The life of a packet through Istio

•

6 likes•3,511 views

Video link (paywalled): https://skillsmatter.com/skillscasts/12045-the-life-of-a-packet-in-istio Istio is a service mesh for Kubernetes that offers advanced networking features. It provides intelligent routing, resiliency, and security features, so that service authors don't have to keep re-implementing them. Istio is rapidly taking off and there are great introductory talks everywhere. However in this session, Matt will explore precisely how it does what it does, following one brave little packet in from the internet and back out again. Matt will share with you a great insight into Istio's full power, and you will also learn about its fascinating architecture.

Technology

through Istio
The Life of a Packet
Matt Turner
@mt165pro
mt165.co.uk
Cloud Native London
September 2018

Outline
● How a packet traverses an Istio / Envoy / Kubernetes system
● What control plane calls are made in that process
● Hopefully a useful mental model for reasoning about, and debugging Istio

The life of a packet through Istio @mt165pro

The life of a packet through Istio @mt165pro
API Serveretcd
istioctl

The life of a packet through Istio @mt165pro
ClusterIP
envoyenvoyenvoyenvoyenvoy
Load Balancer
NodePort
*.example.com
INGRESS
iptables
ClusterIP

The life of a packet through Istio @mt165pro
“Containers”
nginx
net
ipc
user
pid
uts
mnt
supervisord
nginx

The life of a packet through Istio @mt165pro
Kubernetes Pods
net
ipc
user
uts
fluentd
pid
uts
mnt
nginx
nginx
mnt
supervisord
logger

The life of a packet through Istio @mt165pro
Kubernetes Pods
nginx
net
ipc
user
fluentd
pid
uts
mnt
192.168.0.42
eth0
lo
sockets
iptables
routes
fluentd
uts
mnt
nginx
nginx
supervisord
logger

The life of a packet through Istio @mt165pro
Kubernetes Pods
nginx
net
ipc
user
uts
mnt
fluentd
pid
uts
mnt
eth0
lo
sockets
iptables
routes
:8080/tcp nginx fluentd
nginx
supervisord
logger
192.168.0.42

The life of a packet through Istio @mt165pro
Kubernetes Pods
nginx
net
ipc
user
uts
mnt
envoy
pid
uts
mnt
eth0
lo
sockets
iptables
routes
:8080/tcp nginx
nginx
192.168.0.42

The life of a packet through Istio @mt165pro
Sidecar Injection
net
ipc
user
eth0
lo
sockets
iptables
routes
192.168.0.42

The life of a packet through Istio @mt165pro
k8s consul zk
Data plane API

The life of a packet through Istio @mt165pro
Sidecar Injection
alpine
net
ipc
user
eth0
lo
sockets
iptables
routes
sysctl -w kernel.core_pattern=...
192.168.0.42

The life of a packet through Istio @mt165pro
Sidecar Injection
istio/proxy_init
net
ipc
user
eth0
lo
sockets
iptables
routes
/usr/local/bin/prepare_proxy.sh -p 15001 -u 1337
192.168.0.42

The life of a packet through Istio @mt165pro
Sidecar Injection
net
ipc
user
pid
uts
mnt
istio/proxy
pid
uts
mnt
eth0
lo
sockets
iptables
routes
:15001/tcp
nginx envoy
nginx
192.168.0.42

The life of a packet through Istio @mt165pro
Services
$ kubectl get services -o wide | grep httpbin
httpbin NodePort 10.0.0.244 <none> 80:30082/TCP 16m app=httpbin

The life of a packet through Istio @mt165pro
Service DNS exposure
# dig httpbin.default.svc.cluster.local
httpbin.default.svc.cluster.local. 23 IN A 10.0.0.244

The life of a packet through Istio @mt165pro
Pods
$ kubectl get pods -o wide | grep httpbin
httpbin-76ddd74666-2m6ds 1/1 Running 0 16m 172.17.0.13 minikube
httpbin-76ddd74666-ls66n 1/1 Running 0 16m 172.17.0.12 minikube
httpbin-76ddd74666-x5ql2 1/1 Running 0 16m 172.17.0.5 minikube

The life of a packet through Istio @mt165pro
Endpoints
$ kubectl get endpoints | grep httpbin
httpbin 172.17.0.12:8000,172.17.0.13:8000,172.17.0.5:8000 21m

The life of a packet through Istio @mt165pro
Endpoints
$ kubectl get endpoints httpbin -o yaml
apiVersion: v1
kind: Endpoints
…
subsets:
- addresses:
- ip: 172.17.0.12
nodeName: minikube
targetRef:
kind: Pod
…
ports:
- name: http
port: 8000
protocol: TCP

The life of a packet through Istio @mt165pro
IP 5-tuple
(src_addr, src_port, dst_addr, dst_port, proto)

The life of a packet through Istio @mt165pro
IP Router Architecture
Interrupt
Kernel module
User process
DATA PLANE
CONTROL PLANE
OSPF ARPBGP STP
Router
Information
Base
Forwarding
Information
Base

The life of a packet through Istio @mt165pro
Mixer
Mixer Fat
Client
sysdig datadog
REPORT
CHECK
Custom
auth
Custom
classifier
Mixer Fat
Client

The life of a packet through Istio @mt165pro
kittenz.com
envoyenvoyenvoyenvoyenvoy
EGRESS

Conclusion / Recap
● A packet traverses
○ Cloud
○ Kubernetes
○ Istio Ingress
○ The Pod construct
○ Envoy
○ Application
○ mTLS tunnel
○ Egress
● Pilot pre-programmes Envoys for Service Discovery
● Mixer sits on the hot path for real-time Policy
● Citadel issues certificates for mTLS

Istio is a service mesh for Kubernetes that offers advanced networking features. It provides intelligent routing, resiliency, and security features, so that service authors don’t have to keep reimplementing them. Istio is rapidly taking off and ther are great introductory talks everywhere. However in this session, we will dive deep to explore precisely how it does what it does, following one brave little packet in from the Internet and back out again. At each point we’ll see how to configure the features of that component to exploit Istio’s full potential. This will give a great insight into Istio’s full power, and its fascinating architecture.

