►
From YouTube: Istio April Meetup/ WASM filters for data observability
Description
#Istio #Data #CloudNative
In this video, the complete meetup that includes the talk given by Nilesh and David is included. Their talk describes how they built a custom filter using web assembly and demonstrate its application for sampling service traffic, mapping dependencies, detecting schema changes, enabling anomaly detection and more.
A
Thanks
for
inviting
us,
we
are
layer
9.
We
have
been
working
on
data
observability
using
steel
as
our
foundation,
so
we
are
very
happy
to
be
here
telling
you
what
you
have
done.
We
have
used
webassembly
as
a
core
technology
to
do
a
lot
of
these
things
that
we're
doing
so
we'd
love
to
share
our
experiences
that
building
webassembly
filter.
A
A
A
But
you
know
by
kind
of
looking
at
data
itself,
we
can
actually
draw.
You
know
much
deeper
insights
into
what's
happening.
For
instance,
services
often
have
logical
endpoints,
so
everything
all
the
dashboards
that
you
see
in
stu
could
become
a
lot
more
powerful
if
you
can
actually
split
them
by
endpoints.
That
does
require
us
to
understand.
A
A
We
should
be
able
to
look
at
what
kind
of
authorization
is
present
and
what
are
the
api
keys?
Are
they
being
rotated?
Are
they
shared
between
environments?
So
we
can
understand
authorization
in
a
much
deeper
level.
Now,
endpoints
have
you
know
schemas?
They
have
specifications
in
terms
of
what
kind
of
requests
they
accept.
What
kind
of
responses
they
give.
A
So
we
should
be
able
to
look
construct
your
entire
api
and
down
to
the
to
the
field
level
and
understand
the
types
and
be
able
to
kind
of
detect
when
those
change
you
know
people
are
very
interested
in
understanding
services
from
privacy
and
security
point
of
view,
so
understanding
like
looking
at
data
plane.
You
know
we
want
to
actually
look
at
what
kind
of
sensitive
data
is
present
in
each
field
and
be
able
to
tag
your
end
points
and
services
with
what
kind
of
data
are
they
exchanging?
A
A
B
Thank
you,
nilesh
and
I'll
be
calling
on
nalesh
to
change
the
slides,
because
if
you
try
to
change
who
shares
the
screen,
clearly
it's
20
21.
We
can't
do
it
so
this
slide
saying
we
need
to
capture
the
data.
So
the
natural
istio
extension
point
is
an
envoy
filter
for
us,
because
we
do
care
about
things
like
the
http
request
body.
B
We
care
about
tcp
as
well.
So
if
you're
talking
to
kafko
layer9
wants
to
see
what
did
you
write
to
kafka?
What
did
you
just
read
from
kafka
and
if
you're
going
to
have
a
an
envoy
filter
webassembly
is
you
know
exciting,
because
it's
shiny
and
new?
It's
not
generally
available.
It's
my
understanding
still
so
many
times
along
the
way
we
felt
like
we
might
be
the
first
people
trying
to
really
put
an
assembly
script.
Web
assembly
filter
in
production
assembly
script
was
the
second
language.
B
We
chose
the
beauty
of
webassembly.
You
can
write
in
any
language.
You
want,
except
not
really,
but
you
know
a
few
years
from
now.
Maybe
any
language
you
want
right
now,
probably
tiny
go
rust,
c,
plus
plus
and
assembly
script,
because
if
you
choose
a
language
other
than
those
you're
going
to
write
your
own
proxy
runtime,
so
your
web
assembly.
B
B
So
when
you
compare
webassembly
to
lua,
which
is
the
first
thing
we
tried
before
webassembly
in
envoy
in
istio,
existed
in
lua
you're,
going
to
have
more
trouble
saying
complex
things
because
of
the
language
lua
and
the
libraries
available
to
you
and
blue
is
a
little
a
different
way
to
think
about
filters.
It's
not
the
way.
An
envoy
filter,
implementer
from
the
c
plus
plus
native
c
plus
plus
world,
would
think
about
it.
It's
a
little
different
and
it's
going
to
be
http.
B
B
B
Lua
is
you
know
the
first
thing
people
tried
and
apparently
they
didn't
like
it,
because
now
there's
web
assembly,
it
just
seems
like
a
kind
of
a
dead
end.
