SlideShare a Scribd company logo
1 of 30
Download to read offline
qaware.de
Service Mesh: Pain & Gain
Experiences from a client project
Markus Zimmermann
markus.zimmermann@qaware.de
@markus_zm
What to expect from this talk?
1. Short story on how we integrated a service mesh in a client project
a. Why and how did we integrate the service mesh?
b. Which problems did we have?
c. What did we learn?
2. Recommendations for your projects
a. When to use a service mesh?
b. Which service mesh?
c. Which alternatives to a service mesh do I have?
3. Future of the service mesh
History of the integration
The time without a service mesh
QAware | 4
New requirements disrupt the paradise
QAware | 5
Canary
Deployment Secure
communication
via mTLS
How does a service mesh help here?
QAware | 6
How does it help with Canary Deployments?
QAware | 7
Example with Linkerd + Flagger
How does it help with mTLS?
QAware | 8
Example with Istio
How does it help with Network Observability?
QAware | 9
Example with Istio
Comparison with the help of an Architecture Decision Record
QAware | 10
Linkerd
Istio
How do I securely integrate it?
QAware | 11
1. Test in Staging first
2.Make your Ingress Controller / API Gateway ready
3. Make it Production Ready using HA Mode and
adapting Resource Usage
4. Roll it out via blue/green cluster deployment
Party now?
QAware | 12
New Problems arise…
QAware | 13
Our E2E Test broke sporadically
IOException while doing request to <url>
javax.net.ssl.SSLException: Couldn't
kickstart handshaking
Lengthy network debugging with
Wireshark without result
Solution -> disable HTTP/2 upgrade
More problems…
QAware | 14
■ Setting the right memory requests to avoid
downtimes
■ Some features like tap did not work for a long
time
■ New versions come with breaking changes
■ Problems with CNI -> forced to change to
insecure proxy init
Lessons Learned
QAware | 15
■ Long test phase important and doing a safe roll
out
■ Use Production Runbook from Linkerd
https://buoyant.io/runbook/linkerd-runbook
■ Plan for problems with enough time buffer
■ LINUX network understanding needed!
Despite problems the advantages outweigh
Recommendations for your projects
Should I use a service mesh?
QAware | 17
■ Layer 7 Traffic Management
– Examples Circuit Breaking, Canary Releases, Retries,
Failovers
■ mTLS transparent for application
■ Zero-Trust Networking
– L7 Policies with Access Control, Rate Limiting
■ Netzwerk and Service Observability
Which Service Mesh?
QAware | 18
Service Mesh Comparison - servicemesh.es
For me it’s either one of these two:
QAware | 19
Istio
But which one now?
QAware | 20
■ Both are used in production by many companies
■ Linkerd is simpler but has less features in terms of traffic
management and zero trust networking
■ Similar in terms of network/service observability
If you need the extra features use Istio!
But it does not need to be a service mesh -
Network Security
QAware | 21
■ Network Layer encryption in Network Plugin z.B. Weave
Net
■ Bring your own certificates using Cert Manager
■ eBPF-based network plugin + Service Mesh = Cilium Mesh
What is this magic eBPF?
QAware | 22
https://ebpf.io/what-is-ebpf/
But it does not need to be a service mesh -
Observability
QAware | 23
■ eBPF based observability
– Cilium
• Network Observability with Hubble
– Security Observability with Cilium Tetragon, Aqua Tracee,
Falco
– Continuous Tracing/Profiling
• Pixie
• Parca
• Pyroscope (now Grafana)
■ Auto-instrumentation with Open Telemetry operator
■ Tracing as Shared library in all applications
Future of the service mesh
Istio as Sidecar Service Mesh
QAware | 25
https://istio.io/latest/blog/2022/introducing-ambient-mesh/
Sidecar Service Mesh
Istio Ambient Mesh: Node-proxy Service Mesh
QAware | 26
Node-proxy Service Mesh
https://istio.io/latest/blog/2022/introducing-ambient-mesh/
Sidecar Service Mesh vs Node-proxy Service Mesh
QAware | 27
Sidecar Service Mesh Node-proxy Service Mesh
Configuration Distributed Centralized
Advantages ● Clear security boundary
● Mirrors consumption of App
● Ease of maintenance
● More efficient with resource-
hungry proxy
● No integration in every Pod
needed, less resource usage
overall
Disavantages ● Resource Overhead
● Netzwerk Overhead due to
additional hops
● Overhead on the node
● Lack of resource optimization
granularity
● Security - Confused deputy
Problem on host level
● Failure domain - single point of
failure
Service Mesh Overview
QAware | 28
■ Node-proxy Service Mesh
– Cilium Service Mesh - eBPF-based
– Ambient Mesh in Istio - eBPF possible
■ Sidecar Service Mesh (most popular)
– Linkerd
– Istio
Trend towards Managed Service Mesh
QAware | 29
■ GKE → Anthos Service Mesh (Istio-based)
■ AKS → Istio & Open Service Mesh
■ EKS → App Mesh (Envoy-based Amazon developed mesh)
qaware.de
QAware GmbH Mainz
Rheinstraße 4 C
55116 Mainz
Tel. +49 6131 21569-0
info@qaware.de
twitter.com/qaware
linkedin.com/company/qaware-gmbh
xing.com/companies/qawaregmbh
slideshare.net/qaware
github.com/qaware
Q&A