The Life of a Packet through Istio - DevExperience Romania, April 2019

Matt Turner

Istio is a service mesh for Kubernetes that offers advanced networking features. It provides intelligent routing, resiliency, and security features, so that service authors don’t have to keep re-implementing them. Istio is rapidly taking off and there are great introductory talks everywhere. However in this session, we will explore precisely how it does what it does, following one brave little packet in from the internet and back out again. This will give a great insight into Istio’s full power, and its fascinating architecture.

Running Resillient Workloads with Istio - OpenInfra Days 2019

Matt Turner

Remember how cool Kubernetes seemed when you first started using it? A simple, easy API for scalable compute in any cloud: just a Deployment and a Service and you’re done! But as you use it more, you learn that this isn’t really enough. A production system needs requests and limits, liveness checks, HPAs, PDBs, PSPs, etc. The same is true for Istio, which can solve a lot of the problems with microservices out of the box, but isn’t magic. When you get beyond playing with bookinfo, more configuration is needed to get the most out of it. In this talk I’ll show you how to: Identify app versions, deploy canaries and run A/B tests Set timeouts Configure retries, with exponential backoff Enforce rate limits Enable circuit breakers Inject faults for testing I’ll also cover a couple of the big security features: Enabling mTLS Using service-to-service access control lists (RBAC)

Istio - The life of a packet

Matt Turner

Networks, Linux, Containers, Pods

Matt Turner

Istio, The Packet's-Eye View - KubeCon NA 2018

Matt Turner

The Istio project reached 1.0 this summer, and is mature enough to have LTS releases. It’s getting a lot of attention, but in a lot of ways it’s still a mystery. You’ve probably read about it, you might have tried it, but do you really understand it? It promises advances routing, security, and resiliency, all for free! In this session I’ll present a practical introduction to the operation of Istio - what features it can bring to your environment. What’s unique about this talk is that we’ll be exploring the different parts of Istio by following one plucky little packet into the mesh, through it, and out again. As we meet each component we’ll learn why it’s there, what it does, and see a demo of how to configure it for common tasks. This will leave you not only with slides showing example configs, but a valuable mental model and a unique insight into the service mesh’s operation.

Running Resillient Workloads with Istio - KubeCon China 2019

Matt Turner

5th tf webrtc-welcome

Mihály Mészáros

This document summarizes the agenda for the 5th TF-WebRTC meeting hosted by NORDUnet Conference 2016 in Helsinki. The key points are: 1) The meeting will bring together technical experts from browser vendors, universities, and network research and education networks to discuss the latest developments in WebRTC standardization, implementations, and services. 2) Presentations will cover topics like the WebRTC 1.0 release, CERN's integration of Vidyo with WebRTC, FCCN's WebRTC web app demos, a T4 tender for WebRTC conferencing, GN4-2 activities, and UNINETT's work on WebRTC peer-to-peer developments. 3

Istio is a service mesh for Kubernetes that offers advanced networking features. It provides intelligent routing, resiliency, and security features, so that service authors don’t have to keep re-implementing them. Istio is rapidly taking off and there are great introductory talks everywhere. However in this session, we will explore precisely how it does what it does, following one brave little packet in from the internet and back out again. This will give a great insight into Istio’s full power, and its fascinating architecture.

Running Resillient Workloads with Istio - OpenInfra Days 2019

Matt Turner

Istio - The life of a packet

Matt Turner

Networks, Linux, Containers, Pods

Matt Turner

Istio, The Packet's-Eye View - KubeCon NA 2018

Matt Turner

Running Resillient Workloads with Istio - KubeCon China 2019

Matt Turner

5th tf webrtc-welcome

Mihály Mészáros

OAuth and STUN, TURN in WebRTC context RFC7635

Mihály Mészáros

This document discusses using OAuth authentication with STUN/TURN servers in the context of WebRTC. It provides an overview of RFC 7635 and outlines the step-by-step process for a client to request an access token from an authentication server and for the STUN/TURN server to validate that token. The goal is to explain how STUN/TURN servers can leverage OAuth to authenticate clients in a WebRTC environment.

Webrtc puzzle

Mihály Mészáros

The document discusses various implementations of WebRTC technologies like STUN/TURN, MCU/SFU, gateways, and recording/streaming. It summarizes the status of standards for STUN/TURN with OAuth and efforts to standardize them in the W3C. It also outlines open source projects for WebRTC components and areas that need more work, such as refactoring code for a STUN/TURN PoC service and improving collaboration.

The Concierge Paradigm

Gareth Brown

This document discusses the "Concierge Paradigm" for simplifying container management at scale. It proposes using two fundamental components - service discovery and process orchestration - to automate common container operations. This approach leverages small scripts to automatically register, discover, and take corrective actions on containers with minimal overhead. It has been optimized over many years and allows containers to "fly on autopilot" with drastically less management than traditional frameworks.

