## Accelerate Istio-CNI with ebpf Xu Yizhou & Guo Ruijing ## Agenda • Istio-CNI • tcp/ip stack overhead between sidecar and service • Background knowledge of ebpf • Acceleration for Inbound/Outbound/Envoy

e will be responsible for attaching/detaching an eBPF program to the corresponding interface. istio-cni will continuously watch namespace and pod events on its node. Similar to cni-plugin case, attachment/detachment profile=ambient --skip-confirmation --set values.cni.ambient.redirectMode="ebpf" ### 3. Check the istio-cni logs to confirm eBPF redirection is on: ambient Writing ambient config: {"ztunnelReady":

istio/istio/tools/istio-iptables/pkg/dependencies/implementation.go (line 30) - istio/istio/cni/cmd/istio-cni/iptables.go (line 59) - istio/istio/istioctl/cmd/dashboard.go (line 370) Impact Malicious actors externalCommand.Stderr = os.Stderr } return externalCommand.Run() } - istio/istio/cni/cmd/istio-cni/iptables.go (line 59) func (ipt *iptables) Program(netns string, rdrct *Redirect) error { netnsArg

openshift-operators delete ds -lmaistra-version $ oc delete clusterrole/istio-admin clusterrole/istio-cni clusterrolebinding/istio-cni $ oc delete clusterrole istio-view istio-edit $ oc delete clusterrole jaegers.jaegertracing $ oc delete cm -n openshift-operators istio-cni-config $ oc delete sa -n openshift-operators istio-cni # 第 2 章 SERVICE MESH 1.X #### 2.1. SERVICE MESH 发行注记 ![Image](/uploads/documents/e/7/8/d/e78d openshift-operators daemonset/istio-node $ oc delete clusterrole/istio-admin clusterrole/istio-cni clusterrolebinding/istio-cni $ oc delete clusterrole istio-view istio-edit $ oc delete clusterrole jaegers.jaegertracing