apidays Paris 2022 - The Magic of Service Mesh, Charly Molter, Kong

2. 2023 SERIES OF EVENT
New York
May 16&17
Australia
October 11&12
Singapore
April 12&13
Helsinki & North
June 5&6
Paris
SEPTEMBER
London
November
15&16
June 28-30
SILICON VALLEY
March 14&15
Dubai & Middle East
February 22&23
3. THE CLOUDCONNECTIVITYCOMPANY
2
© Kong Inc.
Why this Talk?
- Sidecars are amazing, you'll see!
- It's fun to understand how a service mesh works
- As a user it's useful to understand how things work
- Learn how to troubleshoot and leverage some Kuma tools
8. Why a sidecar?
- Simple security model
- Containers did a lot of work to achieve multi-tenancy
- Great failure isolation (if you crash your sidecar, only your pod loses connectivity)
- Your sidecar scales like your app does
- Upgrading your sidecar is like upgrading your app, something you already do, right?!
For more: https://thenewstack.io/ebpf-or-not-sidecars-are-the-future-of-the-service-mesh/
10. What happens under the hood: Inspecting your sidecar
- Envoy exposes a very complete admin API on 127.0.0.1:9901 (bound to loopback, so only processes inside the pod can reach it)
- Use kumactl or the GUI to access it:
  - policies: list the policies that apply to your dataplane
  - config-dump: get the full Envoy config dump
  - stats: show the stats of the proxy
  - clusters: show information about Envoy clusters and their endpoints
11. What happens under the hood: Mutual TLS and certificate rotation
- The control plane issues a certificate per sidecar
- Sidecar info is added to the SAN of the cert as a SPIFFE ID, e.g. spiffe://default/demo-app_kuma-demo_svc_5000 (spiffe://<mesh>/<kuma.io/service>)
- The server leverages the SPIFFE ID to identify its clients
- The cert is renewed by the control plane before it expires
12. What happens under the hood: Mutual TLS and certificate rotation
- The control plane issues one certificate for each sidecar and hands it to Envoy over SDS
- The control plane regenerates it when 4/5 of the expiration time has passed
- Envoy picks up the new certificate without a restart
- Dataplane tags are added to the SAN of the cert as SPIFFE IDs, e.g. spiffe://default/demo-app_kuma-demo_svc_5000
13. What happens under the hood: CA rotation is almost as easy
- The control plane issues new certificates for all dataplanes using the backend named in the Mesh's "enabledBackend"
- All sidecars are given both CAs as trust anchors, so clients with old and new certs are both accepted
- Once all sidecars are on the new CA you can delete the old backend
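As an added example (not from the talk or the Kuma project), a Kuma Mesh resource captured in the middle of the CA rotation described above, followed by a TrafficPermission that uses the service identity carried in the SPIFFE SAN to decide which clients the demo-app server accepts. The backend names ca-1/ca-2, the certificate lifetimes and the frontend service name are assumptions; the resources are in the universal (kumactl apply) format.

```yaml
# Added example, not taken from the talk. Backend names, lifetimes and the
# frontend service name are assumptions for illustration.
type: Mesh
name: default
mtls:
  # Rotation step 2 of 3: issuance has been switched from ca-1 to ca-2.
  # Step 1 was adding ca-2 to `backends` while enabledBackend was still ca-1,
  # so every sidecar already trusts both CAs. Step 3 (delete ca-1) waits until
  # no sidecar still holds a ca-1-issued cert, i.e. at least one dpCert
  # expiration after this switch.
  enabledBackend: ca-2
  backends:
    - name: ca-1            # old CA: still trusted, no longer used for issuance
      type: builtin
      dpCert:
        rotation:
          expiration: 1d    # sidecar certs are renewed before this elapses
      conf:
        caCert:
          RSAbits: 2048
          expiration: 10y
    - name: ca-2            # new CA: trusted by every sidecar as long as it is listed
      type: builtin
      dpCert:
        rotation:
          expiration: 1d
      conf:
        caCert:
          RSAbits: 2048
          expiration: 10y
---
# Authorization on top of mTLS: the destination sidecar matches the client's
# SPIFFE ID (spiffe://default/<kuma.io/service>) against `sources`, so only
# the frontend may call demo-app; any other identity is rejected.
type: TrafficPermission
name: frontend-to-demo-app
mesh: default
sources:
  - match:
      kuma.io/service: frontend_kuma-demo_svc_8080
destinations:
  - match:
      kuma.io/service: demo-app_kuma-demo_svc_5000
```

TrafficPermission is only enforced when mTLS is enabled on the mesh, and the `allow-all-default` TrafficPermission that Kuma creates with a new mesh has to be removed for this policy to be restrictive. Apply each resource with `kumactl apply -f`.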
14. What happens under the hood: How about metrics?
- Envoy exposes metrics on :5670
- The sidecar can also scrape your application's metrics on :5000 and serve them from the same endpoint
- Application metrics and sidecar metrics are all exposed with a common set of labels regardless of where they run (Kubernetes or elsewhere)
- No need to expose your application's metrics port to scrape metrics: :5670 is the only port Prometheus needs to reach, and it can be protected by the mesh's mTLS
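The metrics setup from this slide as a Kuma Mesh metrics backend, added here as an example and not taken from the talk. Only the ports 5670 and 5000 come from the slide; the backend name and the aggregate name are assumptions, and the field names should be checked against the Kuma version in use. In a real Mesh this `metrics` section sits in the same resource as the `mtls` section; it is shown on its own to keep the example focused on this slide.

```yaml
# Added example, not from the talk. Backend and aggregate names are assumptions.
type: Mesh
name: default
metrics:
  enabledBackend: prometheus-1
  backends:
    - name: prometheus-1
      type: prometheus
      conf:
        port: 5670          # the only port Prometheus needs to reach on each pod
        path: /metrics
        skipMTLS: false     # scrapes go through mTLS: Prometheus itself runs inside the mesh
        aggregate:          # the sidecar scrapes these and merges them into its own output
          - name: app
            port: 5000      # the application's own /metrics, never exposed outside the pod
            path: /metrics
```

With `skipMTLS: false` an out-of-mesh scraper gets a TLS handshake failure on :5670; set it to `true` only when Prometheus cannot be given a sidecar, since the metrics endpoint is then reachable by anything on the network.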
15. What happens under the hood: Endpoint discovery / load balancing
- Whenever a pod is added or removed, or goes unhealthy, the CP recomputes the configuration of all of the service's clients
- All this usually happens in < 1 second
- The load balancing algorithm is configurable
16. What happens under the hood: Outlier detection
- Exclude (eject) endpoints for some time if their failure rate jumps over a threshold
- With the threshold set to 15%, the endpoint with 81% success (19% failures) stops receiving requests
18. What happens under the hood: Avoiding shooting yourself in the foot
- When playing with endpoint health, always set a fail-safe to avoid ending up with too few endpoints.
- Here maxEjectionPercent does this: set to 50, Envoy never ejects more than half of the endpoints at once, however many of them look like outliers, so the remaining half keeps serving traffic.
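The two slides above as one Kuma CircuitBreaker policy, added here as an example (not code from the talk). The 15% threshold and the 50% ejection cap are the values the slides discuss; the policy name, interval, ejection time and request volumes are assumptions.

```yaml
# Added example, not from the talk. Name, interval, baseEjectionTime and the
# volume/host minimums are assumptions; threshold and maxEjectionPercent are
# the values from the slides.
type: CircuitBreaker
mesh: default
name: demo-app-outliers
sources:
  - match:
      kuma.io/service: '*'
destinations:
  - match:
      kuma.io/service: demo-app_kuma-demo_svc_5000
conf:
  interval: 5s            # how often Envoy re-evaluates the detectors
  baseEjectionTime: 30s   # first ejection lasts 30s; repeat offenders stay out longer
  # Fail-safe: whatever the detectors say, at most half of the endpoints are
  # ever ejected, so a bad dependency or a mis-tuned threshold cannot empty the pool.
  maxEjectionPercent: 50
  detectors:
    failure:
      requestVolume: 10   # ignore endpoints with fewer than 10 requests in the interval
      minimumHosts: 3     # only evaluate when at least 3 hosts have enough volume
      threshold: 15       # eject when 15% or more of requests failed (81% success => ejected)
```

Without `maxEjectionPercent` Envoy's default cap is 10%, which for a three-endpoint service still allows one ejection because at least one host is always eligible; raising the cap trades availability of the pool for faster isolation of bad endpoints, so pick it per service rather than mesh-wide.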
19. What happens under the hood: Conclusion
- Sidecars implement complex algorithms
- Envoy is very mature, so you can trust these algorithms
- Whenever evaluating the overhead of the mesh, take into account the features it brings
- Use kumactl inspect (or the UI) to figure out how things work
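The conclusion recommends kumactl inspect; the check below, an added example that is not part of the talk, shows what to look for in the clusters view from slide 10 once the outlier detection of slides 16 and 18 has kicked in. It runs over a constructed copy of Envoy's text `/clusters` output, the same data that `curl -s 127.0.0.1:9901/clusters` from inside the pod returns (or, per the slide's list of inspection types, `kumactl inspect dataplane <name> --type=clusters`; check the flag against your kumactl version). The cluster name is the one from the talk; the endpoint addresses, counters and success rates are made up.

```sh
#!/bin/sh
# Added example, not from the talk. SAMPLE_CLUSTERS is a constructed excerpt of
# Envoy's text /clusters output; its line format is cluster::host:port::field::value
# for per-endpoint rows and cluster::section::field::value for cluster-level rows.
# One of the three endpoints has been ejected by outlier detection.
SAMPLE_CLUSTERS='demo-app_kuma-demo_svc_5000::default_priority::max_connections::1024
demo-app_kuma-demo_svc_5000::added_via_api::true
demo-app_kuma-demo_svc_5000::outlier::success_rate_average::94.3
demo-app_kuma-demo_svc_5000::outlier::success_rate_ejection_threshold::85.0
demo-app_kuma-demo_svc_5000::10.42.0.12:5000::health_flags::healthy
demo-app_kuma-demo_svc_5000::10.42.0.12:5000::success_rate::99.0
demo-app_kuma-demo_svc_5000::10.42.0.12:5000::rq_error::1
demo-app_kuma-demo_svc_5000::10.42.0.13:5000::health_flags::/failed_outlier_check
demo-app_kuma-demo_svc_5000::10.42.0.13:5000::success_rate::81.0
demo-app_kuma-demo_svc_5000::10.42.0.13:5000::rq_error::19
demo-app_kuma-demo_svc_5000::10.42.0.14:5000::health_flags::healthy
demo-app_kuma-demo_svc_5000::10.42.0.14:5000::success_rate::100.0
demo-app_kuma-demo_svc_5000::10.42.0.14:5000::rq_error::0'

# endpoint_health CLUSTERS_TEXT CLUSTER_NAME
# Prints one line per endpoint of CLUSTER_NAME: "host:port health_flags success_rate".
# Only rows whose second field looks like host:port are endpoint rows; the
# cluster-level rows (default_priority, outlier, ...) are skipped.
endpoint_health() {
  printf '%s\n' "$1" | awk -F'::' -v c="$2" '
    $1 == c && $2 ~ /:[0-9]+$/ && $3 == "health_flags" { flags[$2] = $4 }
    $1 == c && $2 ~ /:[0-9]+$/ && $3 == "success_rate" { sr[$2] = $4 }
    END {
      for (h in flags) {
        if (h in sr) v = sr[h]; else v = "n/a"
        printf "%s %s %s\n", h, flags[h], v
      }
    }' | sort
}

# ejected_endpoints CLUSTERS_TEXT CLUSTER_NAME
# Prints the host:port of every endpoint Envoy has ejected via outlier detection
# (health_flags contains /failed_outlier_check). These get no new requests
# until baseEjectionTime (times the ejection count) has passed.
ejected_endpoints() {
  endpoint_health "$1" "$2" | awk '$2 ~ /failed_outlier_check/ { print $1 }'
}

# healthy_count CLUSTERS_TEXT CLUSTER_NAME
# Number of endpoints still taking traffic. Compare it with the total to see
# whether maxEjectionPercent is what is keeping the pool alive.
healthy_count() {
  endpoint_health "$1" "$2" | awk '$2 == "healthy" { n++ } END { print n + 0 }'
}

# Stand-alone run: in a real pod replace SAMPLE_CLUSTERS with
#   "$(curl -s 127.0.0.1:9901/clusters)"
endpoint_health "$SAMPLE_CLUSTERS" demo-app_kuma-demo_svc_5000
```

The `/failed_outlier_check` flag is the direct confirmation that the 81%-success endpoint from slide 16 was ejected rather than, say, failing active health checks (`/failed_active_hc`) or being marked down by the control plane (`/failed_eds_health`), which is the distinction you need before deciding whether to tune the CircuitBreaker or look at the pod.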