OVS Hardware Offload with TC Flower

Netronome

LF_OVS_17_LXC Linux Containers over Open vSwitch

LF_OpenvSwitch

This document discusses using LXC Linux containers over Open vSwitch (OVS) for container networking. It provides information on the Orabuntu-LXC project which builds and installs OVS and LXC to deploy containerized Oracle software. It describes how LXC 2.1.0 added explicit support for OVS and how OVS can be configured as a systemd service. It also discusses using OVS with containerized DNS/DHCP and sending container traffic over GRE tunnels.

Containers from scratch

J On The Beach

Containers from scratch by Liz Rice What is a container? Is it really a “lightweight VM”? What happens when you type in "docker run"? In this talk you'll see exactly what a container is, as Liz builds one from scratch in a few lines of Go code. You'll learn what's happening under the covers when you start a container, and understand how namespaces, controls and chroot each contribute to the making of a container, We'll also cover what it means to run a privileged or non-privileged container.

Sipwise rtpengine

Andreas Granig

Super-Charging Kamailio

Andreas Granig

This document summarizes the author's experience optimizing Kamailio and Redis for horizontal scaling. Some of the key points covered include: - Using Redis as a persistent data store for Kamailio provides better scaling than MySQL - Tuning disk I/O settings in Debian was needed to optimize Redis performance - Tuning network I/O such as rx queues was also important for fully utilizing CPU resources - Defining custom keys for Redis is necessary to map data in a way that supports lookups by AoR - Redis persistence settings like AOF and RDB snapshots can be tuned to balance data integrity with infrastructure costs - Future work includes shipping default Redis key definitions and leveraging additional Redis features.

Kubernetes Intro

Antonio Ojea Garcia

This document provides an overview of Kubernetes. It begins by introducing Kubernetes and its origins at Google. It then discusses key Kubernetes concepts like pods, deployments, services, ingress, namespaces, labels, and storage. It explains how Kubernetes provides automation of application deployment, scaling, and management using containers. It also discusses how Kubernetes helps enable continuous integration, continuous deployment, and digital transformation. The document concludes by mentioning the Kubernetes ecosystem and Cloud Native Computing Foundation.

Metrics spark meetup

Steven Le Roux

This document summarizes a presentation about moving from OpenTSDB to Warp 10 for metrics storage and analytics. It discusses some of the drawbacks of OpenTSDB, including issues with its row key design, cardinality, and compaction. It then outlines advantages of Warp 10, such as its in-memory index, lockfree ingestion, and WarpScript query language. Examples are given of how Warp 10 supports use cases like rollups, retention policies, and histogram generation through its scripting capabilities. Metrics platforms and tools used at OVH are also mentioned.

Salottino MIX 2017 - ARouteServer - IXP Automation Made Easy

Pier Carlo Chiodi

Castoro / RubyKaigi2010

Toshiyuki Terashita

This document discusses Castoro, a distributed storage grid system built with Ruby. Castoro uses a peer-to-peer architecture with multicast replication to store files across multiple servers. It provides a client library and gateway/peer components. The author compares Castoro to similar systems like MogileFS and kumofs, and describes how Castoro has been used to provide storage for a photo sharing website. Implementation details and lessons learned about building such a large Ruby system are also shared.

Summit 16: ARM Mini-Summit - OpenFastPath is Open and Fast - Nokia

OPNFV

Quic Tools Presentation

kmunro1973

QUICTools is a toolkit for Quantel's Q System that provides media management, movement, and integration workflow solutions. It has a vast range of media management functions like browsing, searching, and editing metadata for clips across multiple Quantel servers and zones. It can also move media between file shares, FTP servers and Power Portals. Additionally, QUICTools has an open architecture that allows custom workflows to be added for integration tasks and provides APIs for developers.

Learn how to build decentralized and serverless html5 applications with embar...

Alessandro Confetti

Codemotion, Amsterdam 09/05/2018 Do you have an idea for a startup and don't want to pay for scaling it up? Forget about bandwidth problems, servers to install and pay for, with the power of IPFS, DAT and the blockchain. In this talk, we will explore how to build an HTML5 DAPP (distributed application) with EmbarkJS, and figure out how to rethink servers, storage, messaging, data and payments in a distributed and decentralised way with the help of Ethereum's smart contracts, IPFS and DAT distributed storage. Discover more at http://blog.zigolab.it

Kubernetes at Datadog Scale - Ara Pulido

PROIDEA

Kubernetes networking is complex with several components including pod networking, service networking, and DNS. Pod networking requires assigning each pod a unique IP and enabling communication between pods using CNI plugins like Flannel or Calico which implement overlay networking. Service networking is done via kube-proxy using either iptables or IPVS mode, with IPVS being more scalable. DNS lookups are handled by CoreDNS to map service names to cluster IPs. Overall, Kubernetes networking takes work to understand but the ecosystem adapts quickly to issues.

"Developing a multicurrency, multisignature wallet" by Alex Melville

ICOVO

Zero cloud adrian_otto

Data Con LA

DOD 2016 - Kamil Szczygieł - Patching 100 OpenStack Compute Nodes with Zero-d...

PROIDEA

YouTube: https://www.youtube.com/watch?v=OsgNn-D9KFc&index=15&list=PLnKL6-WWWE_VtIMfNLW3N3RGuCUcQkDMl Undisclosed vulnerabilities are very serious threat to the cloud security. Once the flaw leaks to the public information, the risk of attacks increases dramatically. In our talk we will go through case study of patching 100 OpenStack compute nodes consisting of 4000 virtual machines with zero-day patch within 16 hours. We will talk about the challenges we have encountered, how we faced them and we will answer the most important question – did we make it within 16 hours.

