Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Stop reinventing the wheel with Istio by Mete Atamel (Google)

200 views

Published on

#Codemotion Rome 2018 - Containers provide a consistent environment to run services. Kubernetes help us to manage and scale our container cluster. Good start for a loosely coupled microservices architecture but not enough. How do you control the flow of traffic & enforce policies between services? How do you visualize service dependencies & identify issues? How can you provide verifiable service identities, test for failures? You can implement your own custom solutions or you can rely on Istio, an open platform to connect, manage and secure microservices.

Published in: Technology
  • Be the first to comment

Stop reinventing the wheel with Istio by Mete Atamel (Google)

  1. 1. Confidential & Proprietary Stop reinventing the wheel with Istio Mete Atamel Developer Advocate at Google @meteatamel
  2. 2. Confidential & Proprietary Agenda 1. The need for Istio Containers, Kubernetes, Istio 2. What is Istio? Istio at the high level, setup 3. Building Blocks Envoy, Mixer, Pilot, Istio-Auth 4. Add-ons Grafana, Prometheus, Zipkin, ServiceGraph 5. Traffic Management Request Routing, Discovery & Load Balancing, Failure Recovery & Injection
  3. 3. The need for Istio Containers, Kubernetes, Istio
  4. 4. Confidential & Proprietary Code that solves a problem Make that code production ready (logging, tracing, auth, load balancing, etc) A way to package and run that code consistently on different environments A way to deploy (hopefully optimally) and manage that code Solving a problem with software
  5. 5. Confidential & Proprietary Code that solves a problem => You Make that code production ready => Istio A way to package and run that code consistently => Docker A way to deploy and manage that code => Kubernetes Solving a problem with software
  6. 6. Confidential & Proprietary What is a container? Lightweight Hermetically sealed Isolated Easily deployable Introspectable Composable Linux (or Windows) processes A lightweight way to virtualize applications
  7. 7. 7 Docker: Tooling for the masses FROM debian:latest RUN apt-get update RUN apt-get install -y nginx CMD [“nginx”,”-g”,”daemon off;”] EXPOSE 80 Docker is a container runtime and image format Dockerfile defines the dependencies, environment and the code to run Container is a consistent invocation of a Dockerfile
  8. 8. Confidential & Proprietary Containers are not enough Service Discovery Redundancy Scheduling Scaling up & down Rolling out & back Resiliency Config & Secrets Health Checks
  9. 9. Confidential & Proprietary Kubernetes Κυβερνήτης means “governor” in Greek • Manages container clusters • Inspired and informed by Google’s internal container system called Borg • Supports multiple cloud and bare-metal environments • 100% Open source, written in Go Manage applications, not machines
  10. 10. Confidential & Proprietary Microservices in Kubernetes world Service Pods Each pod containers one or more containers Nodes Role: frontend Role: frontend Role: frontend Role: frontend Replication controller Replicas: 3 Env: prod microservice labels Service communication channel Blueprint “pod template” Env: prod Env: prod Env: prod registry containers
  11. 11. Confidential & Proprietary Kubernetes is not enough either Dependency Visualisation Tracing Metrics Logging Circuit Breaking Service Identity & Auth Fault Injection Traffic Flow & Policies Failover
  12. 12. What is Istio? Istio at the high level, setup
  13. 13. Confidential & Proprietary Istio: High level goals Community maturing and gathering around common tools Decouple application code from underlying platform and policies
  14. 14. Confidential & Proprietary Istio Ιστιο means “sail”. An open platform to connect, manage, and secure microservices. ● Platform support: Kubernetes, Mesos, Cloud Foundry ● Observability: Metrics, logs, traces, dependency visualisation ● Service Identity & Security: Provide verifiable identity to services, service-to-service authentication ● Traffic Management: Dynamically control traffic between services, ingress/egress routing, fault injection ● Policy enforcement: Precondition checking, quota management between services
  15. 15. Confidential & Proprietary Istio: At the very high level Users Cloud SQL frontend pictures payments auth External Payment Processor