At
this
point,
no
one's
ever
gonna
put
tcp
support
into
lua,
because
there's
webassembly
it's
it's
the
way
you
would
do
it
from
scratch.
Next
slide.
B
B
If
you're
a
customer,
you
install
two
helm,
charts
one
for
the
envoy
filter,
one
for
the
layer,
9
service
and
to
make
that
call
at
first
in
lua
it
was
a
synchronous
call
which
was
highly
sub-optimal,
but
nowadays
the
the
call
is
asynchronous.
So
lua
gets
the
job
done
for
http
well
enough
for
us
and
we
have
a
filter
that
it
just
observes.
B
B
B
I
was
the
first
one
at
layer
9
to
try
webassembly
and
I
tried
c
plus
because
a
dozen
years
ago
I
was
very
good
at
c
plus
I
don't
know
rust,
I
know
go,
but
the
tiny
go
support
it's
like
well,
tiny
goes
not
really
go
and
it
just
people.
People
had
written
some
things
in
the
docs.
That
made
me
think
I
don't
want
to
do
this
in
production.
Not
really
I'll
use
c,
plus,
plus
battle
tested,
it'll
work,
and
it
will.
B
B
Once
once
you
could
figure
out
the
plumbing
to
get
the
web
assembly
by
code
to
envoy
envoy
would
crash
segmentation
fault
and
it
wouldn't
say
here's
the
problem.
With
your
c
plus
program,
here's
a
stack
trace
from
the
c
plus
plus
program.
You
wrote
it
would
give
you
a
stack
tricks
from
envoy
and
then
you'd
say
what
did
I
do
wrong?
B
B
We
want
more
customers,
not
fewer,
so
the
more
versions
of
istio
we
support
the
better
it
turns
out
at
the
time
you
the
very
latest
and
greatest
also
would
not
give
you
webassembly
back
traces.
So
you'd
have
to
hope
that
your
c
plus
envoy
back
trace
would
clue
you
in
as
to
what
you
did
wrong
next
slide.
B
B
Let's
say
we
passed
in
a
a
null
for
an
argument
to
this
function.
Envoy
would
crash
that
just
seemed
to
be
just
doesn't
matter
what
function
you
call
envoy's
just
going
to
crash,
but
eventually
he
made
it
work
for
an
http
call.
So
that's
the
rubicon.
For
us.
We
need
a
filter.
It
needs
to
make
an
http
or
grpc
call.
B
B
B
We
noticed
this
isn't
much.
Bytecode
c
was
generating
a
lot
more
bytecode
in
the
wasm
file,
so
assemblyscript
is
making
something
tiny
and
c
plus
was
a
docker
image
to
compile
it
ran
in
scriptin
and
who
knows
what
else
to
generate
the
webassembly
by
code
and
it
took
forever
and
long
enough
that
I
thought
well,
I'm
gonna
have
to
set
up
a
build
machine
for
this.
B
B
B
So
why
why
the
focus
on
1.5?
So
we
don't
need
to
do
much.
We
like
the
original
abi.
So
if
you
run
istio
1.5,
it's
got
a
different
webassembly
avi
than
istio
1.6,
which
is
different
than
1.9,
which
is
different
than
so
these
apis
they
are
versioned.
They
change
they're,
not
perfectly
versioned
and
they're,
not
very
well
documented.
So
you
have
to
basically
read
the
source
to
figure
out
what
has
changed
between
these
versions,
but
they
are
versioned,
but
we
we're
fine
with
0.1.0.
B
So
if
we
had
to
have
forks
of
our
program
for
different
istio
versions,
we
would
have
to
have
different
versions
of
the
proxy
runtime,
and
that
would
mean
different
versions
of
the
assembly.
Script,
compiler
and
so
we'd
probably
have
to
change
our
program
to
work
for
different
versions
of
the
compiler,
so
we'd,
like
universality
for
many
reasons,
next
slide.
B
So
this
is
about
assembly
scripts
runtime.
It
had
a
bunch
of
a
bunch
of
functions
for
tcp
udp.
The
the
network
filter
support
as
opposed
to
http
filter
support,
except
it
didn't
have
all
of
them
connected,
which
was
another
clue
for
us
like.
Maybe
we
are
the
very
first
people
trying
to
to
actually
put
an
assembly
script
web
assembly
filter
into
production.
B
It
only
took
a
dozen
lines
to
add
the
other
half
of
this
bridge
and
that's
been
merged
upstream,
and
things
are
good
unless
you
want
to
do
grpc.
