►
From YouTube: What Envoy Hears When Istio Speaks
Description
#IstioCon2021
Presented at IstioCon 2021 by Rob Salmond.
Istio listens to Kubernetes and speaks to Envoy. We will explore these conversations and learn to understand what’s being said.
A
What
you're
going
to
see
is
some
material.
I
has
adapted
from
training
material
that
I
produced
for
my
colleagues
at
the
cart
labs.
It
includes
a
lot
of
original
diagrams
and
information,
but
I've
also
borrowed
liberally
from
the
istio
community
diagrams
from
youtube
talks.
I
watch
blog
posts.
Things
like
that.
I
have
tried
my
best
to
attribute
all
of
them.
A
If
I
fail
to
say
out
loud
what
I've
attributed
the
actual
sources
from
this
material,
it
will
be
in
the
speaker
notes
and
I'm
going
to
provide
the
link
to
the
deck
at
the
end.
So
you
can
follow
up
on
any
of
that
interesting
stuff
because
lots
of
deep
depth
in
those
resources
for
any
topics
you
might
be
interested
in.
I'm
also
going
to
try
to
unravel
some
issue
and
envoy
terminology
as
we
go
along.
A
But
if
I
do
use
a
term
you're
not
familiar
with
feel
free
to
pm
me
in
the
slack
or
find
me
another
way,
and
I
can
try
to
explain
that.
The
only
assumption
I
have
is
that
you
have
a
pretty
good
understanding
of
kubernetes
already
and
kubernetes
sort
of
vanilla,
kubernetes
networking
and
from
there
we'll
get
into
how
sdo
works.
So
this
is
me
frequently
seen
wearing
unusual
hats
on
the
internet.
I'm
not
an
istio
maintainer,
just
a
long
time
user.
A
The
I
joined
this
organization,
the
car
labs
a
little
over
two
years
ago.
We
had
production
istio
in
place
when
I
joined
it
was
my
first
experience
with
it.
So
so
my
all
my
everything
comes
today,
just
just
from
you
know,
hard-earned
shin
banging
on
on
rough
edges,
and
things
of
you
know
the
wisdom
of
production
as
they
call
it.
So
if
I
say
something
today,
that's
not
true.
A
That's
totally
on
me
and
me
failing
to
understand
something.
I
really
look
forward
to
being
corrected
by
people
watching
who
who
understand
stuff
and
maybe
better
than
I
do,
and
I
provide
the
twitter
link,
not
because
you
should
follow
me
because
for
me,
twitter's
just
the
pillow
that
I
scream
into
it's
mostly
be
swearing
at
the
cloud,
but
I
will
tweet
a
link
to
this
deck
afterwards
and
you
can
find
those
links.
A
I
mentioned
okay
today
we're
going
to
talk
about
these
four
subjects
a
little
bit
about
what
istiod
is
and
how
it
interacts
with
kubernetes
and
envoy
talk
briefly
about
exactly
what
envoy
is,
although
we've
already
heard
some
of
that
today.
So
hopefully
we
can
buzz
right
through
that
we're
going
to
go
deep
into
how
envoy
works
and
we're
gonna
at
the
end,
we'll
take
a
brief
sort
of
high-level
tour
of
what
an
istio-generated
envoy,
config
actually
looks
like,
and
it's
pretty
beefy
okay.
A
I
think
it
was
mentioned
already
in
one
of
the
talks
today
that
actually
it
was
like
during
the
opening
statements
I
think,
somebody's
talking
about
originally
getting
with
matt
from
lyft
and
talking
about
you
know
how
to
program
this
proxy
that
they
released,
and
if
you
actually
go
to
the
envoy
proxy
github
org,
you
can
find
a
project
called
the
go
control
plane,
which
is
sort
of
the
canonical
way
to
control
envoy
proxies,
which
is
what
histod
is
sort
of
built
on
top
of
other
names
that
you
will
hear
for
seod
floating
around
the
community
because
of
the
sort
of
winding
path
that
it
has
taken
to
where
it
is
today,
you'll
sometimes
hear
it
referred
to
as
pilot
or
discovery
or
the
issue
discovery
service
kind
of
just
leftover
names
that
people
use
in
github
issues
and
things.
A
So
if
you
see
that
that's
what
they're
talking
about
this
is
a
dramatic
oversimplification
of
the
architecture.
I've
got
a
link
here
in
the
notes.
That'll.