An introduction to MQTT - Pub / Sub for the masses

Dominik Obermaier

The Life of a Packet III - Service Mesh London

Matt Turner

This document summarizes the life of a packet traveling through a service mesh. It begins with an overview of service meshes and Istio. It then details the various components involved in routing a request through proxies like Envoy, including the control plane (Istiod), configuration distribution, routing rules, and telemetry collection. It discusses container networking, pod networking, and sidecar injection. Finally, it explores ongoing developments like eBPF-based acceleration and "ambient mesh" approaches.

The Life of a Packet through Istio III

Matt Turner

Fully updated and revised! Istio is a service mesh for Kubernetes that offers advanced networking features. It provides intelligent routing, resiliency, and security features, so that service authors don't have to keep re-implementing them. This talk explores the details of how it all works under the hood, by following one brave request in from the internet and through the mesh. This talk will guide Istio newbies through its capabilities and features, while bringing experienced users up-to-date with the many design changes that have happened in the last few years since I presented the first version.

What's hot

OAuth and STUN, TURN in WebRTC context RFC7635

Mihály Mészáros

Webrtc puzzle

Mihály Mészáros

The Concierge Paradigm

Gareth Brown

OVS Hardware Offload with TC Flower

Netronome

LF_OVS_17_LXC Linux Containers over Open vSwitch

LF_OpenvSwitch

Containers from scratch

J On The Beach

Sipwise rtpengine

Andreas Granig

Super-Charging Kamailio

Andreas Granig

Kubernetes Intro

Antonio Ojea Garcia

Metrics spark meetup

Steven Le Roux

Salottino MIX 2017 - ARouteServer - IXP Automation Made Easy

Pier Carlo Chiodi

Castoro / RubyKaigi2010

Toshiyuki Terashita

Summit 16: ARM Mini-Summit - OpenFastPath is Open and Fast - Nokia

OPNFV

Quic Tools Presentation

kmunro1973

Learn how to build decentralized and serverless html5 applications with embar...

Alessandro Confetti

Kubernetes at Datadog Scale - Ara Pulido

PROIDEA

"Developing a multicurrency, multisignature wallet" by Alex Melville

ICOVO

Zero cloud adrian_otto

Data Con LA

DOD 2016 - Kamil Szczygieł - Patching 100 OpenStack Compute Nodes with Zero-d...

PROIDEA

An introduction to MQTT - Pub / Sub for the masses

Dominik Obermaier

What's hot (20)

OAuth and STUN, TURN in WebRTC context RFC7635

Webrtc puzzle

The Concierge Paradigm

OVS Hardware Offload with TC Flower

LF_OVS_17_LXC Linux Containers over Open vSwitch

Containers from scratch

Sipwise rtpengine

Super-Charging Kamailio

Kubernetes Intro

Metrics spark meetup

Salottino MIX 2017 - ARouteServer - IXP Automation Made Easy

Castoro / RubyKaigi2010

Summit 16: ARM Mini-Summit - OpenFastPath is Open and Fast - Nokia

Quic Tools Presentation

Learn how to build decentralized and serverless html5 applications with embar...

Kubernetes at Datadog Scale - Ara Pulido

"Developing a multicurrency, multisignature wallet" by Alex Melville

Zero cloud adrian_otto

DOD 2016 - Kamil Szczygieł - Patching 100 OpenStack Compute Nodes with Zero-d...

An introduction to MQTT - Pub / Sub for the masses

Similar to The life of a packet through Istio

The Life of a Packet III - Service Mesh London

Matt Turner

The Life of a Packet through Istio III

Matt Turner

Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...

Michael Man

This document provides an overview of Istio and how it works. It discusses the key components of Istio including Envoy, Pilot, Mixer and Citadel. It explains how these components interact to route traffic between services, enforce policies and collect telemetry. The objectives are to learn how packets flow through an Istio mesh, understand the role of the control plane and build a mental model for debugging Istio.

Adding 1.21 Gigawatts to Applications with RabbitMQ (DPC 2015)

James Titcumb

As your application grows, you soon realise you need to break up your application into smaller chunks that talk to each other. You could just use web services to interact, or you could take a more robust approach and use the message broker RabbitMQ. In this talk, we will take a look at the techniques you can use to vastly enhance inter-application communication, learn about the core concepts of RabbitMQ, cover how you can scale different parts of your application separately, and modernise your development using a message-oriented architecture.

Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)

Andrew Randall

Polyglot, fault-tolerant event-driven programming with kafka, kubernetes and ...

Natan Silnitsky

At Wix, we have created a universal event-driven programming infrastructure on top of the Kafka message broker. This infra makes sure messages are eventually successfully consumed and produced no matter what failure it encounters. In this talk, you will learn about the features we introduced in order to make sure our distributed system can safely handle an ever growing message throughput in a fault tolerant manner. You will be introduced to such techniques as retry topics, local persistent queues, and cooperative fibers that help make your flows more resilient and performant. You will also learn how to make this infra work for all programming languages tech stacks with optimal resource manage using the power of Kubernetes and gRPC. When to use a client library, and when to deploy an external pod (DaemonSet) or even deploy a sidecar.

HTTP/3 over QUIC. All is new but still the same!

