![[WSO2Con Asia 2018] Architecting for Container-native Environments](https://cdn.slidesharecdn.com/ss_thumbnails/v2-wso2con2018-architectingforcontainernativeenvironments-180810085834-thumbnail.jpg?width=640&height=640&fit=bounds)
Advanced Observability & Security
- 1. © OPITZ CONSULTING2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 1 Brühl, 2023-06-20 Fabian Hardt ADVANCED OBSERVABILITY & SECURITY FOR YOUR KUBERNETES WITH A MODERN SERVICE MESH
- 2. © OPITZ CONSULTING2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 2 WHY SERVICE MESH? 01 KUMA 02 CONCLUSION 04 DEMO 03
- 3. © OPITZ CONSULTING2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 6 WHY SERVICE MESH? 01
- 4. © OPITZ CONSULTING2023 / Öffentlich TREND TOWARDS DISTRIBUTED APPLICATION ARCHITECTURES Advanced Observability & Security for your Kubernetes with a modern Service Mesh 7 Centralized STATIC ON-PREM MONOLITH VIRTUAL MACHINES MANUAL CHANGE PROCESS Decentralized DYNAMIC CLOUD / MULTI-CLOUD MICROSERVICES / SERVERLESS CONTAINERS, KUBERNETES AUTOMATED CI/CD TOOL CHAIN # Services & APIs CONTROL AND VISIBILITY
- 5. © OPITZ CONSULTING2023 / Öffentlich INCREASED COMPLEXITY AND COGNITIVE LOAD ON DEVS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 8 Security Security Logging Logging Security Tracing Metrics Routing Metrics Tracing Application AuthN/ Z Rate-Limiting Routing Caching Organization Application AuthN/ Z Versioning Versioning Rate-Limiting
- 6. © OPITZ CONSULTING2023 / Öffentlich WHAT’S A SERVICE MESH? Advanced Observability & Security for your Kubernetes with a modern Service Mesh 10 Efficient implementation of cross-cutting concerns with respect to service integration challenges Everything is a service! Cloud-native apps deployed to Kubernetes Non Cloud-native workloads Should be independent of Architecture (e.g. Monolithic or µService) Platform (e.g. VMs, Containers, Kubernetes) Dedicated infrastructure layer that makes service-to-service communication more reliable, secure and observable
- 7. © OPITZ CONSULTING2023 / Öffentlich E2E SERVICE CONNECTIVITY WITH GATEWAY AND MESH Advanced Observability & Security for your Kubernetes with a modern Service Mesh 12 Increased Developer experience Consistent security Seamless observability Reliable connectivity Resilience Flexibility GW DP CLIENT PUBLIC TRAFFIC GW DP MESH CP MESH 1 MESH 2
- 8. © OPITZ CONSULTING2023 / Öffentlich SERVICE-MESH IMPLEMENTATIONS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 13 Kuma Istio Consul Linkerd GlooMesh
- 9. © OPITZ CONSULTING2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 14 KUMA 02
- 10. © OPITZ CONSULTING2023 / Öffentlich KUMA INTRODUCTION Advanced Observability & Security for your Kubernetes with a modern Service Mesh 15 Initially invented by Kong and donated to CNCF in 2020 Provides a modern distributed Control Plane Completely Envoy-based Data Plane proxies Platform agnostic open-source control plane for Service Mesh Hence Kuma is Universal Simple Scalable Flexible deployment options Standalone deployment Multi-Zone deployment Source: https://tinyurl.com/xb57bhx5
- 11. © OPITZ CONSULTING2023 / Öffentlich KUMA STANDALONE ARCHITECTURE Advanced Observability & Security for your Kubernetes with a modern Service Mesh 16
- 12. © OPITZ CONSULTING2023 / Öffentlich KUMA MULTI-CLUSTER ARCHITECTURE Advanced Observability & Security for your Kubernetes with a modern Service Mesh 17 One mesh can be deployed over multiple clusters (=> Zone) All traffic enters cluster over zone ingress One Remote (Zone) Control Plane in each cluster
- 13. © OPITZ CONSULTING2023 / Öffentlich KUMA NETWORKING / INIT-CONTAINER Advanced Observability & Security for your Kubernetes with a modern Service Mesh 18 Injected to Pod and started individually before Data Plane Configures iptables / network routing
- 14. © OPITZ CONSULTING2023 / Öffentlich KUMA NETWORKING / CNI Advanced Observability & Security for your Kubernetes with a modern Service Mesh 19 Installed as DaemonSet on all Nodes Injects label on Pods - k8s.v1.cni.cncf.io/networks: kuma-cni CNI enables Transparent Proxying – redirects all traffic through Data Plane
- 15. © OPITZ CONSULTING2023 / Öffentlich SERVICE MESH DNS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 20 Local DNS resolution directly in Data Plane (Envoy) Names are not resolvable in complete cluster, just inside service mesh (Envoy) Resolves “.mesh“ address to pre-defined service mesh IP address IP in other zone / cluster is routed over Kuma Zone Ingress
