## Using ECC Workload Certificates ## (pilot-agent environmental variables) Jacob Delgado / Aspen Mesh ## I stioCon ## ECC workload certificates - In various environments, the need for x509 certificates use ECC cryptography (using ECDSA P-256) to use this feature • Only ECDSA P-256 is supported ## pilot-agent environmental variables Disclaimer: Environmental variables and their use are considered experimental set the ECC_SIGNATURE_ALGORITHM environmental variable on sidecar ejection to ECDSA for use by pilot-agent ☐ For gateways this environmental variable also must be set on installation/upgrade ## istioctl

management services for Istio. mixc Utility to trigger direct calls to Mixer's API. pilot-agent Istio Pilot agent. ✓ istio_ca Istio Certificate Authority (CA). ✓ istio control interface Istio Pilot. sidecar-injector Kubernetes webhook for automatic Istio sidecar injection. ## Pilot-Agent——管理生命周期（PA） 启动 envoy 热重启 envoy 监控 envoy 优雅关闭 envoy  get listen sockets (3) start drain (4) fetch stats (5) terminate parent ## 热重启涉及以下步骤 • Pilot-Agent只是负责启动S，其他步骤由envoy完成。 • 1. 启动另外一个S进程（Secondary process） • 2. S通知P（Primary process）关闭其管理的端口，由S接管

rnetes的云平台开发和第二代基于Kubernetes的DevOps云平台开发 来自于浙江大学SEL实验室 Kubernetes平台下的微服务演进 Pilot核心功能解读 Pilot-Agent核心流程解读 ## 目录 CONTENTS  ## Pilot-Agent的部署形式 pilot ~/go/src/istio.io/istio/pilot cmd pilot-agent main tools codecov.requirement OWNERS External Libraries Scratches and Consoles pilot-agent在pilot/cmd包下面，是个单独的二进制。 pilot-agent 跟 envoy 打包在同一个 docker 镜像里，镜像由 Dockerfile.proxy 定义， Makefile（include 🔧 tools/istio-docker

则 • istio-proxy容器启动pilot-agent进程，使用UID=1337 GID=1337创建Envoy启动命令行与配置文件 - 可以通过自定义deployment内istio注解sidecar.istio.io/inject: “false” 跳过自动注入过程，或修改部分启动参数。 ### 2. 控制面通信 • Pilot-agent进程本身创建UDS接收Envoy连接，用 于证书更新下发。并且与istiod建立证书更新通道。 Envoy 通过pilot-agent转发机制与istiod建立长连接，通过xDS协议接收系统下发的监听器、路由、集群节点等更新信息。 ### • 3. 数据面通信 • 客户端请求进入容器网络，并被iptables规则拦截，经过DNAT后进入Envoy virtualOutbound监听器 • virtualOutbound经过监听过滤 > ## Envoy问题分析方法 ## 查看istio配置 • 通过pilot-agent：访问Envoy 15000端口，指定url获取： • kubectl exec -it $podname -c istio-proxy -- pilot-agent request GET /config_dump > config.json 查看listener：istioctl

PILOT_SCOPE_GATEWAY_TO_NAMESPACE environment variable feature setting, which, if enabled, configures the pilot-agent such that "a gateway workload can only select gateway resources in the same namespace" applicable";4 however, it is unclear how such a setting would be configured for the istio-ingressgateway pilot-agent and this would likely break standard Istio configurations from the Istio documentation which rely what situations, dangerous Istio annotations should be allowed. If such attestation is desired, pilot-agent template generation should be revisited to ensure that all templating performs output encoding

debugger is not trivial ## Fully Local go run ./pilot/cmd/pilot-discovery go run ./pilot/cmd/pilot-agent ## Fully Local  Challenging to have multiple proxies ## Remote Istiod, local proxy Cluster go run ./pilot/cmd/pilot-agent ## Remote Istiod, local proxy ![Image](/uploads/documents/a/1/4/6/a146b4326a708f4d32d9ab286b21ab7e/p9_1

go#L122|if err != nil { return r}| |tio/istio/blob/a7e57f950edc9f06b29f977d82fd8dfa9ae5f35b/pilot/cmd/pilot-agent/status/server.go#L758|w.WriteHeader(http.StatusInternalServerError)} else {w.WriteHeader(http.StatusOK)conn |---|---| |https://github.com/istio/istio/blob/a7e57f950edc9f06b29f977d82fd8dfa9ae5f35b/pilot/cmd/pilot-agent/status/server.go#L499|if envoy != nil {envoy.Close)}if application != nil {application.Close)}|

agnostic-tools/proxy-cmd/ Pilot agent config https://istio.io/latest/docs/reference/commands/pilot-agent/ Istio Sidecar Configuration https://istio.io/latest/docs/reference/config/networking/sidecar/

hook in the istio-proxy container manifest lirecycle: postStart: exec: command: - pilot-agent - wait Fortunately, it is handled automatically since Istio 1.8 by setting the `holdA

agnostic-tools/proxy-cmd/ Pilot agent config https://istio.io/latest/docs/reference/commands/pilot-agent/ Istio Sidecar Configuration https://istio.io/latest/docs/reference/config/networking/sidecar/