| ▲ | p_l 3 hours ago |
| Doing it well IMO requires not deploying everything as sidecar but maybe, maybe, deploying it as shared node service. In fact pretty sure I've read a write up from Alibaba? on huge wins in performance due to moving Istio out of sidecar and into shared node service. |
|
| ▲ | cyberpunk an hour ago | parent [-] |
| Sure, cilium is also much faster than istio. But I guess it depends on your workload. We don't care all that much about performance vs compliance (non-hft finance transactional stuff) and I think we're doing things reasonably well. :} |
| |
| ▲ | p_l 26 minutes ago | parent [-] | | I didn't mean replace istio with cilium, I meant running the proxy and routing operations as shared part per node instead of per pod | | |
| ▲ | cyberpunk 10 minutes ago | parent [-] | | How does that even work with envoy? The magic sauce behind istio is that every connection is terminated using iptables into the envoy process (sidecar), and istiod spaffs envoy configurations around the place based on your vs/dr/pas/access controls etc. I suppose you could have a giant envoy and have all the proxy-configs all mashed together but I really don't see any benefit to it? I can't even find documentation that says it's possible.. | | |
| ▲ | p_l a minute ago | parent [-] | | Couldn't check all details yet, but from quick recap: It's called ambient mode, and uses separate L4 and L7 processing on ways that would be familiar to people who dealt with virtual network functions - and neither l4 nor l7 parts require sidecar |
|
|
|