- 16. © OPITZ CONSULTING2023 / Öffentlich ZONE EGRESS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 21 Special Data Plane instance – like Zone Ingress All outgoing traffic is routed through this instance Usage of External Services just possible with deployed Zone Egress in the future
- 17. © OPITZ CONSULTING2023 / Öffentlich INTEGRATION OF LEGACY WORKLOAD Advanced Observability & Security for your Kubernetes with a modern Service Mesh 22 Integration of vm and bare metal workload Local Data Plane instance connecting to Control Plane Seamless and secure commuication between vm and Kubernetes workload
- 18. © OPITZ CONSULTING2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 23 DEMO 03
- 19. © OPITZ CONSULTING2023 / Öffentlich ARCHITECTURE OVERVIEW Advanced Observability & Security for your Kubernetes with a modern Service Mesh 24
- 20. © OPITZ CONSULTING2023 / Öffentlich ANALYZING AND MONITORING THE DATA Advanced Observability & Security for your Kubernetes with a modern Service Mesh Using Grafana Stack to create a 360-degree view Component usage: Visualization: Grafana Logging: Loki (Log Shipping: FluentD / FluentBit / Promtail) Metrics: Prometheus Tracing: Jaeger or Tempo Alerting: Prometheus Alert Manager Operating models Self-managed (e.g. on-prem) Grafana SaaS offering 25
- 21. © OPITZ CONSULTING2023 / Öffentlich ARCHITECTURE OBSERVABILITY Advanced Observability & Security for your Kubernetes with a modern Service Mesh 26
- 22. © OPITZ CONSULTING2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 27 DEMO
- 23. © OPITZ CONSULTING2023 / Öffentlich ASPECTS COVERED Advanced Observability & Security for your Kubernetes with a modern Service Mesh 28 Mesh Management (Kuma UI) Managing Apps within the Mesh Locality Awareness Advanced Routing Security Mesh observability Metrics Logs Traces
- 24. © OPITZ CONSULTING2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 29 CONCLUSION 04
- 25. © OPITZ CONSULTING2023 / Öffentlich SERVICE MESH BENEFITS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 30 Zero-trust security mTLS, Traffic Permissions Increased Developers productivity Crosscutting concerns (AuthN & AuthZ, …) Self-service network management Multi-Tenancy over multiple clouds Reliable connectivity Circuit Breaker, Traffic Routes, … Observability Metrics, Tracing, Logs
- 26. © OPITZ CONSULTING2023 / Öffentlich KEY TAKEAWAYS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 31 Service Mesh is essential to build and managing multi-cloud apps efficiently Kuma as mesh implementation provides Agnostic approach (independent of architecture or platform) Modern, flexible architecture supporting hybrid, multi-cloud scenarios Multi-zone Multi-cluster Multi-mesh Seamless CI / CD integration (GitOps) Intuitive design Spanning a mesh over multiple clusters and clouds can be done easily
- 27. © OPITZ CONSULTING2023 / Öffentlich MATERIALS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 32 Demo Source: https://github.com/KongChampions/kuma-multi-zone-mesh Kuma docs: https://kuma.io/docs/2.2.x/ Kuma Counter Demo: https://github.com/kumahq/kuma-counter-demo Kuma introduction – Meetup recording “Service integration made easy with OpenSource Kuma”: https://www.youtube.com/watch?v=f3GeuKzYrsA&t=1s Demo “Service integration made easy with OpenSource Kuma”: https://github.com/svenbernhardt/service-integration-made-easy Kong / Kuma and friends (k3d)– https://github.com/FabianHardt/k3d-bootstrap-cluster
- 28. © OPITZ CONSULTING2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 33 Q & A https://opitzcloud.canto.global/b/H0EMG
- 29. © OPITZ CONSULTING2023 / Öffentlich KONTAKT Modern Data Stack - Einführung - TDWI Community Talk 34 Fabian Hardt Solution Architect Fabian.Hardt@opitz-consulting.com https://twitter.com/fabian_hardt https://www.xing.com/profile/Fabian_Hardt https://www.linkedin.com/in/fabian-hardt
Editor's Notes
- #6 Achtung: Hier muss!!!! Der Sprechtext sitzen, weil hier unser Angebot formuliert wird.
- #18 Pfeile
- #24 Global Control Plane (AKS, Fabian) Zone 1: OKE (Sven mit Data API) Zone 2: AKS (Fabian)
- #31 Reliable connectivity No longer Developer’s responsibility Consistent, declarative management at infrastructure level Self-service network management Developer defines communication rules (traffic permissions) No longer need to also involve network teams (firewall rules) Zero-trust security Secure communication via mTLS Automated certificate management Service Discovery