quickly • What happens if you do not address the problem? – Thorough test coverage can take a lot of time and effort – Realistic outcome: Just create E2E tests • What is our solution? – Leverage Istio Early testing of services components auto-generated from end-to-end tests – Significantly reduced time and cost for API testing for microservices architectures with Istio – Fewer failures higher up the services as a single sub-system while isolating them from other services, for example payment processing system | CONFIDENTIAL 5 Current approaches do not scale with #APIs Service Tests E2E API

compo- nents that were actively being updated during testing so testers used the latest release at the time of testing which was 1.6.5 along with specific commits for the code base shown below: • github.com/istio/istio routing metadata for Gateways and possibly other resources declared in other namespaces. However, due to time constraints, NCC Group was unable to determine if this is the case. Description By default, Istio that prioritization of hostname matching is based on the creation time of hostnames used by Gateway resources instead of the creation time of the Gateway resources themselves. As it is unclear if such an

throughout the period of the audit. Found issues were reported as they came up which gave the Istio team time to triage and assess criticality. Results summarised 6 fuzzers written and added to Istio's OSS-Fuzz a/authenticate/fuzz_test.go#L21 The fuzzers were merged ad-hoc so they could run throughout the audit. At the time of the end of the audit, the these are the stats of the fuzzers: Fuzzer Total executions Total hours fmt.Errorf("wasm module download failed after %v attempts, last error: %v", attempts, lastError) } time.Sleep(b.NextBackOff()) continue } if resp.StatusCode == http.StatusOK { body, err := io.ReadAll(resp

#IstioCon 1. Minimize time to bug detection Dev -> PR -> master -> QA -> prod 3 steps away to find a problem #IstioCon 2. Allow simultaneous tests Only one commit at a time from your microservice before anything happens ● VirtualService evaluation order matters #IstioCon Checkpoint 1. Minimize time to bug detection: yes 2. Allow simultaneous tests: yes 3. Reuse infrastructure: yes #IstioCon Drawbacks Contract header needs to be preserved all the way through the call chain #IstioCon Demo time #IstioCon Thank you ! ● Your laptop as part of the service mesh @ Medium ● Reference implementation

a checklist(action) At 2018-0930(time) 日志输出（Transaction ID） C(application) Trasanctionid（CA SDK support） TOM (who) Create a checklist(action) At 2018-0930(time) 日志输出 B(application) Trasanctionid（CA Trasanctionid（CA SDK support） TOM (who) Create a checklist(action) At 2018-0930(time) 日志输出 Get the corresponding logs for one time request by transaction ID Request(Transaction ID)Java探针的基本原理 A.class 1 2

Goal ■ Understand Istio control-plane performance to support eBay scale ■ Proxy config convergence time (CDS, EDS, LDS, RDS push times) ■ Resource usage (CPU, memory, etc.) ○ Secondary Goal ■ Fine-tune Setup ○ Create Gateway Pods & thousands of Pods with sidecar Envoys ○ Measure Config convergence time ■ Time taken by all sidecars to get config from Pilot without any errors ■ For thousands of services cluster ○ Disabled egress traffic to restrict config pushed to sidecars ● Main Takeaways ○ P99.9 time from single Pilot instance to 0 - 3,000 sidecars < 1 second ○ Pilot CPU & memory within acceptable

to let downstream gRPC connections terminate, drain the Envoy listeners and sleep to give enough time for draining remaining connections. The last command is to handle container restart cases. 19 Workaround: the second part of the presentation. 28 Are you prepared to handle Istio? Stabilizing Istio Main time consumers with Istio: 1. Troubleshooting 2. Spreading adoption 3. Supporting new features 29 pipeline when onboarding with Istio This approach is quite similar to canary release so you gain time by investing into it 52 Istio default retry policy Adopting Istio Another good surprise from Istio:

cluster should support 1000 sequential (interval 5s) Knative service provisionings with route ready time <= 30s. Type Info K8s Cluster Capacity 12 nodes in 3 zones, 16 vCPU * 64 Gi MEM Knative Version Knative Service provisioning • Random missing endpoint issue is fixed #IstioCon • Tuning debounce time could mitigate the envoy overload issue Istio scalability optimization during Knative Service provisioning Activator needs to probe the service endpoint since it cannot access pods by IP directly. And it takes time for Istiod to discover the endpoint of ready pods and then push them to the sidecar. o Istio-proxy

Extendable Aggregation Functions • Aggregation Function • Count • Calls per minute • Avg response time • Sum • Thermodynamic • P99/P95/P90/P75/P50Grammar & Official OAL ScriptUnderstand new storage SkyWalking. Don’t delete these. INDICATOR All metric data belong to this. They are in min/ hour/day/hour time level. They are named by Rule: scopename_funcName_timeLevel RECORD Segment and AlarmRecord belong

docs draft throughout a release which is finalized before the release ships.. Reality: Week(s) of time for release managers to sift through commits to figure out what changed and write notes, often and hours to minutes for patch releases. Better communication of what’s important to users and more time saved for developers. #IstioCon Feature Maturity ● Consistent checklist of requirements for each