Grpc
is
still
not
good,
because
the
the
original
abis
for
grpc
they
sort
of
require
that
your
program
can
create
and
manipulate
protocol
buffers
which,
if
you're
in
assembly
script,
no,
you
can't
unless
you
write
your
own
protocol.
Buffer
library
and
assembly.
Script
was
written
by
the
same
person
who
wrote
the
most
popular
javascript
protocol
buffer
library
and
that
person
has
not
written
anything
for
assembly
script.
B
So
you
know
maybe
it's
impossible.
It's
not
it'd
be
a
lot
of
work,
so
it
doesn't
exist.
So
if
you
want
to
do
grpc,
you
should
probably
use
c
plus-
maybe
you
can
do
it
in
bruss?
Maybe
you
can
do
it
in
tiny
go.
I
wouldn't
do
it
in
assembly
script,
because
you'd
have
to
write
your
own
support
for
that,
but
tcp.
It
works
very
well.
Next
slide.
B
So
when
we,
when
it
was
working
for
the
easy
cases,
it
was
time
to
see,
you
know:
okay,
let's
shake
all
the
bugs
out.
So
let's
load
test
it.
Let's,
let's
stress
test
it.
Let's
chaos
engineer:
let's
try
to
break
it,
so
you
do
things
like
take
down
the
layer.
9
service,
just
it
doesn't
exist
on
the
cluster
right
now
make
an
http
call
to
it.
What
happens?
B
B
So
we
got
to
a
point
eventually
where
we
like
it.
We
like
it
a
lot
it
does.
You
know
we
carefully
monitor
our
test
beds
for
crashes
and
it
doesn't
crash.
It
hasn't,
crashed
in
a
long
time,
but
this
was
a
painful
process
in
part,
because
when
you
have
a
crash,
you
don't
have
a
back
trace
from
your
language,
because
we're
doing
this
work
before
the
back
traces
for
webassembly
existed,
which
I
think
was
histo
1.9.
B
B
B
Yeah,
this
will
definitely
be
easier
in
the
future.
My
hope
is
that
in
the
future,
not
so
many
segmentation
faults
and
instead
the
virtual
machine
essentially
gets
deleted.
If,
if
your
program
does
something
that
upsets
one
of
these
functions,
you
can
call
like.
Please
start
an
http
call
next
slide.
B
So
once
you
have
your
line
numbers
and
your
c
plus
plus
on
voice
deck
trace,
just
just
to
figure
out
exactly
the
source
code,
I
was
looking
at
well.
That
definitely
depends
on
the
istio
version
right
so
for
1.5.
I
think
they
were
using
github.com
envoy,
which,
if
you
look
at
it
today,
the
blurb
about
it
says
this
is
just
for
developers
for
some
testing.
But
I
think
it
was
like
the
real
repository
for
cutting
the
releases
of
1.5
and
1.6.
B
So
nowadays,
in
modern
code,
it's
in
proxy
wasm
cpphost
is
a
repository
that
has
much
of
the
interesting
code,
and
so
just
figuring
out,
like
the
right
set
of
code.
To
look
at
is
a
challenge,
and
if
you
want
to
build
your
own
binary
so
that
you
can
really
really
get
to
the
bottom
of
that
crash,
so
that
maybe
you
could,
you
know,
make
make
envoy
hardened
against
this,
submit
a
pull
request.
Like
that's
a
lot
of
work
next
slide.
B
And
then
a
function
that
didn't
segmentation
fault
but
returned
essentially
like
not
found
when
it
should
have
found
something
we
just
wanted
to
get
some
properties
and
if
you
read
the
documentation
for
that,
you'd
probably
be
surprised
to
learn
that
in
webassembly
you
have
to
insert
some
null
characters
in
your
strings
to
dig
into
protocol
buffers.
So
if
there's
nested
messages
like
a
nus
b,
which
nests
c
then
you're
going
to
need
a
null
b
null
c,
and
so
even
the
things
that
you
can
do
with
it.
B
Oh
yeah
and
after
we
thought
it
was
finally
it
stopped
crashing
it
does.
What
we
want.
Can
we
release
it?
Can
we
ask
customers
to
run
this
even
at
that
point?
It's
like
well,
we've
invested
significant
time
and
we
still
may
not
may
not
be
able
to
release
this
until
a
future
istio
version,
because
we've
got
a
memory
leak.