Take
you
to
a
more
complete
description
of
that,
but
we're
going
to
talk
about
a
couple
of
these
components
today
and
specifically:
well:
okay,
so
there's
you
know
that
does
more
than
just
that,
so
there's
lots
of
logic
in
this
dod
now
we'll
get
to
some
of
that
in
a
second
we're
also
going
to
skip
citadel
completely
there.
You
know
this.
A
This
is
the
component
that
handles
circuit
signing
if
you're
very
interested
in
that
topic.
There's
a
talk
tomorrow
that
looks
like
it's
going
to
cover
that
stuff
called
know
your
peers
by
alex
von
boxel.
I
think
that's
where
you'll
find
excuse
me
a
deeper
discussion
of
these
things,
but
for
now
we're
going
to
talk
about
gallium
pilot
and
we'll
start
with
galley.
A
So
what
I
would
consider
the
core
function
of
sdod
to
be
is
to
read
from
kubernetes
and
write
to
envoy
it's.
You
know,
sort
of
a
one-way
pipe
in
general
and
if
you
deign
to
read
the
istio
docs,
which
you
should,
what
you'll
find
is
that
it
says
very
clearly
quote:
istio
does
not
provide
service
discovery.
End
quote:
I
don't
know
who
wrote
that
and
if
they're
here
today,
maybe
they
can
explain
to
me
what
that
means,
because
one
of
the
things
that
gali
does
is
it
discovers
services
in
kubernetes.
A
A
A
So
this
would
be
something
like
google
has
a
project
called
traffic
director,
but
you
can
imagine
a
scenario
where
you
know
managed
service
can
reach
into
your
cluster
and
say
like
oh,
that
managed
redis
instance.
You
just
launched
it's
now,
reachable
from
inside
the
service
mesh
and
it
would
be
doable
achievable
through
this
mechanism
and
sort
of
taking
over
this
service
discovery
sdod
to
see
what
it
has
discovered
when
it
wasn't
doing
service
discovery.
You
can
port
forward
to
this
port
here
and
check
out
this
endpoint
and
then
inside
of
there's.
A
A
Okay
beyond
service
discovery,
galley
also
serves
web
hook
requests.
Now,
we've
there's
been
a
little
conversation
about
how
istio
leverages
kubernetes
web
hooks
to
provide
some
of
the
services
that
it
does
so
I'll.
Just
sort
of
skim
through
this
briefly,
but
basically
the
two
primary
types
of
web
hook
that
are
utilized
are
the
mutating
and
validating
web
hooks.
So
there's
a
mutating
web
hook
which
is
utilized
to
deliver
the
pod
injection.
A
So
what
happens?
Is
you
or
something
operating
on
your
behalf
will
say
to
the
kubernetes
api?
Please
create
a
pod
when
that
happens,
the
web
hook
configuration
causes
kubernetes
api
to
fire,
a
request
over
to
galley,
saying
here's
the
pod
I'm
about
to
create
it
will
then
munch
the
yaml
hand
it
back,
and
when
it's
done
now,
that
pod
will
have
a
sidecar
and
a
container
and
so
forth
attached
to
it
and
same
thing
for
the
validating
web
hook,
that's
used
for,
if
you
you
know,
cuddle
apply
some.
A
A
This
is
the
specification
which
tells
kubernetes
how
to
execute
the
web
hook.
So
in
this
case,
you
can
see
that
anytime,
these
api
objects
are
either
created
or
updated.
It's
going
to
cause
a
payload
to
be
posted
to
a
service
of
this
name
in
the
namespace
of
this
name
at
this
uri
and
same
thing
for
pod
creation.
This
is
how
the
web
hook
is
configured
so
pretty
straightforward,
kubernetes
crd
setup,
one
interesting
side.
Note
the
istio
cuddle,
cli
pronunciation.
A
These
two
catalyst
cli
actually
duplicates
not
duplicates
but
reuses
a
lot
of
the
logic
for
the
pod
munching.
So
if
you're
curious
about
what
is
exactly
going
to
happen
to
your
pod
spec,
when
you,
when
this
weapon
is
executed,
you
can
test
it
using
the
command
like
this,
and
the
pod
injection
is
actually
quite
configurable.
So
you
can
use
this
to
tweak
to
test
your
tweaks
to
the
pod
injection
logic
and
run
it
all
completely
offline.
A
So
you
can
just
make
sure
it's
going
to
work
before
you
put
it
up
in
the
cluster
okay.
