## Accelerate Istio-CNI with ebpf Xu Yizhou & Guo Ruijing ## Agenda • Istio-CNI • tcp/ip stack overhead between sidecar and service • Background knowledge of ebpf • Acceleration for Inbound/Outbound/Envoy Inbound/Outbound/Envoy to Envoy ## I stio-CNI - The Istio CNI plugin performs the Istio mesh pod traffic redirection in the Kubernetes pod life-cycle’s network setup phase. - Removing the requirement for the and NET_RAW capabilities for users deploying pods into the Istio mesh. The Istio CNI plugin replaces the functionality provided by the istio-init container. ![Image](/uploads/documents/5/a/b/b/5abb1

## Istio Meetup China 服务网格安全—— 理解 Istio CNI 张之晗 Tetrate 工程师/Istio 社区 Release Manager ## About me Istio 1.10 Release Manager, Istio Community, 2021-Present GetMesh(GetIstio) core contributor, Istio Community Community, 2021-Present Tetrate Service Bridge developer, Tetrate.io, 2021-Present Istio Developer(Security SIG), Istio Community, 2020-Present Anthos Service Mesh, Google Inc, 2020 ## Leading Cloud Native p3_1.jpg) Varun Talwar Co-founder/CEO Co-creator gRPC, Istio Jeyappragash (JJ) Co-founder Chair CNCF SIG Security Zack Butcher Istio Steering Committee Lizan Zhou Envoy Senior Maintainer Sheng

well as from applications in user space • Map type O HASHMAP O SOCKHASH: Hold socket as value Istio Meetup China  ## ebpf socket in SOCKHASH map and determine its destination socket ➢ Help functions: BPF_MSG_REDIRECT_HASH Istio Meetup China ## Work Flow of Acceleration ## • sock_ops ○ Capture socket in specific states and Outbound Acceleration  Istio Meetup China ## Envoy to Envoy Acceleration(same host) envoy socket local_ip: 10.0.0.3 local_port:

## Local Istio Development John Howard / @howardjohn / Google ## I stioCon ## Fully Cloud docker pull ## Fully Cloud  6b4326a708f4d32d9ab286b21ab7e/p5_1.jpg) + Reproducible configuration with other developers and Istio tests Easy to setup bespoke clusters, including enabling alpha features and multicluster Local resource speed + No Istio dependency. Great for minimal Envoy bug reproductions Great for rapid iteration of Envoy options Very different from production environment May be challenging to reproduce Istio configurations

[Image](/uploads/documents/a/5/9/c/a59c70e237af7d1abccba9edbfb1edb2/p10_3.jpg) WEB AssemblyHub ## Simplified Istio Multicluster Model API server Istiod API server Istiod Service A ◇ Ingress Service B Mirror bug-report #IstioCon ## You Are Innovating Too Fast! #IstioCon ## I stio Feature Process Tracked at the Istio enhancements repository Checklist and approval required for feature promotions: Experimental-&g [Image](/uploads/documents/a/5/9/c/a59c70e237af7d1abccba9edbfb1edb2/p18_19.jpg) ## 2020 : Year of Istio Innovation Simplified installation Simplified control plane New extension Model Unified multicluster

## Experiences from running Istio in a k8s production environment Line Moseng @linemoseng Johnny Horvi ## /nciv// 5,2 million ## 2023 年10月15日   ## app ## ↓ Istio RBAC Kubernetes Network Policy ## naiscar ## Lessons learned ## What's next? ## @nais_io @linemoseng

Google enlisted NCC Group to perform an assessment on the open-source version of Istio and all of its components. Istio is a modern service mesh technology stack often used within Kubernetes clusters to facilitated by its control plane. The goal of the assessment was to identify security issues related to the Istio code base, highlight high risk configurations commonly used by administrators, and provide perspective partnership with Google's Istio subject matter experts. ## Scope NCC Group's evaluation of Istio included: - Istio Architecture: The overall design and architecture of Istio as it is deployed within

an API Gateway? • What is a Service Mesh? Common Features API Gateway + Service Mesh together! Istio as the API Gateway Advantages • Challenges • Where It Isn’t a Good Fit? ## What is an API Gateway

Service Mesh Meetup #4 上海站 2018.11.25 Observability And Istio Telemetry 吴晟 Apache SkyWalking Creator Apache ShardingSphere Co-founder Microsoft MVP Tetrate founding Engineer Bitmain tech expert tensions/v1beta1/namespace/istio-system/deployments/istio-policy| |source.workload.uid|string|Unique identifier of the source workload.|istio://istio-system/workloads/istio-policy| |source.workload.name|string|Source name|string|Source workload name.|istio-policy| https://istio.io/docs/reference/config/policy-and-telemetry/attribute-vocabulary/ # Metric settings in Istio bypass adaptor # instance for template metric

## Taming Istio Configuration with Helm Ryan Michela / @ryanmichela / Salesforce IstioCon ## I n this talk This is a talk about using Helm with Istio Look at helm from a new perspective • Helm helps helps automate Istio day-2 tasks • Helm gitops ## HELM ## HELM The package manager for Kubernetes It's not just for installation anymore! ## HELM ## What is Helm? • Installer for Charts • Define need most of Helm to get the most from Helm! ## Managing Istio with Helm ## How does Helm relate to Istio? - Istio install built on Helm • Istio runs on YAML - Our services are installed with YAML