More Related Content

Similar to Service Mesh Pain & Gain. Experiences from a client project.

PLNOG15: NFV: Lessons learned from production deployments and current observa...
PLNOG15: NFV: Lessons learned from production deployments and current observa...PLNOG15: NFV: Lessons learned from production deployments and current observa...
PLNOG15: NFV: Lessons learned from production deployments and current observa...PROIDEA
 
Cloudify 4.6 highlights webinar
Cloudify 4.6 highlights webinarCloudify 4.6 highlights webinar
Cloudify 4.6 highlights webinarCloudify Community
 
APIdays Paris 2019 - Cloud native API Management for Microservices on a Servi...
APIdays Paris 2019 - Cloud native API Management for Microservices on a Servi...APIdays Paris 2019 - Cloud native API Management for Microservices on a Servi...
APIdays Paris 2019 - Cloud native API Management for Microservices on a Servi...apidays
 
Cloud Native DevOps
Cloud Native DevOpsCloud Native DevOps
Cloud Native DevOpsJim Bugwadia
 
The Future of Service Mesh
The Future of Service MeshThe Future of Service Mesh
The Future of Service MeshAll Things Open
 
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...WSO2
 
Micro Front-End & Microservices - Plansoft
Micro Front-End & Microservices - PlansoftMicro Front-End & Microservices - Plansoft
Micro Front-End & Microservices - PlansoftMiki Lombardi
 
MuleSoft Surat Meetup#43 - Combine Service Mesh With Anypoint API Management ...
MuleSoft Surat Meetup#43 - Combine Service Mesh With Anypoint API Management ...MuleSoft Surat Meetup#43 - Combine Service Mesh With Anypoint API Management ...
MuleSoft Surat Meetup#43 - Combine Service Mesh With Anypoint API Management ...Jitendra Bafna
 
Openshift serverless Solution
Openshift serverless SolutionOpenshift serverless Solution
Openshift serverless SolutionRyan ZhangCheng
 
VMworld 2013: Cloud Service Automation with NSX and vCloud Automation Center
VMworld 2013: Cloud Service Automation with NSX and vCloud Automation Center VMworld 2013: Cloud Service Automation with NSX and vCloud Automation Center
VMworld 2013: Cloud Service Automation with NSX and vCloud Automation Center VMworld
 
The Future of Serverless
The Future of ServerlessThe Future of Serverless
The Future of ServerlessWSO2
 
VMworld 2013: Network Function Virtualization in the Cloud: Case for Enterpri...
VMworld 2013: Network Function Virtualization in the Cloud: Case for Enterpri...VMworld 2013: Network Function Virtualization in the Cloud: Case for Enterpri...
VMworld 2013: Network Function Virtualization in the Cloud: Case for Enterpri...VMworld
 
Citrix Synergy 2014 - Syn231 Why cloud projects fail
Citrix Synergy 2014 - Syn231 Why cloud projects failCitrix Synergy 2014 - Syn231 Why cloud projects fail
Citrix Synergy 2014 - Syn231 Why cloud projects failCitrix
 
Cloud Networking Presentation - WAN Summit - Ciaran Roche
Cloud Networking Presentation - WAN Summit - Ciaran RocheCloud Networking Presentation - WAN Summit - Ciaran Roche
Cloud Networking Presentation - WAN Summit - Ciaran RocheCiaran Roche
 
Radware bringing mission and performance critical applications to cloud sta...
Radware   bringing mission and performance critical applications to cloud sta...Radware   bringing mission and performance critical applications to cloud sta...
Radware bringing mission and performance critical applications to cloud sta...ShapeBlue
 
Modernizing Applications by Replacing F5 with the NGINX Application Delivery ...
Modernizing Applications by Replacing F5 with the NGINX Application Delivery ...Modernizing Applications by Replacing F5 with the NGINX Application Delivery ...
Modernizing Applications by Replacing F5 with the NGINX Application Delivery ...NGINX, Inc.
 