So
that's
gali,
talking
to
kubernetes
reading
from
kubernetes
understanding,
kubernetes
we'll
talk
a
little
bit
about
pilot
pilot
takes
the
services
discovered
by
galley,
and
so
do
that's
where
it
maintains
this
state
of
the
world
and
then
it
takes
that
information
and
uses
it
to
program
envoy.
A
Now.
This
is
a
slide
that
lifted
from
a
talk
given
by
niraj
potter,
who
spoke
earlier
and
john
howard
who's
going
to
speak.
Actually,
I
think
he
already
did,
but
he's
probably
going
to
speak
again
because
he's
everywhere
talk
called
debugging
your
debugging
tools
and
I've
got
a
link
for
that
as
well.
What
I
want
to
do,
it's
not
important
that
you
understand
everything
in
this
slide.
I
think
all
I
really
want
to
get
the
point
across
is
that
you
can
see
there's
this
very
linear
relationship
between
like
kubernetes
object,
envoy
thing.
A
A
This
is
lifted
from
matt
klein's,
an
envoy
internal,
steep
dive
presentation,
which
is
very
good.
You
give
it
all
over
the
place.
You
should
definitely
check
that
if
you
haven't
seen
it,
a
lot
of
stuff
isn't
important
for
our
needs
today.
What
you
can
tell
is
that
it's
thoroughly
buzzword
compliant
we're
going
to
get
into
a
couple
of
these
things
in
a
bit.
A
One
interesting
thing,
which
I
think
probably
I'll
mention
earlier,
is
that
istio
uses
a
fork
of
envoy.
Why
is
that?
Well,
that's
because
istio
adds
a
considerable
amount
of
functionality
to
envoy
and,
as
you
have
probably
already
heard
and
we'll
hear
more
of
this
week,
that
functionality
is
going
to
be
provided
through
webassembly
extensions,
as
opposed
to
compiled
in
static
extensions,
but
for
the
time
being,
most
of
the
stuff
that
istio
adds
to
envoy
is
actually
still
written
in
sort
of
static,
c,
plus
plus.
A
That
goes
through
this
webassembly
null
vm
thing
that
you'll
hear
about
later
this
week,
but
it
yeah
it's.
This
is
why
we
need
a
fork
and
eventually
the
fork
will
go
away.
You'll
be
able
to
do
this
dynamic
module
like
I'd
add
all
the
functionality
needs
dynamically,
but
until
then
we're
stuck
with
this
fork.
A
Incidentally,
john
again,
if
he
says
something
he's
probably
right
about
istio
anyway,
okay
terminology,
I
dislike
these
terms,
but
we
have
to
talk
about
them
because
they're
used
everywhere
in
envoy,
land
downstream
means
where
connections
come
from
and
upstream
means
where
connections
go
to.
So
this
is,
like
you
know,
clients
and
backend
services.
You
can
essentially
think
of
these,
as
I
I've
had
a
really
hard
time
getting
these
words
to
stick
in
my
head.
When
I
first
started,
I
find
drawing
your
network
diagram.
A
This
way
kind
of
helps
orient
the
those
words
in
my
head
anyway,
if
you
think
about
sort
of
the
idea
of
north
south
traffic.
So
in
this
from
this
proxy's
perspective,
you
know
here's
the
front
end
app
with
a
sidecar.
The
clients
are
downstream
and
the
back
end
is
upstream
and
then
from
this
proxy's
perspective,
the
front
end
is
downstream
and
some
other
back-end
services
is
upstream.
A
So
anyway,
I'm
gonna
say
that
a
bunch,
hopefully
that
settles
in
your
head.
I've
also
found
this
metaphor
helpful.
A
What
you
should
do
is
abandon
any
metaphor
that
uses
water,
because
the
stream
part
doesn't
make
any
sense
there,
but
hopefully
that
helps
and
then
the
other
important
terminology
that
we
need
to
talk
about
are
clusters
and
endpoints
and
listeners
and
routes
again.
These
are
all
first-class
envoy
constructs.
You
can
think
of
clusters
and
endpoints
as
basically
host
names
and
ip
addresses.
Cluster
is
an
unfortunate
name,
perhaps
because
we
spend
a
lot
of
time
talking
about
kubernetes
clusters
in
an
envoy
cluster
is
not
a
kubernetes
cluster
yeah,
it's
basically
a
hostname.