B
The
memory
leak,
if
you,
if
you
just
you
know,
do
the
harshest
load
test
you
can
and
hammer
envoy
again
and
again
then
in
something
like
a
few
minutes,
it
would
go
a
gigabyte
of
memory
up
which
is
not
good,
so
the
webassembly
virtual
machine
in
istio.
Today,
it's
all
v8
and
there's
no
way
to
customize
anything
about
the
memory
there's.
Also,
if
you
have
a
memory
leak,
one
proven
solution
is
we'll
just
restart
the
program
every
now
and
then
you
know
every
monday.
B
We
need
to
restart
this
service
because
it
has
a
memory
leak.
Well,
you
can't
do
that
because
there's
no
abi
for
quit.
I
quit
I
give
up.
So
your
filter
is
going
to
run
until
the
envoy
filter.
Kubernetes
object
is
removed
or
changes
so
even
doing
something
like
reverse
uptime,
which
sounds
like
a
fancy
way
of
avoiding
solving
the
real
problem.
B
B
So
we
we
already
had
a
fork
of
the
proxy
run
time
for
assembly
script,
so
we
just
updated
it
to
use
a
a
bleeding-edge
version
of
the
assembly
script
compiler
that
had
an
entirely
new
garbage
collection
system,
or
so
it
seemed
from
the
docs
it
didn't
take
many.
It
was
just
a
few
lines
of
changes
to
the
proxy
runtime
to
use
that
no
more
memory
leak.
B
B
B
So
when
we
were
first
getting
into
web
assembly
for
envoy
there
was
the
solo.I
o
had
wasmey
w-a-s-m-e,
which
had
a
kubernetes
operator
that
would
help
you
deploy
your
bytecode
and
we
were
hoping
to
avoid
that
because
that's
another
thing,
another
dependency.
Another
thing
you
have
to
ask
customers
to
install
another
company.
You
have
to
ask
them
to
trust.
B
B
B
But
since
our
web
assembly
by
code
is
less
than
a
megabyte,
that'll
fit
in
kubernetes,
so
we
just
in
line
it.
That's.
It
seems
to
work
pretty
well
no
extra
dependencies,
but
we
we
do.
We
look
forward
to
the
future
where,
where
the
envoy
proxy
can
just
grab
it
on
every
every
version
of
istio
that
we
care
about,
which
is
probably
like
every
version
of
istio
after
1.4
next
slide.
B
So
testing
your
webassembly
program
depends
on
your
language.
If
you're
in
rust,
rust
has
webassembly
in
the
blood
there's
a
core
rust
team
all
about
web
assembly,
I'm
sure
it's
very
easy
to
test
your
web
assembly
program.
The
only
problem
is
you're
going
to
have
to
mimic
envoy
all
these
abis.
How
do
they
work?
How
does
how
does
envoy
call
into
your
filter?
B
B
B
Ga
is
generally
general
availability.
Someone
please
correct
me
if
I'm
wrong,
but
I
don't
think
we're
we're
there
yet
and
part
of
that
might
be
because
of
the
edit
compile
segf
cry
cycle.
I
hope
that's
part
of
it.
I
hope
that
envoy,
just
soldiers
on
and
politely
deletes
a
virtual
machine
which
gets
to
fail
closed
or
is
it
called
fail
open
anyway,
there's
a
setting
where
you
can
say
my
webassembly
filter.
B
The
malicious
webassembly
byte
code-
this
I
was
reading
a
github
issue
where
an
istio
or
envoy
developer
was
saying
well
in
the
future.
We
want
to
support.
We
want
you
to
be
able
to
run
even
malicious
web
assembly
without
having
to
worry
about
it,
and
I,
when
I
read
that
I
was
like
oh,
I
hope
I
hope
I
hope
I
hope
this
is
right,
because
right
now,
benevolent
programs,
edit
compile
segfault
cry.
B
So
if
you
can,
if
in
the
future,
you
can
handle
even
malicious
web
assembly,
then
that
bodes
well
for
trying.
You
know
to
write
your
own
benevolent
envoy
filters,
and
I
will
say
nowadays,
if
you're
using
the
latest
istio,
then
yes,
you
get
your
back
traces
from
your
assembly
script
program
or
from
your
rust
program
or
time
you
go
depending
on
their
language's
runtime,
but
hopefully
in
all
all
languages.