Extending The Power Of Anypoint Platform Using Anypoint Service Mesh
Extending The Power Of Anypoint Platform Using Anypoint Service MeshExtending The Power Of Anypoint Platform Using Anypoint Service Mesh
Extending The Power Of Anypoint Platform Using Anypoint Service MeshAaronLieberman5
 

Similar to Service Mesh Pain & Gain. Experiences from a client project. (20)

PLNOG15: NFV: Lessons learned from production deployments and current observa...
PLNOG15: NFV: Lessons learned from production deployments and current observa...PLNOG15: NFV: Lessons learned from production deployments and current observa...
PLNOG15: NFV: Lessons learned from production deployments and current observa...
 
Wavefront-by-VMware-April-2019
Wavefront-by-VMware-April-2019Wavefront-by-VMware-April-2019
Wavefront-by-VMware-April-2019
 
Cloudify 4.6 highlights webinar
Cloudify 4.6 highlights webinarCloudify 4.6 highlights webinar
Cloudify 4.6 highlights webinar
 
APIdays Paris 2019 - Cloud native API Management for Microservices on a Servi...
APIdays Paris 2019 - Cloud native API Management for Microservices on a Servi...APIdays Paris 2019 - Cloud native API Management for Microservices on a Servi...
APIdays Paris 2019 - Cloud native API Management for Microservices on a Servi...
 
Cloud Native DevOps
Cloud Native DevOpsCloud Native DevOps
Cloud Native DevOps
 
The Future of Service Mesh
The Future of Service MeshThe Future of Service Mesh
The Future of Service Mesh
 
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...
 
Micro Front-End & Microservices - Plansoft
Micro Front-End & Microservices - PlansoftMicro Front-End & Microservices - Plansoft
Micro Front-End & Microservices - Plansoft
 
MuleSoft Surat Meetup#43 - Combine Service Mesh With Anypoint API Management ...
MuleSoft Surat Meetup#43 - Combine Service Mesh With Anypoint API Management ...MuleSoft Surat Meetup#43 - Combine Service Mesh With Anypoint API Management ...
MuleSoft Surat Meetup#43 - Combine Service Mesh With Anypoint API Management ...
 
Openshift serverless Solution
Openshift serverless SolutionOpenshift serverless Solution
Openshift serverless Solution
 
Wavefront presentation-May-2019
Wavefront presentation-May-2019Wavefront presentation-May-2019
Wavefront presentation-May-2019
 
VMworld 2013: Cloud Service Automation with NSX and vCloud Automation Center
VMworld 2013: Cloud Service Automation with NSX and vCloud Automation Center VMworld 2013: Cloud Service Automation with NSX and vCloud Automation Center
VMworld 2013: Cloud Service Automation with NSX and vCloud Automation Center
 
The Future of Serverless
The Future of ServerlessThe Future of Serverless
The Future of Serverless
 
VMworld 2013: Network Function Virtualization in the Cloud: Case for Enterpri...
VMworld 2013: Network Function Virtualization in the Cloud: Case for Enterpri...VMworld 2013: Network Function Virtualization in the Cloud: Case for Enterpri...
VMworld 2013: Network Function Virtualization in the Cloud: Case for Enterpri...
 
Citrix Synergy 2014 - Syn231 Why cloud projects fail
Citrix Synergy 2014 - Syn231 Why cloud projects failCitrix Synergy 2014 - Syn231 Why cloud projects fail
Citrix Synergy 2014 - Syn231 Why cloud projects fail
 
Cloud Networking Presentation - WAN Summit - Ciaran Roche
Cloud Networking Presentation - WAN Summit - Ciaran RocheCloud Networking Presentation - WAN Summit - Ciaran Roche
Cloud Networking Presentation - WAN Summit - Ciaran Roche
 
Radware bringing mission and performance critical applications to cloud sta...
Radware   bringing mission and performance critical applications to cloud sta...Radware   bringing mission and performance critical applications to cloud sta...
Radware bringing mission and performance critical applications to cloud sta...
 
