasm ● Istio Agent ● Istio Pilot ● Istioctl Vectors: ● CWE-295: Improper Certificate Validation ID: ADA-IST-6 Fix: https://github 37 Istio Security Audit, 2023 tio/istio/blob/a7e57f 950edc9f06b29f977 d82fd8dfa9ae5f35b/ pilot/cmd/pilot-agent /status/server.go#L7 58 w.WriteHeader(http.StatusInternalServerError) } else { w.WriteHeader(http

list in one of the Cilium pods and validate that all nodes are discovered correctly. If the node discovery is not working, run cilium kvstore get --recursive cilium/state/nodes/v1/ and check if an entry variant of Pilot to inject the Cilium network policy filters into each Is�o sidecar proxy: $ curl -s https://raw.githubusercontent.com/cilium/cilium/v1.5/examples/ku $ awk -f cilium-pilot.awk \ < ${ISTIO_HOME}/install/kubernetes/helm/istio/charts/pilot/templates/ > istio-cilium-helm/charts/pilot/templates/deployment.yaml Configure the Is�o’s sidecar injec�on to setup the transparent

Erica Virtual Assistant (6/18) Note: We assume a start at zero users from Erica’s launch in 6/18. Pilot users excluded. Source: Bank of America (2/21, 4/24, 2/25) Bank of America Erica Virtual Assistant USA Food & Drug Administration, ‘FDA Announces Completion of First AI-Assisted Scientific Review Pilot and Aggressive Agency-Wide AI Rollout Timeline’ (5/25); NITRD.gov (5/25) New AI-Enabled Medical Devices Pre-Clinical Candidate Status marks the point at which a lead molecule (or biologic) has satisfied all discovery-stage gates and is officially handed off to the development organization for work related to beginning

WASM Multi Cluster Global Service Failover Multi Mesh 4 | Copyright © 2020 Orders Citadel Pilot Galley User Account Istiod Understanding Istio: Control and data planes data plane control webassemblyhub.io/yuval/addheader-rust:v1 --cluster mgmt-cluster --labels app=ratings Extension Config Discovery Service EXTERNAL AUTH RATE LIMITING ROUTER UPSTREAM WASM gRPC TRANSCODER ECDS 16 | Copyright

ServiceCenter Java-chassis ServiceComb Pilot Citadel Istio ServiceComb open-source ecosystem Zipkin Prometheus Skywalking ... Go-SDK Registration and discovery Service Mesh is compatible with the