Daniel Stenberg

HTTP/3 is the designated name for the coming next version of the protocol that is currently under development within the QUIC working group in the IETF. HTTP/3 is designed to improve in areas where HTTP/2 still has some shortcomings, primarily by changing the transport layer. HTTP/3 is the first major protocol to step away from TCP and instead it uses QUIC. Daniel Stenberg does a presentation about HTTP/3 and QUIC. Why the new protocols are deemed necessary, how they work, how they change how things are sent over the network and what some of the coming deployment challenges will be.

SDN Training - Open daylight installation + example with mininet

SAMeh Zaghloul

This document provides instructions for installing OpenDaylight and Floodlight SDN controllers along with Mininet and examples of using them. It explains how to download a VM with all three pre-installed, how to start the controllers and Mininet, and walk through examples of using the Simple Forwarding application in OpenDaylight to install flows and enable hosts to ping each other. It also provides links to sample Floodlight and QoS applications.

HTTP/3 is next generation HTTP

Daniel Stenberg

Mininet Basics

Eueung Mulyana

This document provides an overview of Mininet, including getting started instructions, examples of usage, and tutorials on OpenFlow and MiniNAM. It outlines how to import a pre-made Mininet VM, configure access via SSH, test connectivity using ping and Wireshark, explore the included examples and topologies, add manual flow entries, capture and inspect OpenFlow packets, start an OpenFlow controller, and benchmark kernel-space versus user-space switches. Notes are also provided on using xterm, tcpdump, and ARP with Mininet hosts.

Http3 fullstackfest-2019

Daniel Stenberg

Daniel Stenberg gave a presentation on the evolution of HTTP from versions 1 to 2 to the upcoming version 3. He explained the problems with HTTP/1 and how HTTP/2 aimed to address these by using a single TCP connection with multiple streams. However, middleboxes in the internet slow the adoption of upgrades. QUIC was developed as a new transport protocol to run over UDP and enable always-encrypted connections with fewer head-of-line blocking problems. HTTP/3 defines how HTTP can be run over QUIC, providing features like independent streams and faster handshakes while keeping the basic request-response model of HTTP the same. Several challenges around implementations and tooling remain before HTTP/3 is widely adopted.

tit

Christian Heinrich

The document describes TCP Input Text (tit), a tool used in the reconnaissance phase of penetration testing to enumerate fully qualified domain names (FQDNs) and TCP ports. It implements the Google SOAP and Bing search APIs. The tool outputs plug-ins including CSV files for FQDNs, TCP ports, and Maltego transforms. The roadmap includes adding support for the Bing API v2 and merging tit-google-soap and tit-bing. Future versions may include output plugins for web proxies and translation.

Hands-on VeriFast with STM32 microcontroller @ Nagoya

Kiwamu Okabe

This document describes setting up a development environment for working with the ChibiOS/RT real-time operating system and STM32 microcontrollers using the VeriFast verification tool on Windows or macOS systems. It provides instructions for installing necessary software packages like Git, GCC, CMake and VeriFast as well as downloading customized ChibiOS/RT source code for building sample applications and verifying them using VeriFast.

Troubleshooting common oslo.messaging and RabbitMQ issues

Michael Klishin

This document discusses common issues with oslo.messaging and RabbitMQ and how to diagnose and resolve them. It provides an overview of oslo.messaging and how it uses RabbitMQ for RPC calls and notifications. Examples are given of where timeouts could occur in RPC calls. Methods for debugging include enabling debug logging, examining RabbitMQ queues and connections, and correlating logs from services. Specific issues covered include RAM usage, unresponsive nodes, rejected TCP connections, TLS connection failures, and high latency. General tips emphasized are using tools to gather data and consulting log files.

Polyglot, Fault Tolerant Event-Driven Programming with Kafka, Kubernetes and ...

Natan Silnitsky

Kubernetes Architecture and Introduction – Paris Kubernetes Meetup

Stefan Schimanski

The document provides an overview of Kubernetes architecture and introduces how to deploy Kubernetes clusters on different platforms like Mesosphere's DCOS, Google Container Engine, and Mesos/Docker. It discusses the core components of Kubernetes including the API server, scheduler, controller manager and kubelet. It also demonstrates how to interact with Kubernetes using kubectl and view cluster state.

Are we really ready to turn off IPv4?

APNIC

K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる

JUNICHI YOSHISE

Securing & Enforcing Network Policy and Encryption with Weave Net

Luke Marsden

Scaling Push Messaging for Millions of Devices @Netflix

C4Media

Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2oA2uI5. Susheel Aroskar talks about Zuul Push, a scalable push notification service that handles millions of "always-on" persistent connections from all the Netflix apps running. He covers the design of the Zuul Push server and reviews the design details of the back-end message routing infrastructure that lets any Netflix microservice push notifications to any connected client. Filmed at qconnewyork.com. Susheel Aroskar works as a software engineer on the Cloud Gateway team at Netflix, which develops and operates Zuul, an API gateway that fronts all of the Netflix cloud traffic and handles more than 100 billion requests/day. Prior to Zuul, he worked on Netflix CDN's control plane in the cloud, which is responsible for steering more than a third of all North American peak evening internet traffic.

Similar to The life of a packet through Istio (20)

The Life of a Packet III - Service Mesh London

The Life of a Packet through Istio III

Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...

Adding 1.21 Gigawatts to Applications with RabbitMQ (DPC 2015)

Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)

Polyglot, fault-tolerant event-driven programming with kafka, kubernetes and ...

