Istio Security Assessment
operational deployment • preview: enables experimental features The “default” profile (used to generate the Kubernetes config shown in Appendix D on page 44) is “recommend for production deployments” Description As discussed in the istio/istio GitHub repository’s issue #25652,12 as part of its process to generate Envoy configurations from DestinationRule policies, Istio translates the DestinationRule trafficPolicy • Envoy Configuration Template Rendering: The current implementation used by pilot-agent to generate the initial Envoy proxy configuration uses the Golang text/template package to render a text template
0 points | 51 pages | 849.66 KB | 1 year ago

Secure your microservices with istio step by step
metadata: name: reviews spec: host: reviews trafficPolicy: tls: mode: ISTIO_MUTUAL 1) Generate client and server certificates and keys 2) Create a secret for the ingress gateway: productpage-credential port to send request: From curl command: need attaching certificate file Access productpage 1) Generate client and server certificates and keys 2) Create a secret for the ingress gateway: productpage-credential
0 points | 34 pages | 67.93 MB | 1 year ago

Accelerate Istio-CNI with ebpf
may conflict due to same src/dst ip address #IstioCon Use pod ip as hash key Use pod_ip to generate a unique key is a way to distinguish socket from different network namespace #IstioCon Outbound
0 points | 15 pages | 658.90 KB | 1 year ago

Using ECC Workload Certificates (pilot-agent environmental variables)
… ASN1 OID: prime256v1 NIST CURVE: P-256 istiod will generate a self-signed CA certificate using RSA if plugged in custom CA certificates aren’t specified
0 points | 9 pages | 376.10 KB | 1 year ago

How HP set up secure and wise platform with Istio
Metrics Distributed Traces Access Logs #IstioCon Excellent Observability Istio(envoy) can generate access logs for service traffic in a configurable set of formats #IstioCon Excellent Observability
0 points | 23 pages | 1.18 MB | 1 year ago

Song Jingchao: From Open-Source Istio to Enterprise-Grade Services: How to Adopt a Service Mesh in the Enterprise
Indicates that the configurations to be added to the group will use macro APIs that automatically generate Istio APIs under the hood. ● Direct: Indicates that the configurations to be added to the group
0 points | 30 pages | 4.79 MB | 5 months ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
Benchmark: Kperf (https://github.com/knative-sandbox/kperf) is a benchmark tool for Knative which can generate specific Knative Service provisioning workload and provides aggregated data of Knative Service
0 points | 23 pages | 2.51 MB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
VMs ● Onboard steps ○ Setup Internal Load Balancers (ILBs) for Kube DNS, Pilot, Mixer and CA ○ Generate configs for VMs, incl. `cluster.env`, DNS config, Istio authN secrets etc. ○ Setup dnsmasq, Istio
0 points | 50 pages | 2.19 MB | 1 year ago

Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer 7 Traffic in an Istio Service Mesh
Envoy Code changes at the Pilot side: ● Add AwesomeRPC support in VirtualService API ● Generate LDS/RDS for Envoy Filter AwesomeRPC Filter ● Decoding/Encoding ● Routing ● Load balancing ● Circuit
0 points | 29 pages | 2.11 MB | 1 year ago

Istio is a long wild river: how to navigate it safely
Sidecar CRDs Stabilizing Istio ● Do not expose Sidecar CRD to users, use a service definition to generate Sidecar ● Use protocol specific traffic sniffing (i.e. gRPC call discovery) to find out dependencies
0 points | 69 pages | 1.58 MB | 1 year ago