TFI2014 Session I - State of SDN - Scott Sneddon
TFI2014 Session I - State of SDN - Scott SneddonTFI2014 Session I - State of SDN - Scott Sneddon
TFI2014 Session I - State of SDN - Scott Sneddon
 
Modernizing Applications by Replacing F5 with the NGINX Application Delivery ...
Modernizing Applications by Replacing F5 with the NGINX Application Delivery ...Modernizing Applications by Replacing F5 with the NGINX Application Delivery ...
Modernizing Applications by Replacing F5 with the NGINX Application Delivery ...
 
Extending The Power Of Anypoint Platform Using Anypoint Service Mesh
Extending The Power Of Anypoint Platform Using Anypoint Service MeshExtending The Power Of Anypoint Platform Using Anypoint Service Mesh
Extending The Power Of Anypoint Platform Using Anypoint Service Mesh
 

More from QAware GmbH

50 Shades of K8s Autoscaling #JavaLand24.pdf
50 Shades of K8s Autoscaling #JavaLand24.pdf50 Shades of K8s Autoscaling #JavaLand24.pdf
50 Shades of K8s Autoscaling #JavaLand24.pdfQAware GmbH
 
Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...
Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...
Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...QAware GmbH
 
Fully-managed Cloud-native Databases: The path to indefinite scale @ CNN Mainz
Fully-managed Cloud-native Databases: The path to indefinite scale @ CNN MainzFully-managed Cloud-native Databases: The path to indefinite scale @ CNN Mainz
Fully-managed Cloud-native Databases: The path to indefinite scale @ CNN MainzQAware GmbH
 
Down the Ivory Tower towards Agile Architecture
Down the Ivory Tower towards Agile ArchitectureDown the Ivory Tower towards Agile Architecture
Down the Ivory Tower towards Agile ArchitectureQAware GmbH
 
"Mixed" Scrum-Teams – Die richtige Mischung macht's!
"Mixed" Scrum-Teams – Die richtige Mischung macht's!"Mixed" Scrum-Teams – Die richtige Mischung macht's!
"Mixed" Scrum-Teams – Die richtige Mischung macht's!QAware GmbH
 
Make Developers Fly: Principles for Platform Engineering
Make Developers Fly: Principles for Platform EngineeringMake Developers Fly: Principles for Platform Engineering
Make Developers Fly: Principles for Platform EngineeringQAware GmbH
 
Der Tod der Testpyramide? – Frontend-Testing mit Playwright
Der Tod der Testpyramide? – Frontend-Testing mit PlaywrightDer Tod der Testpyramide? – Frontend-Testing mit Playwright
Der Tod der Testpyramide? – Frontend-Testing mit PlaywrightQAware GmbH
 
Was kommt nach den SPAs
Was kommt nach den SPAsWas kommt nach den SPAs
Was kommt nach den SPAsQAware GmbH
 
Cloud Migration mit KI: der Turbo
Cloud Migration mit KI: der Turbo Cloud Migration mit KI: der Turbo
Cloud Migration mit KI: der Turbo QAware GmbH
 
Migration von stark regulierten Anwendungen in die Cloud: Dem Teufel die See...
 Migration von stark regulierten Anwendungen in die Cloud: Dem Teufel die See... Migration von stark regulierten Anwendungen in die Cloud: Dem Teufel die See...
Migration von stark regulierten Anwendungen in die Cloud: Dem Teufel die See...QAware GmbH
 
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster QAware GmbH
 
Endlich gute API Tests. Boldly Testing APIs Where No One Has Tested Before.
Endlich gute API Tests. Boldly Testing APIs Where No One Has Tested Before.Endlich gute API Tests. Boldly Testing APIs Where No One Has Tested Before.
Endlich gute API Tests. Boldly Testing APIs Where No One Has Tested Before.QAware GmbH
 
Kubernetes with Cilium in AWS - Experience Report!
Kubernetes with Cilium in AWS - Experience Report!Kubernetes with Cilium in AWS - Experience Report!
Kubernetes with Cilium in AWS - Experience Report!QAware GmbH
 
