This session looks at the Any App, Every Cloud, One Platform strategy that Pivotal is pursuing and at how that strategy helps build cloud-native IT environments such as microservices. In particular, it looks at how open-source projects such as Kubernetes, Istio and Envoy can be used, absorbed into the platform and operated there.
4. Any App, Every Cloud, One Platform: Pivotal Platforms
Run modern apps: run containerized workloads, run scale-to-0 functions, ecosystem of Pivotal and partner services
Multi-cloud: VMware, OpenStack, AWS, Google Cloud, Azure
Platform security: innovative engineering of extensive automation and a go-fast-to-stay-safe approach
Platforms: PAS (Pivotal Application Service), PKS (Pivotal Container Service), PFS (Pivotal Function Service), Pivotal Marketplace
5. Pivotal Platforms, timeline 2012 / 2018 / 2019
[Repeats the slide 4 diagram: multi-cloud targets, platform security, PAS / PKS / PFS / Pivotal Marketplace]
+ 1. PAS on K8S
+ 2. PBS/PSM on K8S (Pivotal Build Service, Pivotal Service Mesh)
13. Common Considerations with this Pattern
For Developers
Load balancing
Traffic management
Circuit breaking
Client-side retries
For Operators
Authorization and authentication
Security (policy)
Mutual TLS
Metrics and observability
Cross-datacenter failover
15. Istio
Platform neutral (Kubernetes, Cloud Foundry, Mesos)
Google, Pivotal, IBM, Lyft
Lightweight sidecar (Envoy)
Expected benefits
Polyglot: services written in any programming language are supported
Network rules and policy are managed by the platform
An abstracted layer from the developer's point of view
Centralized network monitoring
Sidecars are managed by the platform, so a CVE fix is rolled out to every sidecar at once
RBAC-based management of network configuration
17. Service Mesh: Centralized Management of Sidecars
[Diagram: service instances v1 / v2 / v3 each fronted by an Envoy proxy; End User 1 and End User 2 traffic enters through the proxies; all proxies are configured from a single CONTROL PLANE]
18. Envoy is the Proxy, Istio is the Control Plane
Istio control plane: Pilot (Control Plane API, configures Envoys), Mixer (policy checks, telemetry), Citadel (TLS certs to Envoys)
Data plane: an Ingress Envoy behind the infra load balancer receives traffic from the external client; sidecar Envoys sit beside Service A, Service B and Service C
Ingress: external to service, aka North-South
Service to service, aka East-West
Egress: service to external
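The three traffic classes above, written out as Istio configuration. This is an added example against the upstream Istio 1.5+ networking API, not configuration from the deck or from Pivotal's products; the namespace `demo`, the service `svc-a`, the public hostname `svc-a.example.com`, the TLS secret `svc-a-tls` and the external host `api.payments.example.com` are assumed names.

```yaml
# --- North-South: external client -> Ingress Envoy -> Service A ---
# The Gateway binds ports on the ingress Envoy; TLS terminates here.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: svc-a-gateway
  namespace: demo          # assumed namespace
spec:
  selector:
    istio: ingressgateway  # label of the stock Istio ingress deployment
  servers:
  - port: {number: 80, name: http, protocol: HTTP}
    hosts: ["svc-a.example.com"]
    tls:
      httpsRedirect: true  # never serve the app over plaintext
  - port: {number: 443, name: https, protocol: HTTPS}
    hosts: ["svc-a.example.com"]
    tls:
      mode: SIMPLE
      credentialName: svc-a-tls   # assumed secret; must live in istio-system
---
# The VirtualService attached to the Gateway decides which in-mesh service
# the ingress Envoy forwards to. Without it the Gateway accepts nothing.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: svc-a-ingress
  namespace: demo
spec:
  hosts: ["svc-a.example.com"]
  gateways: ["svc-a-gateway"]
  http:
  - route:
    - destination:
        host: svc-a.demo.svc.cluster.local   # assumed service
        port: {number: 8080}
---
# --- Egress: Service -> external dependency ---
# Registering the external host makes it a known destination the mesh
# can route, observe and apply policy to, instead of an opaque passthrough.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: payments-api
  namespace: demo
spec:
  hosts: ["api.payments.example.com"]   # assumed external host
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - {number: 443, name: https, protocol: TLS}
---
# The Sidecar resource restricts what the sidecar Envoys in this namespace
# may reach: same-namespace services, istio-system, and the ServiceEntries
# above. REGISTRY_ONLY turns unknown egress into a connection failure
# rather than a silent passthrough.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: demo
spec:
  egress:
  - hosts:
    - "./*"
    - "istio-system/*"
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
```

East-West (service to service) traffic needs no Gateway: it flows between the sidecar Envoys and is governed by the mTLS, authorization and traffic-management resources on the later roadmap slide.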
21. Now in PAS
[Diagram, before: Client -> Load Balancer -> TCP Router / Gorouter -> PAS container (Sidecar + App)]
[Diagram, after: Client -> Load Balancer -> Istio Ingress, alongside the TCP Router / Gorouter -> PAS containers, each with a Sidecar; traffic split 90% to App v1, 10% to App v2]
22. K8s (PKS)
• No need to configure DNS and a load balancer every time a cluster is created
• Ingress is implemented with Envoy
• Multiple clusters are tied together and North-South traffic is distributed across them
• HTTP routing to each cluster's master node
• TCP routing to reach the Pods located in each cluster
• Usable both on plain K8s and on PKS
[Diagram: one Load Balancer in front of a shared Service Mesh (Mesh Ingress (Envoy), Mesh Control Plane (Istio)); two K8s (PKS) clusters, each with a master API and Worker nodes running Pods; the K8s API client (kubectl) is routed to the API, the workload client to the Pods]
23. Service Mesh: Roadmap
PAS clusters are to be supported as well in the future, so that cross-cluster distribution becomes possible for applications spread across PAS and PKS
[Diagram: the same Load Balancer and Service Mesh (Mesh Ingress (Envoy), Mesh Control Plane (Istio)) now fronting a PAS cluster (Cloud Controller, Diego Cell with Sidecar + App, PAS API client (cf)) alongside a K8s (PKS) cluster (Master, Workers with Apps, K8s API client (kubectl), workload client)]
24. Service Mesh Roadmap (cont.)
Service to Service (Container to Container)
Client-side load balancing, timeouts, and retries
mTLS by default
Traffic management
[Diagram: Client -> Load Balancer -> Istio Ingress / TCP Router / Gorouter -> PAS containers with Sidecars, App v1 and App v2, talking to each other through the Service Mesh]
No Complexity!
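What the items on this slide and on the "Common Considerations" list (slide 13) look like once they are handed to the mesh, as an added example written against the upstream Istio 1.5+ API rather than PAS/PKS tooling (the deck's Mixer-era Istio used the older `authentication.istio.io` resources for the same thing). Namespace `demo`, services `svc-a` and `svc-b`, the `app` / `version` labels, the service account `svc-a` and the 90/10 split from slide 21 are assumed.

```yaml
# --- Operators: mutual TLS ---
# Namespace-wide STRICT: sidecars refuse any plaintext connection, so every
# caller must present a Citadel-issued workload certificate.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: demo          # assumed namespace
spec:
  mtls:
    mode: STRICT
---
# --- Operators: authentication and authorization ---
# The client identity is the SPIFFE ID from its mTLS certificate, so this
# rule cannot be satisfied by spoofing a header or a source IP.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: svc-b-allow-svc-a
  namespace: demo
spec:
  selector:
    matchLabels: {app: svc-b}    # assumed label
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/demo/sa/svc-a"]   # assumed service account
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/*"]
---
# --- Developers: load balancing and circuit breaking ---
# The DestinationRule names the v1/v2 subsets and sets the connection pool
# limits and outlier ejection that replace an in-app circuit breaker.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: svc-b
  namespace: demo
spec:
  host: svc-b.demo.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL          # originate mTLS toward svc-b
    connectionPool:
      tcp: {maxConnections: 100}
      http:
        http1MaxPendingRequests: 50
        maxRequestsPerConnection: 10
    outlierDetection:
      consecutive5xxErrors: 5     # eject an instance after 5 consecutive 5xx
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50      # never eject more than half the pool
  subsets:
  - name: v1
    labels: {version: v1}
  - name: v2
    labels: {version: v2}
---
# --- Developers: timeouts, client-side retries, traffic management ---
# Retries and the 90/10 canary split are done by the caller's sidecar;
# the application code contains none of this.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: svc-b
  namespace: demo
spec:
  hosts: ["svc-b.demo.svc.cluster.local"]
  http:
  - timeout: 3s                   # overall budget for the request
    retries:
      attempts: 3
      perTryTimeout: 1s
      retryOn: 5xx,reset,connect-failure
    route:
    - destination: {host: svc-b.demo.svc.cluster.local, subset: v1}
      weight: 90
    - destination: {host: svc-b.demo.svc.cluster.local, subset: v2}
      weight: 10
```

Two checks before applying this: once any ALLOW policy selects `svc-b`, every request that matches no rule is denied, so the ingress path (Istio Ingress, or the Gorouter on PAS) must be granted explicitly if it calls `svc-b` directly; and the retry policy re-sends POSTs on 5xx, which is only safe when the handler is idempotent, otherwise limit `retryOn` to `connect-failure,reset` or drop POST from the retried routes.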
25. 2. PBS/PSM on PKS
Pivotal Build Service
Pivotal Service Mesh
Pivotal Container Service
28. Cloud Native Buildpacks (CNB) Bring Developer Productivity to K8s
Pluggable, modular tools that translate source code into OCI images.
Portability via the OCI standard
● Greater modularity
● Faster builds
● Run in local dev environments for faster troubleshooting
● Developed in partnership with Heroku
● CNCF project
31. Image layers: App / Node.js App / Node.js / OS Packages
Each layer of the image is produced by a different Dockerfile, owned by different people; the fragments on the slide, with the layer each one builds:

```dockerfile
# Node.js App layer: the team's own code on top of the runtime image
FROM nodejs:latest
COPY myapp .
RUN npm install
…

# Node.js layer: the runtime fetched onto an OS image
FROM ubuntu:trusty
RUN wget http://nodejs.org/...
…

# OS Packages layer: the base OS and libraries such as openssl
FROM scratch
…
RUN apt-get install openssl
```

Note what this chain does not control: the `latest` tag floats, the runtime is fetched over plaintext HTTP with no checksum, and a fix in the bottom layer (an openssl update, say) only reaches the app once every image above it is rebuilt by hand.