A
A
As
you
can
see,
they
don't
comply
to
sort
of
normal,
looking
dns
host
names
that
you
might
be
familiar
with,
but
yeah
these
are
all
totally
valid
and
then
listeners
and
routes
basically
describe
sort
of
you
know
what
to
listen
to
and
what
to
do
with
it
and
and
where
to
send
it
right
so
where
to
send
it.
So
so
what
listen
to
that
is
usually
going
to
be
like
an
ip
and
a
port
for
tcp
and
udp
traffic?
A
It
could
also
be
a
path
for
unix
domain
socket
and
then
the
listener
is
also
going
to
configure.
A
A
If
the
uri
is
that
it
goes
to
this
service
things
like
that,
it's
your
sort
of
basic,
you
know
nginx
type,
stuff,
okay,
so
with
those
terms
in
mind,
now
we're
going
to
look
into
how
they
function,
I
lifted
this
diagram
from
directly
from
the
envoy
blog
from
a
post
called
how
to
write
envoy
filters
like
a
ninja
which
I've
got
linked
here
as
well,
but
this
is
sort
of
to
give
you
a
sense
of
of
what
I'm
talking
about
when
I'm
talking
about
the
filter
chain.
A
Now
I'm
going
to
use
and
that's
sort
of
an
abstract
metaphor
here
and
hopefully
most
of
the
folks
remember
familiar
with
some
basic
python.
What
we're
looking
at
here
is
a
fully
functioned
python
web
application
very
simple
one
and
we're
just
going
to
sort
of
use
this
method
as
a
mental
model
to
think
about
a
filter
chain.
So
in
this
case
you
know,
in
order
for
this
web
app
to
function,
you
have
to
define
a
function
that
complies
to
the
reference
function.
Signature.
A
A
You've
got
a
functioning
web
app
and
you
can
run
this
web
app
like
we're
doing
down
here
and
send
a
simple
web
request
in
and
get
a
response
back,
and
you
can
imagine
that
when
you're
running
this
python
process
somewhere
between
you
know
sending
this
extremely
simple
client
request
and
executing
the
the
python
logic
some
extra
processing
had
to
happen.
A
You
know
somebody
had
to
decode
a
tcp
byte
stream,
recognize
that
it's
http
like
decode,
that
into
http
and
then
turn
it
into
python
data
types
that
are
suitable
for
you
know,
calling
a
function,
and
so
so,
if
you're
going
to
do
that
in
an
envoy
filter
chain,
it
might
look
something
like
this.
You
know
you
start
by
reading
a
rob
block
of
tcp
bytes.
A
You
know
trying
to
interpret
them
as
http,
and
then
you
know
converting
them
into
into
python
data
types
and
then
maybe
calling
some
link
function
now
now
you
know
there
are
no,
I
don't
think
anyone's
doing
android
filters
like
that,
but
you
know
this
is
a.
This
is
what
you're
looking
at
here
is
the
simplest
possible
onboard
filter
chain
which
is
an
empty
one,
and
the
default
behavior
of
an
empty
filter
chain
is
to
close
the
connection,
and
so
a
chain
that
goes
nowhere.
A
An
empty
chain
is,
is
how
outbound
traffic
policy
is
enforced.
You'll
you'll
wind
up
with
an
envoy
listener
that
has
an
empty
filter
chain,
and
that's
it.
The
connection
just
gets
dropped.
I
think
in
practice.
Actually
it's
not
empty
empty.
I
think
the
stats
filter
is
always
there
to
provide
those
nice
metrics
that
you
see
in
cali
and
prometheus
and
things
but
yeah
as
long
as
if
the
chain,
if
the
end
of
the
chain
isn't
a
outbound
connection
somewhere,
then
it
just
gets
closed.
A
So
this
we've
got
just
an
example
here
to
think
about
of
us
of
a
source
and
destination
app.
You
know,
you've
got
some
source,
apps
got
a
couple
of
pods
in
it
got
a
destination
kubernetes
service
you're
going
to
send
a
request
to,
and
we
know
that
you
know
this
service
is
going
to
get
discovered
by
galley
right.
We've
already
talked
about
galleys
out
there
looking
for
services
and
when
it
finds
a
service
like
this
one,
it's
going
to
produce
a
filter
chain.
A
That
looks
something
like
this,
so
it's
got
a
listener
that
matches
the
service
vip
and
it's
got
a
single,
a
link
in
the
filter
chain,
which
is
just
the
tcp
proxy
filter
and
all
it
does
it's
just
a
dumb.
