Intel Distribution of Istio 939939
Istio uses Envoy as a sidecar to handle secure connections and intercept traffic. Depending on the use case, when an Istio Ingress Gateway must handle a large number of incoming TLS connections and secure service-to-service connections through sidecar proxies, the load on Envoy increases. Performance depends on many factors, such as the size of the cpuset on which Envoy is running, incoming traffic patterns, and key size. These factors can affect how well Envoy serves many new incoming TLS requests. To improve performance and accelerate handshakes, the CryptoMb feature was introduced in Envoy 1.20 and Istio 1.14.
The Prometheus data source includes the Istiod and Envoy metrics used to visualize CryptoMb features. Grafana visualizes the important CryptoMb data: bucket utilization, Envoy listener requests, Envoy listener handshakes, and current Envoy TLS connections. In addition, the dashboard includes CPU and memory utilization graphs for the Istio Ingress Gateway and Kubernetes nodes. More information about CryptoMb is in the Istio documentation: https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#PrivateKeyProvider-CryptoMb
Used Metrics 14
- envoy_listener_cryptomb_rsa_queue_sizes_bucket
- envoy_listener_cryptomb_rsa_queue_sizes_count
- envoy_listener_ssl_handshake
- envoy_server_total_connections
- container_memory_usage_bytes
- container_memory_working_set_bytes
- container_cpu_system_seconds_total
- container_cpu_user_seconds_total
- container_cpu_usage_seconds_total
- node_memory_MemTotal_bytes
- node_memory_MemFree_bytes
- node_memory_Cached_bytes
- node_memory_Buffers_bytes
- node_cpu_seconds_total
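The bucket utilization view is derived from the cumulative histogram series `envoy_listener_cryptomb_rsa_queue_sizes_bucket` and its `_count`. The following is an added example, not part of the dashboard or of Istio: it parses a scrape in Prometheus text format and converts the cumulative buckets into the share of observations per bucket. The sample scrape, its label names and its values are constructed for illustration.

```python
import re
from collections import defaultdict

PREFIX = "envoy_listener_cryptomb_rsa_queue_sizes"

# Constructed scrape output; label names and values are illustrative only.
SAMPLE = """\
# TYPE envoy_listener_cryptomb_rsa_queue_sizes histogram
envoy_listener_cryptomb_rsa_queue_sizes_bucket{listener_address="0.0.0.0_8443",le="1"} 40
envoy_listener_cryptomb_rsa_queue_sizes_bucket{listener_address="0.0.0.0_8443",le="5"} 100
envoy_listener_cryptomb_rsa_queue_sizes_bucket{listener_address="0.0.0.0_8443",le="10"} 400
envoy_listener_cryptomb_rsa_queue_sizes_bucket{listener_address="0.0.0.0_8443",le="+Inf"} 400
envoy_listener_cryptomb_rsa_queue_sizes_count{listener_address="0.0.0.0_8443"} 400
"""

LINE = re.compile(r'^([A-Za-z_:][\w:]*)(?:\{(.*)\})?\s+(\S+)$')
LABEL = re.compile(r'(\w+)="([^"]*)"')

def parse_samples(text):
    """Yield (metric name, labels dict, value) for each sample line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # blank lines and '# HELP' / '# TYPE' comments do not match
            name, labels, value = m.groups()
            yield name, dict(LABEL.findall(labels or "")), float(value)

def queue_size_shares(text):
    """Map each bucket upper bound (le) to its share of all observations.

    Buckets are summed across label sets (listeners, workers) first,
    the same aggregation as PromQL's sum by (le).
    """
    cumulative, total = defaultdict(float), 0.0
    for name, labels, value in parse_samples(text):
        if name == PREFIX + "_bucket":
            cumulative[float(labels["le"])] += value  # float("+Inf") is inf
        elif name == PREFIX + "_count":
            total += value
    if total == 0:
        return {}  # no RSA operations observed yet
    bounds = sorted(cumulative)
    if not bounds or cumulative[bounds[-1]] != total:
        raise ValueError("+Inf bucket does not match _count; scrape is inconsistent")
    shares, prev = {}, 0.0
    for le in bounds:  # de-cumulate: each bucket minus the one below it
        shares[le] = (cumulative[le] - prev) / total
        prev = cumulative[le]
    return shares
```
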