Istio Meetup China: Service Mesh Security, Understanding Istio CNI
Networking and CNI. Race condition issues in Istio CNI during node bootstrap. Community solutions to Istio CNI. CNI basics. Kube-proxy: exists on each node and manages iptables. iptables: responsible for translating container (faster startup speed). Taint the node when Istio CNI has not been installed, and untaint the node when it is ready. Inspired by a planned Kubernetes extension (Node Readiness Gate). Useful links: CNI beta, beta RFC, Istio CNI Race Condition Mitigation, CNI beta Graduation, Kubernetes Node Readiness Gates. Q&A @tetrateio Tetrate https://tetrate.io THANK YOU For any further queries, feel free to contact us at
(19 pages, 3.17 MB, 1 year ago)

Istio-based Grey Release Practice for Kubernetes Container Applications
to connect, manage, and secure microservices. Istio project. Istio from the microservice perspective: evolution of governance forms. Node 1: svc1, own business logic, SDK, Sidecar, service governance. Node 2: svc 2, own business logic, SDK, Sidecar, service governance. Communication basics: service discovery, load balancing, circuit breaking and fault tolerance, dynamic routing … for (encapsulation++) { application intrusion--; application intrusion--; governance location--; } Istio from the microservice perspective: service mesh, service mesh control plane. Istio from the infrastructure (Kubernetes) perspective: service access. Node svca svcc svcb.ns svcc.ns svcb svcd svce svce.ns svcd.ns svcd.ns Kube-proxy Kube-APIServer ServiceIp Backend. Istio & Kubernetes: architectural integration. Kube-APIServer Etcd istioctl / kubectl Pilot Envoy SVC Pod Node Envoy SVC Pod Node Envoy SVC Pod list/watch (Service, Endpoints, Pod) user. Istio & Kubernetes: unified service discovery
(38 pages, 14.93 MB, 1 year ago)

Istio-based Grey Release Practice for Kubernetes Container Applications
connect, manage, and secure microservices. Istio project. Istio from the microservice perspective: evolution of governance forms. Node 1: svc1, own business logic, SDK, Sidecar, service governance. Node 2: svc 2, own business logic, SDK, Sidecar, service governance. Communication basics: service discovery, load balancing, circuit breaking and fault tolerance, dynamic routing … for (encapsulation++) { application intrusion--; application intrusion--; governance location--; } Istio from the microservice perspective: service mesh, service mesh control plane. Istio from the infrastructure (Kubernetes) perspective: service access. Node svca svcc svcb.ns svcc.ns svcb svcd svce svce.ns svcd.ns svcd.ns Kube-proxy Kube-APIServer ServiceIp. Istio & Kubernetes: architectural integration. Kube-APIServer Etcd istioctl / kubectl Pilot Envoy SVC Pod Node Envoy SVC Pod Node Envoy SVC Pod list/watch (Service, Endpoints, Pod) user. Istio & Kubernetes: unified service discovery
(34 pages, 2.64 MB, 5 months ago)

Istio Security Assessment
security controls that, if an Istio service is compromised, may allow an attacker to compromise a Node or Cluster. Description: The default configuration provided by istioctl does not enable seccomp or Configs, authn_model.ConstructSdsSecretConfig(res.GetResourceName(), opts.push.Mesh.SdsUdsPath, node.RequestedTypes.CDS)) // If tls.CaCertificate or CaCertificate in Metadata isn't configured don't containerization. Recommendation: For non-CNI Istio configurations, consider introducing additional per-node agent functionality to manage iptables rules for sidecar-enabled Pods. While such privileged agent
(51 pages, 849.66 KB, 1 year ago)

Is Your Virtual Machine Really Ready-to-go with Istio?
Leverage eBPF ● Target Pod/VMs on the same node ● Use case: edge computing ○ Limited number of nodes ○ More traffic across Pod/VMs on the same node #IstioCon QUIC ● A new transport protocol IO ● Application advantage ○ Low latency ○ High bandwidth ○ Low CPU consumption ● Istio: cross-node Proxy to Proxy kernel bypass w/ HW acceleration Quick Summary, Today Istio is ready-to-go
(50 pages, 2.19 MB, 1 year ago)

Istio Project Update
verify-install upgrade Istio simplify install helm3 Pilot Mixer Citadel Node Agent Injector Galley istio-system Node Pod Sidecar Pilot Agent Ingress Egress Istio Single Cluster Simplified
(22 pages, 1.10 MB, 1 year ago)

Accelerate Istio with eBPF
Meetup China Performance Comparison. Refactored Istio benchmarking tool ◦ Two pods run on the same node. Configurations ◦ mTLS enabled ◦ Number of Envoy workers: 2 ◦ Response payload size: 1KB. Latency address and back (inbound) ○ eBPF program also tracks connections from Envoy to Envoy (on the same node) and back (envoy to envoy) ● Works with Istio >= 1.10 ● CNI agnostic and should work with all CNIs
(15 pages, 591.60 KB, 1 year ago)

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
template. Mitigations: o When adding a new worker node, make sure the DaemonSet pod of the Istio CNI plugin is up and running before Knative pods are scheduled on the node. o A cron job could help to detect whether
(23 pages, 2.51 MB, 1 year ago)

5 tips for your first Istio.io Contribution
Istio.io Work Automation Indicator #7734 Add IBM Cloud Kubernetes Service specific instructions for node port Ingress Host #7663 Homepage Redesign Proposal “First and foremost: as
(14 pages, 717.74 KB, 1 year ago)

Using Istio to Build the Next 5G Platform
io/how-to-capture-packets-that-dont-exist/ Optical Tap Network Analyzer Encrypted traffic w/PFS Intra node traffic HTTP/2 awareness Contextual data ©2021 Aspen Mesh. All rights reserved. EP EP DDOS
(18 pages, 3.79 MB, 1 year ago)