You
know
carbon
copy,
the
bite's
over
in
this
direction,
kind
of
thing,
and
it's
going
to
send
it
to
a
specific
envoy
cluster.
If
you
know
it's
like
a
host
name,
that
represents
some
back
number
of
back
end
that
are
capable
of
servicing
the
request.
A
So
this
is
what
that
same.
Filter
chain
looks
like
in
an
actual
envoy
configuration
and
you
can.
You
can
get
envoy
any
sidecar
to
to
display
this
stuff
for
you
by
using
the
istio
cuddle
config
command,
you
can
ask
for
other
current
listeners
routes,
etc.
That
are
configured,
and
so
you
can
see.
This
is
again
the
listener
name.
Tcp
proxy
is
the
only
link
in
this
chain
and
there's
the
outbound
destination
cluster.
A
A
This
is
why
you
go
and
go
out
and
spend
big
money
on
istio,
because
you
get
all
this
visibility
and
so
even
for
a
simple
tcp
proxy
you're
always
going
to
see
this
in
here
and
then,
incidentally,
if
you're
looking
at
your
istiometrics
and
when
you
see
cx
as
a
suffix
like
underscore
cx
as
a
suffix
on
a
metric
name,
that
means
connection,
which
means
that
the
statistic
was
generated
by
the
tcp
stats
filter.
A
And
if
you
see
rq,
that
means
request,
which
means
the
statistic
was
generated
by
the
http
stats
filter,
which
gives
you
which
understands
http
and
gives
you
a
little
more
fidelity
there.
A
Okay
now
I've
said
the
word
extension
a
couple
times
I
may
have
said
plug-in,
but
you'll
find
in
envoy,
and
you
know
in
slack
and
github
and
so
forth,
people
will
sort
of
use
the
words
extension
and
plug-in
interchangeably
to
describe
basically
any
of
the
code
that
go
hooks
into
envoy
to
expand
its
functionality.
A
And
while
it's
true
that
all
all
of
the
filters
in
the
filter
chain
that
we're
talking
about
are
extensions,
not
all
extensions
are
filters
or
filters
or
they're
extensions
that
do
all
kinds
of
other
things.
Now.
This
is
just
some
of
the
things:
the
istio
functionality,
that's
I
shouldn't
say
not
just
issue
but
also
envoy
functionality.
That's
provided
by
extensions
that
have
nothing
to
do
with
being
part
of
the
filter
chain.
A
So
when
I
think
of
the
data
plane,
I
think
of
just
that
filter
chain-
that's
that
is
the
heart
of
the
filter
chain.
So
so
these
are
the
types
of
filters
that
that
can
be
assembled
to
compose
a
chain,
and
there
are
more
than
these.
These
are
just
sort
of
the
core
ones
that
we
talk
about
so
listener
filters
always
executed.
A
First,
they
typically
are
going
to
inspect
an
incoming
connection
and
try
to
determine
some
learn
something
about
what
the
nature
of
that
connection
and
then
attach
a
little
bit
of
metadata
to
inside
of
you
know,
istio
memory
or
the
sidecar
memory.
A
I
should
say
about
what
it's
found
so
typically,
this
looks
like
checking
to
see
if
it's
tls,
if
it's
tls,
then
that
you
know
this
look,
a
boolean
gets
said:
you're
checking
to
see
if
it's
http,
that
sort
of
thing
and
then
usually
what
that
means
is
that
a
particular
network
filter
winds
up
processing
that
connection
based
on
what's
discovered
by
the
listener
filter.
A
Now
network
filters
tend
to
be
layer,
7
aware
so
you're
going
to
find
network
filters
out
there
for
redis
kafka
things
like
that.
Typically,
a
network
filter
is
going
to
implement
some
kind
of
layer.
7
features
usually
something
like
application,
aware:
connection,
pooling
or
smart
routing.
Something
like
that,
and
if
you
think
about
I
mean
you
could
implement
an
entire
network
service
right
in
the
network.
Filter
actually-
and
in
fact,
envoy
comes
with
a
couple
of
them.
A
There's
an
echo
filter
and
http
direct
response
filter
that
you
can
program
to
say
if
request
comes
to
slash,
foo
return,
a
500
or
something
like
that.
I
mean
technically
that's
a
complete
service
and
then
just
because
http
is
so
important
in
the
modern
web.
