Istio

见我的另一本开源书：《Istio & Envoy 内幕》

• Istio mTLS
  • Istio mTLS 自动识别说明(Smartness Explained)
    • Introduction
    • Environment details
    • Scenario 1, no sidecars on either side
    • Scenario 2, non-injected client to injected and non-injected services
      • Why is Istio/envoy allowing plain text?
      • Enable STRICT mode
        • STRICT mode filter chains
      • FilterChain matching
        • ALPN
          • How client sidecar adds Istio-defined ALPNs in the TLS client hello message
            • http traffic
            • tcp traffic
      • Switch back to PERMISSIVE mode
        • PERMISSIVE mode filter chains
    • Scenario 3 i.e injected client talking to injected and non-injected servers
      • Injected client to injected sever
      • Injected client to non-injected sever
    • Summary
  • Understanding Istio’s Secure Naming
    • Certificates
    • Istio Mutual TLS Authentication
    • Example
      • What all happens at data path?
        • DNS Resolution
        • mTLS Handshake with resolved address
        • DNS Spoofing
        • Secure Naming to rescue
    • What about SAN validation for non-mesh services
    • Summary
• Metadata Exchange
  • HTTP
    • Goal
    • Design Proposed Work
    • Stateless approach
      • HTTP header size considerations
  • TCP
    • TCP MX
      • metadata exchange plugin
        • Metadata exchange plugin introduction
      • TCP MX 设计文档
        • 内部实现细节
  • Ref
    • metadata exchange plugin
      • Metadata exchange plugin Introduction
        • Stats plugin
          • For HTTP, HTTP/2, and GRPC traffic the proxy generates the following metrics
          • For TCP traffic the proxy generates the following metrics
      • Feature gaps between Mixer-based telemetry and Telemetry V2
• Istio ALPN
  • Protocol sniffing
    • Background
    • Objective
    • Overview
      • Protocol sniffing for inbound listener
        • Filter chains
        • Get ALPN
        • Alternatives Considered
  • Other
    • istio-alpn-upstream
      • ALPN 名字
        • TCP ALPN
        • HTTP ALPN
    • Istio ALPN Issues
• Istio Gateway TCP Keepalive
  • socket opts
    • socket 级别的 opts 列表：
    • TCP 级别的 opts 列表
    • Linux 的协议列表
    • Linux 的默认的参数值
  • 常见 Load Balancer / TLS proxy 的行为
    • 自动 keepalive load balancer 的两端
    • 偷偷关闭连接
  • 相关的 Envoy 配置资料

Design Doc Links

Design Doc Links

This doc tracks the design doc links in order to facilitate Istio design docs discovery. To avoid confusion, only approved docs or the docs with wide impact in Istio’s roadmap can be listed here.

It’s each developer’s own responsibility to add doc links here.

Nebulous Future

• Mesh TroubleShooting RFC introduced a trouble shooting API to allow us make sidecar out of the pod.

• Kernel Offloads for Istio and Envoy

• Istio Authentication rev2, JWT

• Istio Transport Security

• Istio Authentication rev2, mTLS

• Simpler Istio, istiod

Release 1.4

• Istio Auto mTLS, addresses the common UX pain for configuring DestinationRule.TLSSettings in order to opt-in Istio mutual TLS.

• Isito Authorization v2 Beta policy, is focused on evolving authorization policy to workload based selector, rather service based model, with other UX improvements.

• Better Default Networking, Protocol Sniffing, enables protocol sniffing for inbound listeners and HTTP2.

• Istio Operator Architecture, explains how the new Istio operator works, in replace of the Helm. The original design doc can be found here

• Istio Metadata Exchange for MixerV2 under mTLS, implementation notes

Release 1.3

• Better Default Networks, explains the mechanism to how to reduce the UX overhead of declaring service port name explicitly.

Release 1.1

• Sidecar, TODO: link

Observability

• Understanding TCP telemetry collection
  • TCP attributes
• Access Log
  • Pod Level enable access log