redefining-service-mesh-leveraging-ebpf-to-optimize-istio-ambient-architecture-and-performance-zhou-jie-daepzhi-ebpf-istiohou-rexia-yuxing-zeng-alibaba-cloud.pdf

《redefining-service-mesh-leveraging-ebpf-to-optimize-istio-ambient-architecture-and-performance-zhou-jie-daepzhi-ebpf-istiohou-rexia-yuxing-zeng-alibaba-cloud.pdf》由会员分享，可在线阅读，更多相关《redefining-service-mesh-leveraging-ebpf-to-optimize-istio-ambient-architecture-and-performance-zhou-jie-daepzhi-ebpf-istiohou-rexia-yuxing-zeng-alibaba-cloud.pdf（25页珍藏版）》请在三个皮匠报告上搜索。

1、Redefining Service MeshLeveraging eBPF to Optimize Istio Ambient Architecture andPerformanceTechnical Expert,Alibaba CloudIstio&Envoy member,has rich experiences in cloud native fields such as Kubernetes、Networking、Istio、Envoy、Nginx Ingress、CoreDNS,etc.Yuxing ZengSpeakerIstio history201720202022Isti

2、o 1.5,Simplified Istio(istiod)2023Istio 1.18,Ambientto AlphaIstio1.22,Ambientto Beta?2024Istio Data Plane Mode:Sidecar-AmbientSidecarModeYAMLDev/Ops/SREControl planeistio-proxyistio-proxyapp Aapp BSidecarSidecarContainerContainerMachine/PodMachine/PodDataControl planeData planeApplicationPlaneReques

3、tPodConfigurationConfigurationChallenges with Sidecar ModePERFORMANCEOVERHEADCOSTOPERATIONALCOMPLEXITYAbout AmbientHBONE encapsulationGoal:Simplify OperationsCost ReductionImprove PerformanceIstio Ambient ModeL4 featuresDesign Concept:Layer the data plane to allow users to adopt service mesh technoD

4、esign Concept:Layer the data plane to allow users to adopt service mesh technologies in a more incremental manner.logies in a more incremental manner.Traffic management：TCP RouteSecurity：authorization policy for the L4ObservabilityTraffic management：HTTP Route、Load Balance、Circuit Breakers、Rate limi

5、t、Retry、Timeout、Faultinjection etc.Security：authorization policy for the L7Observability：Trace、metrics、logsL7 featuresSeparation of Business Applications and Data Plane Proxies in IstioApp AApp CApp AWaypoint ProxyNodeApp BApp CNodeApp CApp DNodeztunnelztunnelztunnelApp BWaypoint ProxyK8sGatewayCRWa

6、ypoint ProxyControllerWaypointrun completely independently of the application,enhancing security;each identity(service account in Kubernetes)has its own dedicated L7 proxy,avoiding the complexity and instability introduced by a multi-tenant L7 proxy modelztunnelThe traffic from the workload is redir