There's
a
whole
subcategory
of
network
filter.
That's
just
http
filters,
so
the
h,
the
http
network
filter,
is
called
the
http
connection.
Manager
you'll
frequently
see
this
shortened
to
just
hcm
and
http
connection
manager
then
has
many
other
filters
that
can
hang
off
of
that
to
provide
http
functionality.
A
A
A
Then
we
start
providing
our
http
value.
You
know
we're
collecting
http
stats,
we're
you
know,
injecting
headers
and
stuff
like
that.
Now
it's
worth
pointing
out
the
the
http
router
filter
filter
needs
to
be
present.
Otherwise
the
request
doesn't
go
anywhere,
so
it's
usually
the
last
one
in
the
filter
chain
and
then
once
the
request
gets
routed
well,
that
little
red
arrow
there
is
actually
doing
a
lot
of
heavy
lifting.
So
we're
going
to
take
a
quick
diversion
to
just
talk
about
how
requests
actually
get
routed.
A
Now
this
diagram
also
lifted
from
matt
klein's
envoy
internal
steep
dive,
talk
which
again
linked
here.
Please
go
watch
it.
You
will
learn
things,
there's
a
lot
more
going
on
here
than
we're
going
to
talk
about,
but
so
far
with
the
little
filter
diagram
that
I
showed.
We
have
traversed
this
much
of
the
path.
A
So,
keeping
in
mind
that
you
know
cluster
means
hostname
and
upstream
means:
where
connections
go
once
a
routing
decision
has
been
made
by
some
filter,
either
tcp
or
http.
That
filter
is
then
going
to
ask
the
cluster
manager
for
connection
to
an
upstream
service,
and
that's
that's
sort
of
this
component
here.
So
there's
a
manager
for
all
these
envoy
constructs
the
cluster
manager
handles
you
know
things
like
knowing
which
endpoints
are
healthy
and
doing
load,
balancing
and
connection
pooling
and
those
sorts
of
things.
There's
an
alternate
diagram
lifted
from
the
envoy
docs.
A
Just
to
give
you
a
different
visual
representation
of
how
the
managers
relate
to
clusters
and
listeners
that
they're
responsible
for
okay.
So
with
that
little
red
arrow
covered,
there's
one
more
filter
abstraction
worth
talking
about
before
we
move
on,
and
that
is
the
this
thing
called
the
filter
chain
match
the
filter
chain
match
basically
allows
you
to
make
choice
about
which
filters
are
going
to
be
applied.
Based
on
what
the
listener
filters
discover
and
so
remember
we
talked
about
listening
filters.
A
You
know
doing
some
sort
of
test
and
reporting
back
and
then
once
they've
extracted
some
information
about
an
inbound
connection.
You
can
use
the
filter
chain
match
to
test
those
properties
that
were
discovered
by
the
listener
filters
and
then
go
down
one
of
several
arbitrary
paths.
A
So,
for
example,
if
you
determine
that
the
incoming
connection
is
http
because
the
listener
the
http
listener
filter
to
determine
that's
true,
then
you
can
pass
it
off
to
the
http
connection
manager
and
then
do
your
http
routing
and
so
forth,
and
if
you
can't
determine
that
it's
http,
it's
probably
safe
to
just
treat
it
as
tcp.
So
that's
the
default
and
then
router
to
an
stream
cluster,
and
this
is
what
that
looks
like
in
an
actual
envoy
config.
So
here
you've
got
this
listener.
A
This
one's
listening
on
this
1510
and
you
can
see
the
filter
chain
matches
here
and
basically
it
says
if
this
happens
to
be
http
one
one
point
one
or
two,
then
we're
gonna
apply
the
filters
found
in
this
list,
and
this
is
the
the
empty
match
condition
you
know
if
the
any
other
connection.
Essentially,
that
is
not
these
things.
We're
gonna
apply
the
filters
found
in
this
filter
chain
here
and
to
be
clear.
A
You
know,
I'm
really
wanna
just
connect
these
sort
of
abstract
ideas
to
the
concrete
envoy,
configs
you're
gonna
find
because
sooner
or
later,
you're
gonna
find
yourself
dumping
on
voice
and
looking
at
them
and
scratching
your
head,
and
hopefully
this
will.
This
will
help
with
that
exercise.
