Using BCC and bpftrace with Performance Co-Pilot Andreas Gerstmayr October 28, 2020 Source: https://pcp.io https://github.com/iovisor/bcc https://bpftrace.org 2 eBPF Compiler Collection bpftrace bpftrace BCC high-level tracing language for eBPF Performance Co-Pilot system performance analysis toolkit Performance Co-Pilot 3 Toolkit for collecting, analyzing, visualizing and responding to the

#IstioCon Using ECC Workload Certificates (pilot-agent environmental variables) Jacob Delgado / Aspen Mesh #IstioCon ECC workload certificates ● In various environments, the need for x509 certificates cryptography (using ECDSA P-256) to use this feature ● Only ECDSA P-256 is supported #IstioCon pilot-agent environmental variables Disclaimer: Environmental variables and their use are considered experimental set the ECC_SIGNATURE_ALGORITHM environmental variable on sidecar ejection to ECDSA for use by pilot-agent ○ For gateways this environmental variable also must be set on installation/upgrade #IstioCon

common environments such as Kubernetes clusters. • Istio Pilot: The service running within the istiod service that handles service discovery. • Istio Ingress/Egress: Networking controls allowing inbound test plan was created which matched areas of code with specific security controls (e.g. service discovery, certificate lifecycle, side car injection) to focus testing efforts. Istio does not currently have lacks many hardening controls and should be replaced with a more secure-by-default option. • The Pilot admin interface exposes unnecessary ser- vices and is accessible to anyone within a default cluster

Istio 流量管理 – 概览 • 控制面下发流量规则： Pilot • 数据面标准协议：xDS • 集群内Pod流量出入： Sidecar Proxy • 集群外部流量入口：Ingress Gateway • 集群外部流量出口：Egress Gateway（可选,在一个集中点对外部访问进行控制） • Service discovery • Load balancing • Time out • • Retries • Circuit breaker • Routing • Auth • Telemetry collecting 外部流量出口 外部流量入口 Pilot 2 Istio 流量管理 – 控制面 两类数据： q 服务数据（Mesh 中有哪些服务？缺省路由） v Service Registry § Kubernetes：原生支持 § Consul、Eureka 等其他服务注册表：MCP Istio 流量管理 – 控制面 – 服务发现 • K8s Service ： Pilot 直接支持 • ServiceEntry： 手动添加 Service 到 Pilot 内部注册表中 • WorkloadEntry：单独添加 Workload，对于虚机支持更友好 • MCP 适配器： 将第三方注册表中的服务加入到 Pilot 中 Consul MCP Adapter https://github.

#IstioCon Fully Local go run ./pilot/cmd/pilot-discovery go run ./pilot/cmd/pilot-agent #IstioCon Fully Local go run ./pilot/cmd/pilot-discovery go run ./pilot/cmd/pilot-agent + Fast! Bottleneck is #IstioCon Cluster Remote Istiod, local proxy go run ./pilot/cmd/pilot-agent #IstioCon Cluster Remote Istiod, local proxy go run ./pilot/cmd/pilot-agent + Rapid iteration - Very different from production Local Istiod, remote proxy Cluster go run ./pilot/cmd/pilot-discovery #IstioCon Local Istiod, remote proxy Cluster go run ./pilot/cmd/pilot-discovery + All of the benefits of running Istiod locally

Elasticsearch operator（如果不可 用）。 MAISTRA-862 Galley 在多次命名空间删除和重新创建后丢弃了监控并停止了向其他组件提供配 置。 MAISTRA-833 Pilot 在多次命名空间删除和重新创建后停止了交付配置。 MAISTRA-684 istio-operator 中默认的 Jaeger 版本为 1.12.0，它与 Red Hat OpenShift Service SERVICE MESH 架 架构 构 9 Mixer 强制执行访问控制和使用策略（如授权、速率限制、配额、验证和请求追踪），并从 Mixer 代理服务器和其它服务收集遥测数据。 Pilot 在运行时配置代理。Pilot 为 Envoy sidecars 提供服务发现，智能路由的流量管理功能（例 如 A/B 测试或 canary 部署），以及弹性（超时、重试和电路断路器）。 Citadel 用于发布并轮转证书。Citadel OpenShift Service Mesh 中的多租户和集群范围安装的比较 多租户安装和集群范围安装之间的主要区别在于 control plane 部署使用的权限范围，比如 Galley 和 Pilot。组件不再使用集群范围的 RBAC（Role Based Access Control）资源 ClusterRoleBinding ，而是 依赖项目范围内的 binding。 members 列表中的每个项目对与

Kiali 1.36.13 spec: runtime: components: pilot: container: env: PILOT_ENABLE_GATEWAY_API: true PILOT_ENABLE_GATEWAY_API_STATUS: true # and and optionally, for the deployment controller PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER: true OpenShift Container Platform 4.8 Service Mesh 6 1.2.2.6. Red Hat OpenShift Service Mesh 2 减少 Service Mesh control plane 的资源使用情况和启动时间。 通过降低网络间 control plane 通讯来提高性能。 添加对 Envoy 的 Secret Discovery Service（SDS）的支持。SDS 是一个更加安全有效地向 Envoy side car proxies 发送 secret 的机制。 match: context:

队完成公司第一代基于Kubernetes的云平台开发和第 二代基于Kubernetes的DevOps云平台开发 来自于浙江大学SEL实验室目录 CONTENTS Kubernetes平台下的微服务演进 Pilot核心功能解读 Pilot-Agent核心流程解读Kubernetes平台下的微服务演进当我们在讨论微服务的时候我们在讨论什么？ • 解决如何微服务的问题 • 解决微服务化后带来的问题 温饱问题 • 计算资源的快速分配 Centralized Logging API Gateway Job Management Singleton Application Load Balancing Service Discovery Configuration Management Application Packaging Deployment & Scheduling Process Isolation Environment 功能上的重叠 • 服务降级 • 细粒度的鉴权（服务间的调用） • RPC支持 • 跨语言的问题 • …云平台微服务演进之Service Mesh云平台微服务演进之Service Mesh Pilot Envoy • 服务发现 • Envoy生命周期管理 • Envoy配置下发 • 服务模型 • 配置模型 • 负载均衡 • 智能路由（灰度、蓝绿） • 流量管理（超时、重试、熔断）

default, Knative does not enable service mesh, it uses Istio as an Ingress Gateway. • Enable Secret Discovery Service (SDS) to monitor and mount secrets under istio-system to ingress gateway which contains o Istiod MEM bumped with large numbers of Knative Services (#25532) Mem usage optimization of pilot resolved this issue. • Tune CPU/MEM to ensure enough capacity Leveraged Metrics to monitor Istio Istiod. o From envoy logs, transient 503 UH "no healthy upstream" errors. o From Grafana dashboard, Pilot Pushes shows long latencies. • Detect and analyze Istio scalability issue #IstioCon o Radom peaks

Others Admin Debug State Upstream&C onnpool Pilot SOFARegistry Consul Nacos Consul Others Control Plane MCP Data flow Control flow xDS Discovery Client Metrics Admin REST API Request Request Other http filter AntVip/Pilot Trace ID filter Other http filter(via GoLang) Header to metadata http filter Router http filter Cluster subset LB Cluster Manager/xDS Discovery 1 2 4 1 2 Envoy SOFA Nacos Others Cluster Manager/xDS Pilot SOFARegistry Antvip Nacos Antvip Others Control Plane MCP Data flow Control flow xDS Discovery Client Admin API REST API Request REST