Speaker

Sudheendra Murthy

Cloud Infrastructure @ eBay

San Francisco, California, United States

Sudheendra is a Principal Engineer and Cloud Architect in the Cloud Infrastructure group at eBay. He has more than 14 years of experience in cloud technologies including Kubernetes, Micro-segmentation, SDN, OpenStack and designing highly scalable and performant systems.

Area of Expertise

  • Information & Communications Technology

Topics

  • service mesh
  • eBPF
  • Kubernetes

Istio at scale: How eBay is building a massive multitenant service mesh using Istio

Managing a service mesh that spans hundreds of thousands of containers across the globe is no easy feat. At high scale, achieving fast configuration convergence time to thousands of proxies, while limiting the CPU & memory utilization of the control plane & proxies, is a challenging problem. This talk describes eBay's initial journey into building a scalable service mesh that provides traffic management, load-balancing, security and observability features at scale, leveraging Istio. The talk presents the federated design to manage configuration across multiple meshes in different availability zones, and multiple trust domains to support workloads in different environments. The talk shares results from the extensive control-plane scale and performance tests to establish the efficacy of the design to support the massive scale, provides insights into the breaking limits of the Istio control plane and sidecar proxy, and finally provides best practices & recommendations to operate Istio at scale.

Catch Me If You Can! Scalable Enforcement of Layer 4 Network Policy at Layer 7 with Cilium and Istio

eBay ranks amongst the most visited e-commerce sites, and efficient L4 load-balancing coupled with service mesh is key to handling planet-scale traffic. Reusing HTTP connections reduces latencies by multiplexing client requests over existing connections between the Istio ingress gateway and server pods. However, this introduces a unique security challenge where client requests not allowed by L4 policy can bypass policy enforcement due to connection reuse. The alternative solution of enforcing L4 policies at the gateway does not scale, so we need a new approach.

In this talk, Sudhi will describe eBay's new high-scale traffic ingress architecture built with Cilium XDP L4 load balancer & Istio mesh, and show how L4 identities are sent end-to-end over shared connections. Vinay will discuss innovative ways to enforce L4 network policies at L7, address security hurdles such as root access for BPF map lookup, show how to strike a balance between security & low latency, and conclude with a demo.