HTTP/3 over QUIC. All is new but still the same!

SDN Training - Open daylight installation + example with mininet

HTTP/3 is next generation HTTP

Mininet Basics

Http3 fullstackfest-2019

tit

Hands-on VeriFast with STM32 microcontroller @ Nagoya

Troubleshooting common oslo.messaging and RabbitMQ issues

Polyglot, Fault Tolerant Event-Driven Programming with Kafka, Kubernetes and ...

Kubernetes Architecture and Introduction – Paris Kubernetes Meetup

Are we really ready to turn off IPv4?

K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる

Securing & Enforcing Network Policy and Encryption with Weave Net

Scaling Push Messaging for Millions of Devices @Netflix

More from Matt Turner

Automated Cloud-Native Incident Response with Kubernetes and Service Mesh

Matt Turner

Security incident response is a well-understood operation, with established best practices like the MITRE Att&ck Framework and the Lockheed Martin Kill Chain. Tooling to aid and automate incident response exists, but not all of it is applicable to cloud-native platforms. For example, playbook apps are generally applicable, but the steps to move compromised workloads to an isolated forensics network are platform-specific, and new implementations are needed for the cloud-native world. In this talk, Matt and Francesco will * Recap incident response 101 * Introduce some cloud-native tech including Kubernetes, Istio, and GitOps * Show an Operator built by Matt for dynamically adding complex layer-7 traffic rules in response to changes in the environment, which will be used as part of the demo * Walk you through a response to a log4shell attack against a workload in a k8s cluster: sensor alert, SIEM analysis, IRP automation (honeypots, isolation), building the IoC, and killing the attack.

apiserver-Only "Clusters" for fun and profit

Matt Turner

This document discusses deploying Kubernetes clusters without most of the Kubernetes control plane for lightweight operations. It recaps how the Kubernetes control plane works, introduces the idea of using only certain minimal parts of it, and describes a prototype built that uses less of the control plane. The document concludes by hoping this inspires others to adopt their pattern or build an even more minimal version, and provides contact information for the presenters.

Istio + SPIRE for cross-domain traffic trust in hybrid-cloud scenarios

Matt Turner

Most large organisations today have their applications in data centers and in different clouds. Each of these are operated by different business units and often are owned and operated by 3P, partners, acquired companies, vendor operated etc and thus they operate with different levels of trust. How to ensure secure communications between all these applications with different level of trust boundaries and yet maintain agility in access and compliance in runtime is what this talk will cover.

Why Is Istio That Shape?

Matt Turner

In this session, Matt will look at Istio, a Service Mesh, but no prior knowledge of Istio or the space is needed. Istio is a “smart network” comprising traffic switches and controllers. It’s had about four different architectures over time, and we’ll look at what problem each solved, and the challenges that eventually led to it being changed. We’ll talk about how the different approaches each optimised performance, scalability, and redundancy. We’ll explore analogies between the shapes of Istio and common patterns - three-tier web apps, big network routers, etc - and how Istio’s lessons are broadly applicable.

Dynamically Testing Individual Microservice Releases In Production

Matt Turner

A lot of us test new versions of services in our Production environment, since it’s the best way to get representative, reliable results. If the new service is “on the edge” of the topology then hitting it is easy, as the test clients can directly call it. But if it’s in the middle of a chain of services, then calling the current versions of all of them, except one beta version in the middle of the chain, is the dream. This kind of advanced traffic control is possible with a Service Mesh like Istio. But the configuration needed to enable this for all versions of all services is complex and error-prone. In this session Matt will show you how to use an Operator which auto-generates the necessary config. We’ll see how just deploying a new version results in all the necessary config for sophisticated “override-based testing”. Matt will walk through the technique, the underlying config, and the operator that generates it from Deployments.

Gateway APIs, Envoy Gateway, and API Gateways

Matt Turner

Up until now, Ingress routes into K8s clusters have been defined by the Ingress kind, or by vendor-specific CRDs. Neither of these were satisfactory, so a new set of built-in k8s APIs was developed - the Gateway API. In this talk, Matt will cover the motivation for a new API, its design, and show some examples of its use. He’ll then also cover implimentations of it today and in the future, and talk about the exciting merging of several of the existing ingress controllers into one new de facto standard - Envoy Gateway.

Cloud-Native Progressive Delivery

Matt Turner

An Introduction to Bazel

Matt Turner

What is a Service Mesh and what can it do for your Microservices

Matt Turner

e’ll explore what a service mesh is and what it can do for your microservices. Are the claims of observability, resiliency, and WAF features real? Are they useful during development, production, or both? Using pictures and demos, we’ll find out! This session will also briefly cover how a service mesh works, giving us a mental model with which to explore and evaluate after the talk. Matt will show a simple installation and demo, giving us all the knowledge to go home and try for ourself.

Debugging an RBAC Problem in Istio

Matt Turner

The document provides a walk-through for debugging RBAC problems in Istio. It discusses the importance of observability and controllability when debugging. Some techniques discussed include examining Envoy logs and traffic dumps to understand the system, using permissive RBAC to change things incrementally, following the request pipeline, and doing guess-and-check testing to hone in on the problem. The presentation emphasizes taking a methodical approach and not panicking to eventually solve RBAC issues in Istio.