50 Shades of K8s Autoscaling
50 Shades of K8s Autoscaling50 Shades of K8s Autoscaling
50 Shades of K8s AutoscalingQAware GmbH
 
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAPKontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAPQAware GmbH
 
50 Shades of K8s Autoscaling
50 Shades of K8s Autoscaling50 Shades of K8s Autoscaling
50 Shades of K8s AutoscalingQAware GmbH
 
Blue turns green! Approaches and technologies for sustainable K8s clusters.
Blue turns green! Approaches and technologies for sustainable K8s clusters.Blue turns green! Approaches and technologies for sustainable K8s clusters.
Blue turns green! Approaches and technologies for sustainable K8s clusters.QAware GmbH
 
Per Anhalter zu Cloud Nativen API Gateways
Per Anhalter zu Cloud Nativen API GatewaysPer Anhalter zu Cloud Nativen API Gateways
Per Anhalter zu Cloud Nativen API GatewaysQAware GmbH
 
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster QAware GmbH
 
How to speed up Spring Integration Tests
How to speed up Spring Integration TestsHow to speed up Spring Integration Tests
How to speed up Spring Integration TestsQAware GmbH
 

More from QAware GmbH (20)

50 Shades of K8s Autoscaling #JavaLand24.pdf
50 Shades of K8s Autoscaling #JavaLand24.pdf50 Shades of K8s Autoscaling #JavaLand24.pdf
50 Shades of K8s Autoscaling #JavaLand24.pdf
 
Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...
Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...
Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...
 
Fully-managed Cloud-native Databases: The path to indefinite scale @ CNN Mainz
Fully-managed Cloud-native Databases: The path to indefinite scale @ CNN MainzFully-managed Cloud-native Databases: The path to indefinite scale @ CNN Mainz
Fully-managed Cloud-native Databases: The path to indefinite scale @ CNN Mainz
 
Down the Ivory Tower towards Agile Architecture
Down the Ivory Tower towards Agile ArchitectureDown the Ivory Tower towards Agile Architecture
Down the Ivory Tower towards Agile Architecture
 
"Mixed" Scrum-Teams – Die richtige Mischung macht's!
"Mixed" Scrum-Teams – Die richtige Mischung macht's!"Mixed" Scrum-Teams – Die richtige Mischung macht's!
"Mixed" Scrum-Teams – Die richtige Mischung macht's!
 
Make Developers Fly: Principles for Platform Engineering
Make Developers Fly: Principles for Platform EngineeringMake Developers Fly: Principles for Platform Engineering
Make Developers Fly: Principles for Platform Engineering
 
Der Tod der Testpyramide? – Frontend-Testing mit Playwright
Der Tod der Testpyramide? – Frontend-Testing mit PlaywrightDer Tod der Testpyramide? – Frontend-Testing mit Playwright
Der Tod der Testpyramide? – Frontend-Testing mit Playwright
 
Was kommt nach den SPAs
Was kommt nach den SPAsWas kommt nach den SPAs
Was kommt nach den SPAs
 
Cloud Migration mit KI: der Turbo
Cloud Migration mit KI: der Turbo Cloud Migration mit KI: der Turbo
Cloud Migration mit KI: der Turbo
 
Migration von stark regulierten Anwendungen in die Cloud: Dem Teufel die See...
 Migration von stark regulierten Anwendungen in die Cloud: Dem Teufel die See... Migration von stark regulierten Anwendungen in die Cloud: Dem Teufel die See...
Migration von stark regulierten Anwendungen in die Cloud: Dem Teufel die See...
 
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
 
Endlich gute API Tests. Boldly Testing APIs Where No One Has Tested Before.
Endlich gute API Tests. Boldly Testing APIs Where No One Has Tested Before.Endlich gute API Tests. Boldly Testing APIs Where No One Has Tested Before.
Endlich gute API Tests. Boldly Testing APIs Where No One Has Tested Before.
 
Kubernetes with Cilium in AWS - Experience Report!
Kubernetes with Cilium in AWS - Experience Report!Kubernetes with Cilium in AWS - Experience Report!
Kubernetes with Cilium in AWS - Experience Report!
 