So
that's
nice,
I
actually
don't
know
the
next
slide.
A
Thank
you
chandler,
I
think
web
assembly.
It
was
hard
work,
but
we
felt
it
was
totally
worth
it.
We
now
love
web
assembly.
We
have
stood
on
the
shoulders
of
some
pretty
great
communities
around
istio
on
y
and
solo.
So
now
we
were
able
to
actually
kind
of
get
to
the
point
where
we're
happy
shipping
this
for
customers
who
are
running
it.
A
So
this
is
our
ui,
so
we
have
webassembly
filter
that
ships
samples
to
our
local
data
processing
pods,
which
kind
of
convert
those
into
some
metadata
and
that
powers
our
dashboard.
So
this
is
the
end
result
of
it.
We
have
our
own
sandbox,
showing
bunch
of
services
right
now,
you're,
just
seeing
a
list
of
all
the
services
in
our
cluster.
A
I
mean
this
so
far
might
look
very
similar
to
a
dashboard
you
might
see
on
istu.
There
are
a
couple
of
differences.
I
would
point
out.
One
is
that
a
lot
of
our
customers
want
some
kind
of
cataloging
capabilities
where
they
can
actually
curate
a
lot
of
content
around
this
people
who
tag
their
services
with
teams
and
owners
ad
run
books.
Wiki
pages
basically
use
some
kind
of
central
database
to
get
all
kinds
of
information
in
about
the
services.
A
Here
you
can
see
a
ci
integration
that
tells
us
when
was
a
service
last
deployed,
and
we
also
get
in
you
know,
alerts
events
from
tools
like
your
sentry
and
cage
duty
and
other
kind
of
devops
tools.
You
might
be
using
just
get
like
a
central
place
where
you
can
see
all
your
problems
in
your
services
from
multiple
tools.
A
This
is
kind
of
the
same
view
graphically
which
is
basically
clearly,
except
that
this
kind
of
like
plugs
into
some
of
our
detailed
views
like
in
the
future.
If
kiali
has
an
api
that
lets
us
actually
build
applications
on
top
of
it,
we'd
love
to
you
know,
bank,
on
those,
but
for
today
we
have
something
that
displays
this
that
can
hook
up
to
the
rest
of
our
app.
A
The
other
difference
here
is,
you
would
see.
So
since
we
look
at
the
data
layer,
we
can
actually
go
slightly
deeper
in
terms
of
understanding
dependencies
like
here,
you
are
seeing
a
service,
that's
writing
to
a
specific
kafka,
topic,
product
payment
action
and
then
someone
else
reading
from
it.
So
a
lot
of
these
asynchronous
dependencies
through
either
cache
caches
or
queues
or
or
even
databases,
we're
able
to
kind
of
highlight
those
based
on
understanding
the
data.
A
A
lot
of
our
customers
have
have
dependency
graphs,
which
are
you
know,
pretty
much
driven
through
asynchronous
computations,
and
they
you
know
they
really
want
this
kind
of
dependency
graph.
That
can
take
you
through
some
of
your
asynchronous
edges
as
well,
and
then
we
highlight
services
where
any
of
the
you
know,
our
own
system
or
third
party
integrations
might
indicate
an
alert.
So
let
me
actually
go
deeper
into
a
service.
A
And
now
here
you
would
start
seeing
kind
of
the
differences
in
terms
of
how
detailed
we
can
go
in
terms
of
observability.
So,
first
you
will
notice
endpoints,
and
there
are
current
points
that
we
have
discovered
based
on
some
clustering
of
all
the
requests
and
responses,
including
an
endpoint
that
has
some
kind
of
url
pattern,
and
then
we
are
able
to
kind
of
show
throughputs
and
latencies
segmented
by
your
endpoints.
A
A
A
What
responses
it
gives
and
what
are
the
structure
of
the
responses
we
are
able
to
actually
go
and
look
at
metrics
around
each
data
element.
Here.
There's
one
element,
that's
red
and
if
I
look
at
it,
there's
a
uniqueness
metric,
so
emails
very
kind
of
generally
pretty
unique
and
then
it
has
dropped
down
to
zero,
which
means
you
know
you
are
basically
seeing
the
exact
same
email.
It
probably
means
it's
like
null
or
empty
string,
and
we
detect
this
this
anomaly
at
a
data
level
which
you're
flagging
out.