Software Networking and Interfaces on Linux

Matt Turner

These are the days of VMs, containers, and service meshes. The network, for a long time the sysadmin’s mysterious domain, is now at the fore-front: providing overlays, security features, and headaches. It’s vital to be able to understand what’s going on under the hood of a cloud-native platform if you ever hope to debug it, but do you know a TAP from a TUN, let alone an ipvlanL3? This talk will take you through all the network interface types on modern linux, from good old eth0 to the vEths used by Docker and the tunnels used by Calico.

Do You Need a Service Mesh? @ London Devops, January 2019

Matt Turner

Bash is Testing

Matt Turner

Everyone says they’re coding in Rust these days, but they’re not. Every system has some bash-flavoured blu-tack hiding in the corners. But how well do you know this arcane, abstruse, annoying programming language? In 5 minutes, I’ll educate, entertain, and inform you about a core part of the bash language - the simple conditional statement. This irreverent and funny talk, while yes, insulting bash quite a lot, will hopefully provide a whole bunch of “oh, that’s why it does that” moments too.

Fluency

Matt Turner

An Introduction to User Space Filesystem Development

Matt Turner

This document provides an introduction to developing userspace filesystems using FUSE (Filesystem in Userspace). It discusses why filesystems are important in organizing data, and how FUSE allows filesystem development to occur in userspace rather than kernelspace. FUSE uses a POSIX-like API to handle filesystem operations and provides both high-level and low-level interfaces. The high-level interface is simpler but the low-level interface provides more control and potential performance benefits. Debugging, testing, and ensuring good performance of FUSE filesystems are also covered.

More from Matt Turner (15)

Automated Cloud-Native Incident Response with Kubernetes and Service Mesh

apiserver-Only "Clusters" for fun and profit

Istio + SPIRE for cross-domain traffic trust in hybrid-cloud scenarios

Why Is Istio That Shape?

Dynamically Testing Individual Microservice Releases In Production

Gateway APIs, Envoy Gateway, and API Gateways

Cloud-Native Progressive Delivery

An Introduction to Bazel

What is a Service Mesh and what can it do for your Microservices

Debugging an RBAC Problem in Istio

Software Networking and Interfaces on Linux

Do You Need a Service Mesh? @ London Devops, January 2019

Bash is Testing

Fluency

An Introduction to User Space Filesystem Development

Recently uploaded

Building Production Ready Search Pipelines with Spark and Milvus

Zilliz

“I’m still / I’m still / Chaining from the Block”

Claudio Di Ciccio

June Patch Tuesday

Ivanti

Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

Speck&Tech

ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune. Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile. BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).

Mind map of terminologies used in context of Generative AI

Kumud Singh

GraphRAG for Life Science to increase LLM accuracy

Tomaz Bratanic

20240609 QFM020 Irresponsible AI Reading List May 2024

Matthew Sinclair

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

Taking AI to the Next Level in Manufacturing.pdf

ssuserfac0301

Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as: 1. How quickly AI is being implemented in manufacturing. 2. Which barriers stand in the way of AI adoption. 3. How data quality and governance form the backbone of AI. 4. Organizational processes and structures that may inhibit effective AI adoption. 6. Ideas and approaches to help build your organization's AI strategy.

Full-RAG: A modern architecture for hyper-personalization

Zilliz

Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

Programming Foundation Models with DSPy - Meetup Slides

Zilliz

Artificial Intelligence for XMLDevelopment

Octavian Nadolu

In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject. We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup. Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved. The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring. The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise. By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.

AI 101: An Introduction to the Basics and Impact of Artificial Intelligence

IndexBug

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

panagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/ DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen! Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell. Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten. Diese Themen werden behandelt - Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten - Wie funktionieren CCB- und CCX-Lizenzen wirklich? - Verstehen des DLAU-Tools und wie man es am besten nutzt - Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw. - Praxisbeispiele und Best Practices zum sofortigen Umsetzen

Video Streaming: Then, Now, and in the Future

Alpen-Adria-Universität

In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.

Infrastructure Challenges in Scaling RAG with Custom AI models

Zilliz

Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.

Microsoft - Power Platform_G.Aspiotis.pdf

Uni Systems S.M.S.A.

Ocean lotus Threat actors project by John Sitima 2024 (1).pptx

SitimaJohn

Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.

Generating privacy-protected synthetic data using Secludy and Milvus

Zilliz

During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.

Recently uploaded (20)

Building Production Ready Search Pipelines with Spark and Milvus

“I’m still / I’m still / Chaining from the Block”

June Patch Tuesday

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

Mind map of terminologies used in context of Generative AI

GraphRAG for Life Science to increase LLM accuracy

20240609 QFM020 Irresponsible AI Reading List May 2024

Removing Uninteresting Bytes in Software Fuzzing

Taking AI to the Next Level in Manufacturing.pdf

Full-RAG: A modern architecture for hyper-personalization

20240607 QFM018 Elixir Reading List May 2024

Programming Foundation Models with DSPy - Meetup Slides

Artificial Intelligence for XMLDevelopment

AI 101: An Introduction to the Basics and Impact of Artificial Intelligence

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

Video Streaming: Then, Now, and in the Future

Infrastructure Challenges in Scaling RAG with Custom AI models

Microsoft - Power Platform_G.Aspiotis.pdf

Ocean lotus Threat actors project by John Sitima 2024 (1).pptx

Generating privacy-protected synthetic data using Secludy and Milvus

The life of a packet through Istio

1. through Istio The Life of a Packet Matt Turner @mt165pro mt165.co.uk Cloud Native London September 2018

2. Outline ● How a packet traverses an Istio / Envoy / Kubernetes system ● What control plane calls are made in that process ● Hopefully a useful mental model for reasoning about, and debugging Istio