50 Shades of K8s Autoscaling
50 Shades of K8s Autoscaling50 Shades of K8s Autoscaling
50 Shades of K8s Autoscaling
 
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAPKontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
 
50 Shades of K8s Autoscaling
50 Shades of K8s Autoscaling50 Shades of K8s Autoscaling
50 Shades of K8s Autoscaling
 
Blue turns green! Approaches and technologies for sustainable K8s clusters.
Blue turns green! Approaches and technologies for sustainable K8s clusters.Blue turns green! Approaches and technologies for sustainable K8s clusters.
Blue turns green! Approaches and technologies for sustainable K8s clusters.
 
Per Anhalter zu Cloud Nativen API Gateways
Per Anhalter zu Cloud Nativen API GatewaysPer Anhalter zu Cloud Nativen API Gateways
Per Anhalter zu Cloud Nativen API Gateways
 
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
 
How to speed up Spring Integration Tests
How to speed up Spring Integration TestsHow to speed up Spring Integration Tests
How to speed up Spring Integration Tests
 

Recently uploaded

Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanNeo4j
 
Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...
Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...
Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...CloudMetic
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Andreas Granig
 
Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfSrushith Repakula
 
Sourcing Success - How to Find a Clothing Manufacturer
Sourcing Success - How to Find a Clothing ManufacturerSourcing Success - How to Find a Clothing Manufacturer
Sourcing Success - How to Find a Clothing ManufacturerWave PLM
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletAndrea Goulet
 
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...naitiksharma1124
 
Reinforcement Learning – a Rewards Based Approach to Machine Learning - Marko...
Reinforcement Learning – a Rewards Based Approach to Machine Learning - Marko...Reinforcement Learning – a Rewards Based Approach to Machine Learning - Marko...
Reinforcement Learning – a Rewards Based Approach to Machine Learning - Marko...Marko Lohert
 
The Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationThe Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationElement34
 
Workforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdfWorkforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdfDeskTrack
 
What need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java DevelopersWhat need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java DevelopersEmilyJiang23
 
SQL Injection Introduction and Prevention
SQL Injection Introduction and PreventionSQL Injection Introduction and Prevention
SQL Injection Introduction and PreventionMohammed Fazuluddin
 
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024MulesoftMunichMeetup
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationHelp Desk Migration
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAShane Coughlan
 
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfMicrosoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfQ-Advise
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Andrea Goulet
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMarkus Moeller
 

Recently uploaded (20)

Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
 
Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...
Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...
Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
 
Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdf
 
Sourcing Success - How to Find a Clothing Manufacturer
Sourcing Success - How to Find a Clothing ManufacturerSourcing Success - How to Find a Clothing Manufacturer
Sourcing Success - How to Find a Clothing Manufacturer
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea Goulet
 
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
 
Reinforcement Learning – a Rewards Based Approach to Machine Learning - Marko...
Reinforcement Learning – a Rewards Based Approach to Machine Learning - Marko...Reinforcement Learning – a Rewards Based Approach to Machine Learning - Marko...
Reinforcement Learning – a Rewards Based Approach to Machine Learning - Marko...
 
The Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationThe Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test Automation
 
Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024
 
Workforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdfWorkforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdf
 
What need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java DevelopersWhat need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java Developers
 
SQL Injection Introduction and Prevention
SQL Injection Introduction and PreventionSQL Injection Introduction and Prevention
SQL Injection Introduction and Prevention
 
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
 
5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data Migration
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
 
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfMicrosoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdf
 

Service Mesh Pain & Gain. Experiences from a client project.