  16. 16. Confidential & Proprietary Istio: At the very high level Users Cloud SQL frontend pictures payments auth External Payment Processor proxy proxy proxy proxy ingress
  17. 17. 18 $ gcloud container clusters create hello-istio --enable-kubernetes-alpha --machine-type=n1-standard-2 --num-nodes=4 --no-enable-legacy-authorization --zone europe-west1-b Creating cluster hello-istio...done. Created [https://container.googleapis.com/v1/projects/dotnet-atamel/zones/europe-west1-b/clusters/hello-istio] NAME LOCATION MASTER_VERSION MASTER_IP MACHINE_TYPE NODE_VERSION NUM_NODES STATUS hello-istio europe-west1-b 1.7.12-gke.0 ALPHA 35.190.192.251 n1-standard-2 1.7.12-gke.0 4 RUNNING $ kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value core/account) clusterrolebinding "cluster-admin-binding" created
  18. 18. Confidential & Proprietary Demo: Install Istio
  19. 19. Building Blocks Envoy, Mixer, Pilot, Istio-Auth
  20. 20. Confidential & Proprietary Istio Architecture Mixer Istio-Auth frontend payments proxy proxy Pilot Discovery & config data to Envoy sidecars TLS certs to Envoy sidecars Policy checks, telemetry Traffic transparently proxied — unaware of Envoy sidecars Control Plane HTTP/1.1, HTTP/2, gRPC with or without TLS
  21. 21. Confidential & Proprietary Envoy Proxy A high-performance proxy in C++, to mediate all inbound/outbound traffic ● Dynamic service discovery ● Load balancing, TLS termination ● HTTP/2 & gRPC proxying ● Circuit breakers, health checks, rich metrics Deployed as a sidecar to the relevant service in the same Kubernetes pod
  22. 22. Confidential & Proprietary Pilot Responsible for managing Envoy proxies in the service mesh. ● Service discovery for Envoy ● Traffic management capabilities for routing (A/B testing, canary deployments) ● Resiliency (timeouts, retries, circuit breakers) ● Converts high level routing rules into Envoy specific configurations and propogates them to sidecars at runtime
  23. 23. Confidential & Proprietary Pilot
  24. 24. Confidential & Proprietary Mixer 1. Precondition Checking. Enables callers to verify a number of preconditions before responding to an incoming request from a service consumer. 2. Quota Management. Enables services to allocate and free quota (eg. rate limits) 3. Telemetry Reporting. Enables services to report logging and monitoring
  25. 25. Confidential & Proprietary Istio-Auth 1. Provides each service with a strong identity 2. Provides service-to-service and end-user authentication using mutual TLS 3. Provides a key management system to automate key and certificate generation, distribution, rotation, and revocation
  26. 26. Confidential & Proprietary Demo: Deploy App
  27. 27. Add-ons Grafana, Prometheus, Zipkin, ServiceGraph
  28. 28. Confidential & Proprietary Grafana: Analytics and monitoring
  29. 29. Confidential & Proprietary Prometheus: Query metrics
  30. 30. Confidential & Proprietary Zipkin: Tracing
  31. 31. Confidential & Proprietary ServiceGraph
  32. 32. Confidential & Proprietary Demo: Install add-ons
  33. 33. Traffic Management Request Routing, Discovery & Load Balancing, Failure Recovery & Injection
  34. 34. Confidential & Proprietary Traffic Management Istio’s traffic management decouples traffic flow and infrastructure scaling Dynamic request routing for A/B testing, gradual rollouts, canary releases Discovery & load balancing across services Failure recovery using timeouts, retries, and circuit breakers Fault injection to test the compatibility of recovery policies across services
  35. 35. Confidential & Proprietary Request Routing
  36. 36. Confidential & Proprietary Discovery & Load Balancing
  37. 37. Confidential & Proprietary Failure Recovery Out-of-the-box opt-in failure recovery features: ● Timeouts ● Bounded retries with timeout budgets and variable jitter between retries ● Limits on number of concurrent connections ● Periodic health checks on each member of the load balancing pool ● Fine-grained circuit breakers (passive health checks) – applied per instance in the load balancing pool
  38. 38. Confidential & Proprietary Fault Injection Systematic fault injection to identify weaknesses in failure recovery policies ● HTTP/gRPC error codes ● Delay injection frontend movies proxy proxy stars proxy timeout: 100ms retries: 3 300ms timeout: 200ms retries: 2 400ms
  39. 39. Confidential & Proprietary Demo: Change routes
  40. 40. Confidential & Proprietary Demo: Cleanup
  41. 41. Confidential & Proprietary Thank you! Mete Atamel @meteatamel

×