
Service Mesh on Kubernetes with Istio


The service mesh is one of the newer technologies to grow up around the container and microservice model over the last couple of years, and Istio is the latest entry into this space. With Istio accepted as an incubating project in the CNCF, many companies are now looking to it to provide a set of key functions that accelerate their microservice application management model. Istio provides mutual (bi-directional) authentication and encryption of service-to-service communication over TLS, and at the same time captures application-level communication statistics, improving the application development team's visibility into communication patterns that are otherwise difficult to track. In this way Istio acts like an application-level network, riding on top of the underlying capabilities of Kubernetes CNI-based networks and network policy. We will implement Istio on a GKE Kubernetes cluster and instrument a simple application to get better insight into how Istio provides its capabilities.
Speaker Bio:
With over 20 years of experience as a systems reliability engineer, and a focus on automating not only application deployments but the underlying infrastructure as well, Robert Starmer brings a wealth of knowledge to the full application enablement stack. He has applied this knowledge in fields from high-performance computing to high-frequency trading environments, and everything in between. Robert also holds patents in network, data center, and application performance and scale enhancements. He is a Founder and the CTO at Kumulus Technologies, a DevOps, Systems Reliability Engineering and cloud computing consultancy. Additionally, Robert is an incurable photography nerd and has been known to stay up until dawn in remote locations to capture celestial time-lapses.



  1. © 2017 Kumulus Technologies, @rstarmer. Service Mesh on Kubernetes With Istio
  2. Who are we? Robert Starmer (@rstarmer): CTO/Founder of Kumulus Technologies; OpenStack Ops contributor since 2012; supporting cloud enablement for enterprise OpenStack, Kubernetes, and bare metal to application CD. Kumulus Technologies (@kumulustech): systems consultants supporting cloud migration and integration. Kumulus Tech newsletter: Five Minutes of Cloud:
  3. Access Course Resources. Use the following account to create your course account: @rstarmer
  4. Agenda: Microservices, Kubernetes and Istio ● Microservices ● Kubernetes ● Istio ● Service Mesh ● Mutual TLS (security) ● Routing ● Tracing/Metrics ● Fault Injection ● Lab: get Kubernetes, Istio, launch an app ● Lab: routing
  5. Microservices (Day 2 Operations). Microservices are small nuggets of function, which sounds simple, but as complexity grows, successful operations require: ● Visibility (observability) ● Monitoring ● Metrics ● Tracing ● Traffic management ● Policy enforcement ● Security ● Resilience and efficiency. A service mesh (an application network for services) can provide all of the above.
  6. Kubernetes. Kubernetes provides an infrastructure management service. [Architecture diagram: a devops user drives the API server with kubectl, ajax, etc.; the control plane holds etcd, the scheduler and the controller manager; each node runs a kubelet and a service proxy.]
  7. Istio Architecture. [Diagram: Service A and Service B each run in a pod behind an Envoy sidecar; the sidecars carry HTTP, gRPC or TCP traffic with or without TLS. Control plane: Pilot pushes config data to the Envoys, Istio-Auth issues TLS certs to the Envoys, and Mixer receives policy checks and telemetry from them; the control plane is driven through a REST API.]
  8. Istio. Istio is a service mesh (microservices platform) providing: ● Observability ● Monitoring ● Metrics ● Tracing ● Traffic management ● Policy ● Security ● Service mesh. Kubernetes “native” via platform adapter plugins; also plugs into Mesos, Cloud Foundry, ...
  9. Istio - Pilot. Control plane for the distributed Envoy instances: configures the Istio deployment and pushes configuration out to the other system components; system of record for service mesh routing and resiliency rules; exposes an API for service discovery, load balancing and routing tables. [Diagram: a platform adapter (Kubernetes, Cloud Foundry, Mesos, ...) feeds Pilot's abstract model; Pilot exposes a Rules API upward and the Envoy API downward to the Envoys.]
  10. Envoy Proxy. Out-of-process load balancer: high-performance server with a small memory footprint. HTTP/2 and gRPC support: transparent HTTP/1.1 to HTTP/2 proxy. APIs for config management: configuration via API alone. Advanced load balancing: retries, circuit breaking, health checks, rate limits. Observability: L7 visibility, distributed flow tracing. In Istio: the Envoy container is injected with istioctl kube-inject or a Kubernetes initializer; it controls pod ingress/egress routing; its config comes via API from Pilot. [Diagram: example application with an Envoy sidecar per service and an ingress Envoy.]
  11. Istio - Mixer. Attribute processor that controls the runtime behavior of mesh-attached services. Envoy generates attributes; Mixer then generates calls to backend infrastructure through adapters. Handlers provide integration for third-party tools (Prometheus, Grafana, custom tools, ...). All of these “Istio” pieces are expressed as Kubernetes custom resources (CRDs). [Diagram: a service with its Envoy sidecar reports to Mixer, which fans out to the infrastructure backends.]
  12. Mutual TLS. Available by default, but not required. When enabled, it provides automatic service-to-service encryption and authentication. Istio has a built-in CA that watches for Kubernetes service accounts and creates a certificate/key pair for each one as a Kubernetes secret. The secret is automatically mounted when the pod is created. Pilot generates the appropriate Envoy configuration and deploys it. An end-to-end mTLS session is established for each connection.
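Added example, not part of the deck: the slide describes mTLS as available but not required. In the current Istio security API (which postdates this 2017 deck and replaces the mesh-wide auth flag used at the time) the switch is a PeerAuthentication resource, and the identity the certificates carry can then be used for authorization. The namespace `default`, the `app: ratings` label and the `bookinfo-reviews` service account are assumed names for this example.

```yaml
# Mesh-wide default: require mTLS on every sidecar-to-sidecar hop.
# Without this, the default mode is PERMISSIVE, which still accepts
# plaintext from clients that have no sidecar, so "mTLS enabled" does
# not yet mean "plaintext rejected". (Assumption: a PeerAuthentication
# named "default" in the root namespace istio-system applies mesh-wide.)
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Encryption alone says nothing about who may call what. The identity in
# the workload certificate (spiffe://<trust-domain>/ns/<ns>/sa/<sa>) can
# now drive authorization: only the reviews service account may GET from
# ratings. Namespace, label and service-account names are assumptions.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ratings-from-reviews-only
  namespace: default
spec:
  selector:
    matchLabels:
      app: ratings
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-reviews"]
    to:
    - operation:
        methods: ["GET"]
```

Two checks worth doing after applying this: a plain-HTTP request to `ratings` from a pod without a sidecar should now be refused by the receiving Envoy, and a request from any service account other than `bookinfo-reviews` should get a 403 from it, because once a workload has an ALLOW policy anything the rules do not match is denied. STRICT also breaks legitimate clients outside the mesh (a scraper or a legacy VM without a sidecar), so roll it out per namespace and watch for connection resets before making it mesh-wide.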
  13. Ingress/Egress. Istio assumes that all traffic entering or exiting the service mesh transits Envoy proxies. By deploying an Envoy proxy in front of services, operators can run A/B tests, deploy canary services, etc. for user-facing services. Routing traffic to external web services (e.g. a video service API) via the sidecar Envoy lets operators add failure-recovery features (timeouts, retries, circuit breakers, etc.) and obtain detailed metrics on the connections to those services. [Diagram: an ingress Envoy (the ingress controller in Kubernetes) in front of Service A and Service B, each in a pod with its own Envoy sidecar.]
  14. Request Routing - Service Versions. [Diagram: Service A's pod (svcA with Envoy) calls Service B, which runs as two pods, svcB.0 (version v1.0, production) and svcB.1 (version v1.1.alpha, staging), each with its own Envoy; Pilot's Rules API determines which version a request is routed to.]
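Added example, not from the deck: the version routing the slide diagrams, expressed in the current Istio networking API (the deck predates these resources and used Pilot's older route rules). It assumes a service named `reviews` whose pods are labelled `version=v1` (production) and `version=v2` (staging), and an `end-user` request header that the ingress sets for internal testers; both are assumptions for this example.

```yaml
# Subsets map the version labels on the pods to names the routing rules use.
# (Assumption: service "reviews" with pods labelled version=v1 / version=v2.)
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
# Pilot pushes these rules to the Envoy in the caller's pod (svcA on the
# slide), which picks a subset per request; neither service changes.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  # Rule order matters: the first matching rule wins. Internal testers,
  # identified by the assumed "end-user" header, always get staging.
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v2
  # Everyone else: a 90/10 canary split between production and staging.
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v2
      weight: 10
```

The header match is the part to treat with care: the sidecar trusts whatever value arrives, so unless the ingress Envoy strips or sets `end-user` itself, any client can opt into the staging version by sending the header. Match on something the mesh controls (the caller's mTLS identity, or a header the gateway overwrites) when the staging version must stay internal.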
  15. Service Observability/Visibility. Monitoring and tracing should not be an afterthought. Ideally a monitoring/tracing system should provide: ● Metrics without instrumenting apps ● Consistent metrics across the fleet ● Tracing of request flow across services ● Portability across metric backend providers. Istio adapters seamlessly integrate a number of tools: Prometheus gathers metrics from Istio Mixer; Grafana produces dashboards from Prometheus metrics; Service Graph generates visualizations of the dependencies between services; Zipkin provides distributed tracing.
  16. Application/Service Resilience with Istio. As the number of microservices increases, failure is expected (inevitable?). Fault tolerance in applications is (or should be) a requirement. Istio provides fault tolerance and resilience with no impact on application code, through multiple built-in features: timeouts; retries with a timeout budget; circuit breakers; health checks; AZ-aware load balancing with automatic failover; control of connection pool size and request load; systematic fault injection.
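Added example, not from the deck: the resilience features the slide lists (timeouts, retries with a timeout budget, circuit breakers, connection pool limits, fault injection), expressed in the current Istio networking API, which postdates this 2017 deck. The `ratings` service name is taken from the example application later in the deck; the numbers are assumptions chosen to show how the knobs relate.

```yaml
# Client-side resilience for calls to "ratings", enforced by the caller's
# Envoy sidecar with no application change.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ratings
spec:
  hosts:
  - ratings
  http:
  - fault:
      # Systematic fault injection: delay 10% of requests by 5s and abort 5%
      # with a 503, to prove the callers' timeouts and retries really work.
      # Remove this stanza outside of a test environment.
      delay:
        percentage:
          value: 10
        fixedDelay: 5s
      abort:
        percentage:
          value: 5
        httpStatus: 503
    route:
    - destination:
        host: ratings
    # Timeout budget: attempts * perTryTimeout stays inside the overall
    # timeout, so a slow upstream cannot hold the caller open indefinitely.
    timeout: 3s
    retries:
      attempts: 2
      perTryTimeout: 1s
      retryOn: 5xx,connect-failure,reset
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: ratings
spec:
  host: ratings
  trafficPolicy:
    # Connection pool limits bound the load one caller can put on ratings;
    # requests beyond the pending limit fail fast instead of queueing.
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 10
        maxRequestsPerConnection: 10
    # Circuit breaker (outlier detection): eject an endpoint for 30s after
    # 5 consecutive 5xx responses, evaluated every 10s, but never eject
    # more than half of the endpoints at once.
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
```

Retries are applied by the sidecar regardless of HTTP method, so with `retryOn: 5xx` a POST that timed out after the server had already acted gets replayed; keep retries to routes that are idempotent, or split the VirtualService so that writes get `attempts: 0`. The fault-injection numbers are the other thing to check before applying: a 5s delay is longer than the 3s timeout, which is deliberate here (it exercises the timeout path) but would be a production outage if the stanza were left in.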
  17. Istio Lab: Istio on Kubernetes
  18. Example Microservice Application with Istio. [Diagram: requests arrive through an ingress Envoy at Product Page, which is backed by the Details, Reviews (v1, v2, v3) and Ratings services; every service pod carries an Envoy sidecar.] Running an application with Istio requires no changes to the app itself. We simply need to configure and run the services in an Istio-enabled environment, with Envoy sidecars injected alongside each service.
  19. Get Started - Deploy Kubernetes. Easiest approach: launch in the cloud (GKE, Azure, or AWS with kops). Or launch on your own hardware: Vagrant/Ansible (kubespray), kubeadm/minikube.