  • 1. qaware.de Service Mesh: Pain & Gain Experiences from a client project Markus Zimmermann markus.zimmermann@qaware.de @markus_zm
  • 2. What to expect from this talk? 1. Short story on how we integrated a service mesh in a client project a. Why and how did we integrate the service mesh? b. Which problems did we have? c. What did we learn? 2. Recommendations for your projects a. When to use a service mesh? b. Which service mesh? c. Which alternatives to a service mesh do I have? 3. Future of the service mesh
  • 3. History of the integration
  • 4. The time without a service mesh QAware | 4
  • 5. New requirements disrupt the paradise QAware | 5 Canary Deployment Secure communication via mTLS
  • 6. How does a service mesh help here? QAware | 6
  • 7. How does it help with Canary Deployments? QAware | 7 Example with Linkerd + Flagger
  • 8. How does it help with mTLS? QAware | 8 Example with Istio
  • 9. How does it help with Network Observability? QAware | 9 Example with Istio
  • 10. Comparison with the help of an Architecture Decision Record QAware | 10 Linkerd Istio
  • 11. How do I securely integrate it? QAware | 11 1. Test in Staging first 2.Make your Ingress Controller / API Gateway ready 3. Make it Production Ready using HA Mode and adapting Resource Usage 4. Roll it out via blue/green cluster deployment
  • 13. New Problems arise… QAware | 13 Our E2E Test broke sporadically IOException while doing request to <url> javax.net.ssl.SSLException: Couldn't kickstart handshaking Lengthy network debugging with Wireshark without result Solution -> disable HTTP/2 upgrade
  • 14. More problems… QAware | 14 ■ Setting the right memory requests to avoid downtimes ■ Some features like tap did not work for a long time ■ New versions come with breaking changes ■ Problems with CNI -> forced to change to insecure proxy init
  • 15. Lessons Learned QAware | 15 ■ Long test phase important and doing a safe roll out ■ Use Production Runbook from Linkerd https://buoyant.io/runbook/linkerd-runbook ■ Plan for problems with enough time buffer ■ LINUX network understanding needed! Despite problems the advantages outweigh
  • 17. Should I use a service mesh? QAware | 17 ■ Layer 7 Traffic Management – Examples Circuit Breaking, Canary Releases, Retries, Failovers ■ mTLS transparent for application ■ Zero-Trust Networking – L7 Policies with Access Control, Rate Limiting ■ Netzwerk and Service Observability
  • 18. Which Service Mesh? QAware | 18 Service Mesh Comparison - servicemesh.es
  • 19. For me it’s either one of these two: QAware | 19 Istio
  • 20. But which one now? QAware | 20 ■ Both are used in production by many companies ■ Linkerd is simpler but has less features in terms of traffic management and zero trust networking ■ Similar in terms of network/service observability If you need the extra features use Istio!
  • 21. But it does not need to be a service mesh - Network Security QAware | 21 ■ Network Layer encryption in Network Plugin z.B. Weave Net ■ Bring your own certificates using Cert Manager ■ eBPF-based network plugin + Service Mesh = Cilium Mesh
  • 22. What is this magic eBPF? QAware | 22 https://ebpf.io/what-is-ebpf/
  • 23. But it does not need to be a service mesh - Observability QAware | 23 ■ eBPF based observability – Cilium • Network Observability with Hubble – Security Observability with Cilium Tetragon, Aqua Tracee, Falco – Continuous Tracing/Profiling • Pixie • Parca • Pyroscope (now Grafana) ■ Auto-instrumentation with Open Telemetry operator ■ Tracing as Shared library in all applications
  • 24. Future of the service mesh
  • 25. Istio as Sidecar Service Mesh QAware | 25 https://istio.io/latest/blog/2022/introducing-ambient-mesh/ Sidecar Service Mesh
  • 26. Istio Ambient Mesh: Node-proxy Service Mesh QAware | 26 Node-proxy Service Mesh https://istio.io/latest/blog/2022/introducing-ambient-mesh/
  • 27. Sidecar Service Mesh vs Node-proxy Service Mesh QAware | 27 Sidecar Service Mesh Node-proxy Service Mesh Configuration Distributed Centralized Advantages ● Clear security boundary ● Mirrors consumption of App ● Ease of maintenance ● More efficient with resource- hungry proxy ● No integration in every Pod needed, less resource usage overall Disavantages ● Resource Overhead ● Netzwerk Overhead due to additional hops ● Overhead on the node ● Lack of resource optimization granularity ● Security - Confused deputy Problem on host level ● Failure domain - single point of failure
  • 28. Service Mesh Overview QAware | 28 ■ Node-proxy Service Mesh – Cilium Service Mesh - eBPF-based – Ambient Mesh in Istio - eBPF possible ■ Sidecar Service Mesh (most popular) – Linkerd – Istio
  • 29. Trend towards Managed Service Mesh QAware | 29 ■ GKE → Anthos Service Mesh (Istio-based) ■ AKS → Istio & Open Service Mesh ■ EKS → App Mesh (Envoy-based Amazon developed mesh)
  • 30. qaware.de QAware GmbH Mainz Rheinstraße 4 C 55116 Mainz Tel. +49 6131 21569-0 info@qaware.de twitter.com/qaware linkedin.com/company/qaware-gmbh xing.com/companies/qawaregmbh slideshare.net/qaware github.com/qaware Q&A