A
How
does
it
actually
end
up
in
the
envoy
process
in
the
same
pod,
instead
of
actually
being
routed
out
through
the
network
interface
to
where
it's
supposed
to
be
going?
Well,
if
you've
been
around
kubernetes
for
four
seconds,
you'll
know
that
everything
is
done
with
ip
tables,
and
this
is
how
we
do
this
here
too.
So
this
is
a
dump
of
all
of
the
iptables
rules
from
inside
of
a
pod
with
an
istio
sidecar.
A
These
have
all
been
added
as
part
of
the
sidecar
injection
process
by
in
the
knit
container
and
that
logic
for
that
lives
inside
of
a
command
called
pilot
agent.
You
can
find
in
the
repo.
It
also
does
a
bunch
of
other
useful
stuff.
A
A
So
basically,
what
we
see
here
is
that
we're
telling
any
outbound
connection
coming
out
of
this
pod
to
pass
through
that
particular
ip
tables
chain.
The
whole
chain
is
out
here,
but
the
most
of
it
is
not
important.
All
we're
really
saying
is
that
anything
that
goes
basically
anything
not
everything,
but
basically
anything
that
comes
out
of
this
pod
needs
to
pass
through
this
one
chain
and
that
chain
is
going
to
redirect
it
to
localhost
15001,
and
the
same
thing
is
actually
done
for
traffic
coming
into
this
pod
on
15006.
A
And
what
that
means
is
that
you
can
pop
into
a
sidecar
pod,
yeah
pop
into
a
pod
and
look
and
dump
the
listing
processes
from
that
sidecar,
and
what
you'll
find
is
that
there's
actually
only
two
ports
listening
for
all
of
this
traffic,
I
mean
a
couple:
other
sort
of
maintenance
ports
like
debug,
port
and
statsport,
and
things
like
that,
but
fifteen
thousand
and
one
fifteen
thousand
six.
A
This
is
the
only
place
that
data
plane
traffic
is
passing
through,
and
this
is
sort
of
the
sort
of
secret
of
an
envoy
listener
that
you
don't
see
documented
really
well
anywhere,
is
that
most
of
them
are
logical.
Most
of
them
don't
actually
open
ports.
A
So
the
way
this
will
fit
together
is
that
you've
got
your
source
app.
You
know
it
shoots.
A
laser
out.
Tcp
shaped
laser
bounces
off
an
ip
table's
mirror
goes
into
an
actually
open
port
on
this
virtual
outbound
makes
its
way
into
a
filter
chain,
gets
processed,
and
then
the
pass-through
cluster
which
is
sort
of
the
default
destination
for
a
lot
of
traffic
that
hasn't
been
matched
yet.
A
Has
this
option
called
original
dst,
which
uses
iptable's
kernel
magic
that
I
don't
understand
to
recover
the
original
destination
port
and
ip
address
for
this
request
after
it
has
been
rewritten
by
iptables
iptables
has
hidden
it
somewhere
and
allows
it
to
be
recovered.
So
so
he
starts
out
with
a
destination
ip
import
here
gets
rewritten
by
ip
tables
to
this,
but
by
the
time
it
pops
out
this
end,
it's
actually
been
restored,
and
so
what
that
means
is
that
now
envoy
can
look
through
the
entire
collection
of
listeners.
A
You
know
this
huge
list
of
all
these
other
services
in
the
cluster
and
see
any
of
these
match,
and
if
it
finds
one
that
matches
the
characteristics
of
the
now
restored
port
and
ip,
then
it
can
use
that
as
a
match
and
execute
the
pass.
The
filter
chain
pass
the
connection
to
that
filter
chain.
A
Okay,
okay,
so
with
that
bit
of
sort
of
how
envoy
functions
taken
care
of
we're
going
to
move
on
to
talking
about
how
the
envoy
configuration
looks
and,
like
I
said
I
do
this,
because
you
know
eventually,
sooner
or
later,
you're
gonna
have
to
dump
a
sidecar
config
and
have
a
look
at
it
and
it's
a
little
bit
daunting.
So
I
saw
this
screenshot
from
a
screencast
from
the
solo.io
folks,
particularly
this
fella
yuval
who's
going
to
be
speaking
here
as
well.
This
week
he
and
adit
who
you
saw
speaking
earlier.
A
Can
we
talk
about
wasn't
filters?
I
guarantee
you
will
learn
something
from
them:
they're,
very
smart
people.
I've
got
a
link
to
this
as
well
in
the
notes
and
he's
absolutely
right
in
this
talk.
