Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, January 2019)

1. Do you need a Service Mesh? @mt165pro Istio: An Introduction Matt Turner @mt165 mt165.co.uk DevSecOps London January 2019

2. Istio: an introduction @mt165 Objectives Learn how a packet traverses an Istio/Envoy/Kubernetes system See how the control plane is involved in that process Build a useful mental model for reasoning about, and debugging Istio

3. Istio: an introduction @mt165 Prerequisites Basic networking knowledge Intermediate Kubernetes knowledge An understanding of what Istio is and does

4. Istio: an introduction @mt165

5. Istio: an introduction @mt165 Service AIngress

6. Istio: an introduction @mt165 Service A

7. Istio: an introduction @mt165 Envoy SvcA Service A

8. Istio: an introduction @mt165 “Containers” nginx nginx supervisord mnt uts pid user ipc net

9. Istio: an introduction @mt165 Kubernetes Pods nginx nginx supervisord mnt uts pid user ipc net logger fluentd mnt uts

10. Istio: an introduction @mt165 Kubernetes Pods nginx nginx supervisord mnt uts pid user ipc net logger fluentd mnt uts 192.168.0.42 eth0 lo sockets iptables routes

11. Istio: an introduction @mt165 Kubernetes Pods nginx nginx supervisord mnt uts pid user ipc net logger fluentd mnt uts 192.168.0.42 eth0 lo sockets iptables routes :8080/tcp

12. Istio: an introduction @mt165 Kubernetes Pods nginx nginx supervisord mnt uts pid user ipc net proxy envoy mnt uts 192.168.0.42 eth0 lo sockets iptables routes :8080/tcp

13. Istio: an introduction @mt165 Sidecar Injection pid user ipc net 192.168.0.42 eth0 lo sockets iptables routes

14. Istio: an introduction @mt165 Sidecar Injection pid user ipc net 192.168.0.42 eth0 lo sockets iptables routes alpine sysctl -w kernel.core_pattern=...

15. Istio: an introduction @mt165 Sidecar Injection pid user ipc net 192.168.0.42 eth0 lo sockets iptables routes istio/proxy_init /usr/local/bin/prepare_proxy.sh -p 15001 -u 1337

16. Istio: an introduction @mt165 Sidecar Injection nginx nginx mnt uts pid user ipc net istio/proxy envoy mnt uts 192.168.0.42 eth0 lo sockets iptables routes :15001/tcp

17. Istio: an introduction @mt165 Envoy SvcA Service A

18. Istio: an introduction @mt165 Envoy SvcA Service A ? ? ?

19. Istio: an introduction @mt165 Services $ kubectl get service -o wide service-b NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR service-b ClusterIP 10.98.84.169 <none> 80/TCP 90s app=service-b

20. Istio: an introduction @mt165 Service DNS exposure $ dig service-b.default.svc.cluster.local. ;; ANSWER SECTION: service-b.default.svc.cluster.local. 5 IN A 10.98.84.169

21. Istio: an introduction @mt165 Pods $ kubectl get pods -o wide | grep service-b service-b-644856485c-4rk88 1/1 Running 0 7m46s 10.32.0.4 kind-1-control-plane <none> service-b-644856485c-dc2zv 1/1 Running 0 7m46s 10.32.0.6 kind-1-control-plane <none> service-b-644856485c-gr75k 1/1 Running 0 7m46s 10.32.0.5 kind-1-control-plane <none>

22. Istio: an introduction @mt165 Endpoints $ kubectl get endpoints service-b NAME ENDPOINTS AGE service-b 10.32.0.4:8080,10.32.0.5:8080,10.32.0.6:8080 8m55s

23. Istio: an introduction @mt165 Endpoints $ kubectl get endpoints service-b -o yaml ... subsets: - addresses: - ip: 10.32.0.4 nodeName: kind-1-control-plane targetRef: kind: Pod … ports: - name: http port: 8080 protocol: TCP

24. Istio: an introduction @mt165 Envoy SvcA Pilot Control Plane API Service A Config to Envoys

25. Istio: an introduction @mt165 Envoy SvcA Pilot Control Plane API Service A Config to Envoys k8s consul zk Data plane API

26. Istio, the packet’s-eye view @mt165 Pilot ● Ingress Routing ● Traffic Mirroring ● Traffic Shifting ● Canary Deployments ● Circuit Breaking ● Fault Injection

27. Istio: an introduction @mt165 Envoy SvcA Pilot Control Plane API Service A Service B Config to Envoys

28. Istio: an introduction @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Control Plane API Service A Service B Config to Envoys Policy checks, Telemetry

29. Istio: an introduction @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Control Plane API Service A Service B Config to Envoys prom ES REPORT CHECK RBAC Rate limit Mixer fat client Mixer fat client

30. Istio: an introduction @mt165 Mixer ● Check ○ ACLs / Authorization ○ Rate Limiting ● Report ○ Logs ○ Metrics ○ Tracing

31. Istio: an introduction @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Control Plane API Service A Service B Config to Envoys Policy checks, Telemetry

32. Istio: an introduction @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Config to Envoys TLS certs to Envoys Policy checks, Telemetry

33. Istio: an introduction @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Config to Envoys TLS certs to Envoys Policy checks, Telemetry

34. Istio: an introduction @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Config to Envoys TLS certs to Envoys Policy checks, Telemetry API Serveretcd kubectl

35. Istio: an introduction @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Config to Envoys TLS certs to Envoys Policy checks, Telemetry Envoy Envoy Envoy Envoy Envoy Envoy Envoy Envoy Ingress Egress

36. Istio: an introduction @mt165 Recap We learned: ● How a packet traverses an Istio/Envoy/Kubernetes system ● What control plane calls are made in that process ● A useful mental model for reasoning about, and debugging Istio

37. Do you need a Service Mesh? @mt165pro Thanks! @mt165

Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, January 2019)

Michael Man

Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, January 2019)