| CONFIDENTIAL Leveraging Istio for Creating API Tests Low Effort API Testing for Microservices | CONFIDENTIAL • What has changed? – Migration to microservices triggering need for extensive #bugs-in-production, Reduced eng effort for testing, velocity) – Early testing of services components auto-generated from end-to-end tests – Significantly reduced time and cost for API testing for microservices architectures Questions 2 Structure | CONFIDENTIAL 3 API-driven applications exploding Service Testing Component Testing E2E API Tests Engineering effort grows superlinearly as #APIs grow Customer services

specific security controls (e.g. service discovery, certificate lifecycle, side car injection) to focus testing efforts. Istio does not currently have a reference design for what an ideal Kubernetes cluster with many open source compo- nents that were actively being updated during testing so testers used the latest release at the time of testing which was 1.6.5 along with specific commits for the code base shown a lack of validation on the VirtualService Gateway fields that could allow route hijacking • In testing, it did not appear to be possible to secure the control plane either by the controlPlaneSecuri ty

updates for app and version labels ● Istio default retry policy ● Istio proxy performance and load testing ● Abstracting the Istio features 44 Moving HTTP/2 load-balancing from client-side to Envoy Adopting bigger cost ● Case 2: Adjust based on workloads + Resource cost is low - Tremendous cost in load-testing and adjusting values 59 Istio proxy performance and capacity Adopting Istio ● One size fits can we adjust the sidecar size? ○ VPA? Not working ○ HPA? Not applicable ○ Load testing application, load testing the sidecar -> seems the only way We just want a dynamic smart autoscaler for Istio

Murthy #IstioCon Agenda ● Introduction ● Applications Deployment ● Service Mesh Journey ● Scale Testing ● Future Direction #IstioCon Introduction: eBay at a glance 185M Number of Active Buyers worldwide scale …? ● Extensive Data-plane & Control-plane scale testing ● Data-plane performance of Envoy is well documented ● Control-plane scale testing ○ Primary Goal ■ Understand Istio control-plane performance configuration params - debounce interval, push concurrency, etc. #IstioCon Control-plane Scale Testing: Setup ● Setup ○ Create Gateway Pods & thousands of Pods with sidecar Envoys ○ Measure Config

#IstioCon Upgrade Working Group - Test Infrastructure ● Extend and improve the testing infrastructure ● Extend and add testing of upgrades across all supported methods. #IstioCon Definition of Done each maturity level: experimental, alpha, beta, and stable ● Ensuring appropriate documentation, testing, and code completion is done for each level ● Making sure that features continue to mature #IstioCon

istio-system spec: selector: matchLabels: istio: ingressgateway jwtRules: - issuer: testing@secure.istio.io jwksUri: "https://raw.githubusercontent.com/istio/istio/re lease-1.8/securi spec: action: ALLOW rules: - from: - source: requestPrincipals: ["testing@secure.istio.io/testing@sec ure.istio.io"] #IstioCon Authorize ingress traffic with JWT token ● Apply RequestAuthentication

infrastructure to run tests #IstioCon Why don’t you ? ● Mock ? ● Contract testing ? #IstioCon Mock ? Contract testing ? At a scale of 800+ providers ? Mocks are like any other software:

users to add these to their application code. It also offers more advanced features to support A/B testing, canary deployments, rate limiting, access control, encryption and end-to-end authentication. Istio to machine-in-the-middle attacks unless custom verification is used. This should be used only for testing or in combination with VerifyConnection or VerifyPeerCertificate.” The issue was found to have no

Promoting revision based upgrades ○ Support skip-level upgrades ○ Pre & Post Upgrade checks ○ Better testing mirroring production use cases ● Enhanced troubleshooting ● Aligning APIs with Istio user roles

security Edge Cluster Workload Operation GitOps Gatekeeper RBAC Audit log Metrics Security testing tools Security dashboard Prometheus Kiali Security Lifecycle Concepts Secure Monitor Enforce