He
even
though
youtube
flubbed
the
transcription
envoy
config,
is
not
meant
for
human
consumption.
It's
not
it's
not
fit
for
men
or
beast,
mostly
machines.
Now
this
is
a
full
complete
envoy
config,
I
pulled
it
right
out
of
the
envoy.
Docs
seems
like
it
could
be
reasonable.
A
However,
this
is
an
envoy
config
that
istio
generated
in
an
otherwise
completely
empty
cluster.
Now
I
managed
to
pack
this
mere
90
kilobytes
of
json
into
2.5
megabytes
of
png.
So
I
could
like
show
you
this
high
level
view.
We
are
absolutely
not
going
to
go
drill
down
to
what
these
lines
mean,
I'm
just
going
to
give
you
a
high
level
overview
of
sort
of
the
10
000
foot
view.
A
A
This
is
the,
and
this
is
where
that
comes
from
up
here.
You've
got
things
about
the
the
node
in
this
case.
It's
just
a
pod
so
like
what
is
the
pod
name?
What
cluster
version
is
it
and
so
forth
here?
This
is
all
extension
and
this
initialization
boilerplate,
so
all
those
extensions
we
talked
about
the
ones
that
could
be
filters
or
not
filters
or
extending
istio
in
some
way.
A
This
is
all
initialized
here
down
here:
we're
bootstrapping,
prometheus
metrics
and
the
health
check,
endpoints,
we're
setting
up
local
clusters
and
then
we're
talking
about
envoy
clusters.
So
these
are
like
places
that
you
can
send
a
request
to,
in
this
case,
they're
the
local
prometheus
endpoint
that
provides
the
metrics
how
to
find
sdod
and
how
to
find
zipkin
for
if
you're
tracing
here
we're
bootstrapping,
metrics
and
logging
and
the
tracing
configuration,
and
that's
it-
that's
bootstrap
out
of
the
way
so
forget
about
that
in
here.
A
All
it
is,
is
a
list
of
clusters
and,
like
I
said,
I
pulled
this
envoy
config
out
of
an
otherwise
empty
gke
cluster.
So
this
is
just
like
you
know
the
default
kubernetes
services
that
gali
discovered
out
of
a
mostly
empty
cluster.
So
it's
like
you,
know,
kubernetes
master,
like
the
api
server.
Whatever
else
is
in
there
shows
up
in
this
big
list.
This
is
all
we
have
been
pushed
down
by
seod,
so
forget
about
that
list
of
clusters.
A
Okay,
now
we're
into
listeners.
This
is
probably
where
you're
going
to
want
to
look
if
you
wind
up
with
a
istio
config
that
doesn't
doing
what
you
think
it's
going
to,
we
thought
it
would
do.
This
is
the
part
where
you're
actually
going
to
want
to
scroll
past
all
that
other
stuff
and
look
here,
because
this
is
where
things
like
routing
matches
are
going
to
happen.
Like
checking
headers
checking,
uris
things
like
that.
A
We
also
have
routes
down
here
as
well
as
listeners.
These
are
both
the
static
and
dynamic
routes
and,
like
I
said,
those
things
that
are
places
that
you
could
send
an
hdb
request
if
it
matched
some
characteristics
and
then
finally,
you
can
have
secrets,
so
these
would
be
the
mtls
certificates
for
mutual
like
in
in
mesh
traffic,
and
if
you
happen
to
be
looking
at
the
ingress
gateway,
you'll
find
your
client
terminating
secrets
there
as
well.
A
A
You
know:
that's
it,
the
you
can
skip
over
almost
all
of
it
when
you're,
when
you're
debugging,
even
though
it
looks
pretty
intimidating
so
now,
there's
this
little
block
that
isn't
colored
in
this
is
a
magic
piece
of
bootstrap
that
basically
tells
envoy.
Now
that
you've
started
up.
Where
do
you
go
for
more
information?
And
basically
this
is
telling
envoy
go
talk
to
sdod
for
all
the
important
things
that
it's
that
gal
is
discovering.
A
A
Okay,
so
that's
envoy
config,
I'm
going
to
park
it
right
there.
I
know
that
was
a
lot.
So
here's
some
cute
pictures
to
soothe
the
spirit,
and
I
genuinely
hope
I
didn't
make
too
many
grievous
errors,
and
I
genuinely
hope
people
learned
a
new
thing.