3. The life of a packet through Istio @mt165pro

4. The life of a packet through Istio @mt165pro

5. The life of a packet through Istio @mt165pro API Serveretcd istioctl

6. The life of a packet through Istio @mt165pro ClusterIP envoyenvoyenvoyenvoyenvoy Load Balancer NodePort *.example.com INGRESS iptables ClusterIP

7. The life of a packet through Istio @mt165pro

8. The life of a packet through Istio @mt165pro

9. The life of a packet through Istio @mt165pro “Containers” nginx net ipc user pid uts mnt supervisord nginx

10. The life of a packet through Istio @mt165pro Kubernetes Pods net ipc user uts fluentd pid uts mnt nginx nginx mnt supervisord logger

11. The life of a packet through Istio @mt165pro Kubernetes Pods nginx net ipc user fluentd pid uts mnt 192.168.0.42 eth0 lo sockets iptables routes fluentd uts mnt nginx nginx supervisord logger

12. The life of a packet through Istio @mt165pro Kubernetes Pods nginx net ipc user uts mnt fluentd pid uts mnt eth0 lo sockets iptables routes :8080/tcp nginx fluentd nginx supervisord logger 192.168.0.42

13. The life of a packet through Istio @mt165pro Kubernetes Pods nginx net ipc user uts mnt envoy pid uts mnt eth0 lo sockets iptables routes :8080/tcp nginx nginx 192.168.0.42

14. The life of a packet through Istio @mt165pro Sidecar Injection net ipc user eth0 lo sockets iptables routes 192.168.0.42

15. The life of a packet through Istio @mt165pro k8s consul zk Data plane API

16. The life of a packet through Istio @mt165pro Sidecar Injection alpine net ipc user eth0 lo sockets iptables routes sysctl -w kernel.core_pattern=... 192.168.0.42

17. The life of a packet through Istio @mt165pro Sidecar Injection istio/proxy_init net ipc user eth0 lo sockets iptables routes /usr/local/bin/prepare_proxy.sh -p 15001 -u 1337 192.168.0.42

18. The life of a packet through Istio @mt165pro Sidecar Injection net ipc user pid uts mnt istio/proxy pid uts mnt eth0 lo sockets iptables routes :15001/tcp nginx envoy nginx 192.168.0.42

19. The life of a packet through Istio @mt165pro

20. The life of a packet through Istio @mt165pro ? ? ?

21. The life of a packet through Istio @mt165pro Services $ kubectl get services -o wide | grep httpbin httpbin NodePort 10.0.0.244 <none> 80:30082/TCP 16m app=httpbin

22. The life of a packet through Istio @mt165pro Service DNS exposure # dig httpbin.default.svc.cluster.local httpbin.default.svc.cluster.local. 23 IN A 10.0.0.244

23. The life of a packet through Istio @mt165pro Pods $ kubectl get pods -o wide | grep httpbin httpbin-76ddd74666-2m6ds 1/1 Running 0 16m 172.17.0.13 minikube httpbin-76ddd74666-ls66n 1/1 Running 0 16m 172.17.0.12 minikube httpbin-76ddd74666-x5ql2 1/1 Running 0 16m 172.17.0.5 minikube

24. The life of a packet through Istio @mt165pro Endpoints $ kubectl get endpoints | grep httpbin httpbin 172.17.0.12:8000,172.17.0.13:8000,172.17.0.5:8000 21m

25. The life of a packet through Istio @mt165pro Endpoints $ kubectl get endpoints httpbin -o yaml apiVersion: v1 kind: Endpoints … subsets: - addresses: - ip: 172.17.0.12 nodeName: minikube targetRef: kind: Pod … ports: - name: http port: 8000 protocol: TCP

26. The life of a packet through Istio @mt165pro

27. The life of a packet through Istio @mt165pro IP 5-tuple (src_addr, src_port, dst_addr, dst_port, proto)

28. The life of a packet through Istio @mt165pro IP Router Architecture Interrupt Kernel module User process DATA PLANE CONTROL PLANE OSPF ARPBGP STP Router Information Base Forwarding Information Base

29. The life of a packet through Istio @mt165pro IP Router Architecture Interrupt Kernel module User process DATA PLANE CONTROL PLANE OSPF ARPBGP STP Router Information Base Forwarding Information Base PILOT MIXER ENVOY

30. The life of a packet through Istio @mt165pro Mixer Mixer Fat Client sysdig datadog REPORT CHECK Custom auth Custom classifier Mixer Fat Client

31. The life of a packet through Istio @mt165pro

32. The life of a packet through Istio @mt165pro

33. The life of a packet through Istio @mt165pro

34. The life of a packet through Istio @mt165pro

35. The life of a packet through Istio @mt165pro kittenz.com envoyenvoyenvoyenvoyenvoy EGRESS

36. Conclusion / Recap ● A packet traverses ○ Cloud ○ Kubernetes ○ Istio Ingress ○ The Pod construct ○ Envoy ○ Application ○ mTLS tunnel ○ Egress ● Pilot pre-programmes Envoys for Service Discovery ● Mixer sits on the hot path for real-time Policy ● Citadel issues certificates for mTLS

37. Thanks @mt165pro

The life of a packet through Istio

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to The life of a packet through Istio

Similar to The life of a packet through Istio (20)

More from Matt Turner

More from Matt Turner (15)

Recently uploaded

Recently uploaded (20)

The life of a packet through Istio