Service Mesh
Envoy Network Filter
Taming a Network Filter
Lifecycle of a Network Filter
Practical Applications
Gatekeeping
Collecting Protocol-specific Stats
Feeding Protocol-specific Metadata
Reshaping Traffic
Protocol-specific Routing and Load Balancing
Native Envoy extensions (C++) vs WebAssembly
Conclusion
TCP Proxy
TCP Proxy
TCP Proxy Configuration
Dynamic cluster selection
Routing to a subset of hosts
Statistics
TCP Proxy (proto)
Envoy Socket backlog
Istio
Istio mTLS
Istio mTLS Automatic Detection Explained (Smartness Explained)
Introduction
Environment details
Scenario 1: no sidecars on either side
Scenario 2: non-injected client to injected and non-injected services
Why is Istio/Envoy allowing plain text?
Enable STRICT mode
STRICT mode filter chains
FilterChain matching
ALPN
How the client sidecar adds Istio-defined ALPNs in the TLS ClientHello message
HTTP traffic
TCP traffic
Switch back to PERMISSIVE mode
PERMISSIVE mode filter chains
Scenario 3: injected client talking to injected and non-injected servers
Injected client to injected server
Injected client to non-injected server
Summary
Understanding Istio's Secure Naming
Certificates
Istio Mutual TLS Authentication Example
What happens on the data path?
DNS Resolution
mTLS Handshake with resolved address
DNS Spoofing
Secure Naming to the rescue
What about SAN validation for non-mesh services
Summary
Metadata Exchange
HTTP
Goal
Design
Proposed Work
Stateless approach
HTTP header size considerations
TCP
TCP MX metadata exchange plugin
Metadata exchange plugin introduction
TCP MX design document
Internal implementation details
Ref
metadata exchange plugin
Metadata exchange plugin Introduction
Stats plugin
For HTTP, HTTP/2, and gRPC traffic the proxy generates the following metrics
For TCP traffic the proxy generates the following metrics
Feature gaps between Mixer-based telemetry and Telemetry V2
Istio ALPN
Protocol sniffing
Background
Objective
Overview
Protocol sniffing for inbound listener
Filter chains
Get ALPN
Alternatives Considered
Other
istio-alpn-upstream ALPN names
TCP ALPN
HTTP ALPN
Istio ALPN Issues
Istio Gateway
TCP Keepalive
socket opts
Socket-level opts list:
TCP-level opts list
Linux protocol list
Linux default parameter values
Common Load Balancer / TLS proxy behaviors
Automatic keepalive
Both ends of the load balancer
Silently closing connections
Related Envoy configuration references
Design Doc Links
Nebulous Future
Release 1.4
Release 1.3
Release 1.1
Observability
Understanding TCP telemetry collection
TCP attributes
Access Log
Pod level: enable access log