SlideShare a Scribd company logo
© OPITZ CONSULTING 2023 / Öffentlich
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 1
Brühl, 2023-06-20
Fabian Hardt
ADVANCED OBSERVABILITY & SECURITY
FOR YOUR KUBERNETES WITH A MODERN SERVICE MESH
© OPITZ CONSULTING 2023 / Öffentlich
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 2
WHY SERVICE MESH?
01
KUMA
02
CONCLUSION
04
DEMO
03
© OPITZ CONSULTING 2023 / Öffentlich
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 6
WHY SERVICE MESH?
01
© OPITZ CONSULTING 2023 / Öffentlich
TREND TOWARDS DISTRIBUTED APPLICATION ARCHITECTURES
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 7
Centralized
STATIC
ON-PREM
MONOLITH
VIRTUAL MACHINES
MANUAL CHANGE PROCESS
Decentralized
DYNAMIC
CLOUD / MULTI-CLOUD
MICROSERVICES / SERVERLESS
CONTAINERS, KUBERNETES
AUTOMATED CI/CD TOOL CHAIN
# Services & APIs
CONTROL AND VISIBILITY
© OPITZ CONSULTING 2023 / Öffentlich
INCREASED COMPLEXITY AND COGNITIVE LOAD ON DEVS
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 8
Security Security
Logging Logging
Security
Tracing
Metrics Routing
Metrics Tracing
Application
AuthN/
Z
Rate-Limiting
Routing
Caching
Organization
Application
AuthN/
Z
Versioning
Versioning
Rate-Limiting
© OPITZ CONSULTING 2023 / Öffentlich
WHAT’S A SERVICE MESH?
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 10
 Efficient implementation of cross-cutting
concerns with respect to service integration
challenges
 Everything is a service!
 Cloud-native apps deployed to Kubernetes
 Non Cloud-native workloads
 Should be independent of
 Architecture (e.g. Monolithic or µService)
 Platform (e.g. VMs, Containers, Kubernetes)
Dedicated infrastructure layer that makes
service-to-service communication more
reliable, secure and observable
© OPITZ CONSULTING 2023 / Öffentlich
E2E SERVICE CONNECTIVITY WITH GATEWAY AND MESH
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 12
 Increased Developer experience
 Consistent security
 Seamless observability
 Reliable connectivity
 Resilience
 Flexibility
GW DP
CLIENT
PUBLIC TRAFFIC
GW DP
MESH CP
MESH 1 MESH 2
© OPITZ CONSULTING 2023 / Öffentlich
SERVICE-MESH IMPLEMENTATIONS
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 13
 Kuma
 Istio
 Consul
 Linkerd
 GlooMesh
© OPITZ CONSULTING 2023 / Öffentlich
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 14
KUMA
02
© OPITZ CONSULTING 2023 / Öffentlich
KUMA INTRODUCTION
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 15
 Initially invented by Kong and donated to CNCF in 2020
 Provides a modern distributed Control Plane
 Completely Envoy-based Data Plane proxies
 Platform agnostic open-source control plane for Service Mesh
 Hence Kuma is
 Universal
 Simple
 Scalable
 Flexible deployment options
 Standalone deployment
 Multi-Zone deployment
Source: https://tinyurl.com/xb57bhx5
© OPITZ CONSULTING 2023 / Öffentlich
KUMA STANDALONE ARCHITECTURE
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 16
© OPITZ CONSULTING 2023 / Öffentlich
KUMA MULTI-CLUSTER ARCHITECTURE
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 17
 One mesh can be deployed over multiple clusters (=> Zone)
 All traffic enters cluster over zone ingress
 One Remote (Zone) Control Plane in each cluster
© OPITZ CONSULTING 2023 / Öffentlich
KUMA NETWORKING / INIT-CONTAINER
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 18
 Injected to Pod and started individually before Data Plane
 Configures iptables / network routing
© OPITZ CONSULTING 2023 / Öffentlich
KUMA NETWORKING / CNI
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 19
 Installed as DaemonSet on all Nodes
 Injects label on Pods - k8s.v1.cni.cncf.io/networks: kuma-cni
 CNI enables Transparent Proxying – redirects all traffic through Data Plane
© OPITZ CONSULTING 2023 / Öffentlich
SERVICE MESH DNS
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 20
 Local DNS resolution directly in Data Plane (Envoy)
 Names are not resolvable in complete cluster, just inside service mesh (Envoy)
 Resolves “.mesh“ address to pre-defined service mesh IP address
 IP in other zone / cluster is routed over Kuma Zone Ingress
© OPITZ CONSULTING 2023 / Öffentlich
ZONE EGRESS
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 21
 Special Data Plane instance – like Zone Ingress
 All outgoing traffic is routed through this instance
 Usage of External Services just possible with deployed Zone Egress in the future
© OPITZ CONSULTING 2023 / Öffentlich
INTEGRATION OF LEGACY WORKLOAD
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 22
 Integration of vm and bare metal workload
 Local Data Plane instance connecting to Control Plane
 Seamless and secure commuication between vm and Kubernetes workload
© OPITZ CONSULTING 2023 / Öffentlich
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 23
DEMO
03
© OPITZ CONSULTING 2023 / Öffentlich
ARCHITECTURE OVERVIEW
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 24
© OPITZ CONSULTING 2023 / Öffentlich
ANALYZING AND MONITORING THE DATA
Advanced Observability & Security for your Kubernetes with a modern Service Mesh
 Using Grafana Stack to create a 360-degree view
 Component usage:
 Visualization: Grafana
 Logging: Loki (Log Shipping: FluentD / FluentBit / Promtail)
 Metrics: Prometheus
 Tracing: Jaeger or Tempo
 Alerting: Prometheus Alert Manager
 Operating models
 Self-managed (e.g. on-prem)
 Grafana SaaS offering
25
© OPITZ CONSULTING 2023 / Öffentlich
ARCHITECTURE OBSERVABILITY
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 26
© OPITZ CONSULTING 2023 / Öffentlich
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 27
DEMO
© OPITZ CONSULTING 2023 / Öffentlich
ASPECTS COVERED
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 28
 Mesh Management (Kuma UI)
 Managing Apps within the Mesh
 Locality Awareness
 Advanced Routing
 Security
 Mesh observability
 Metrics
 Logs
 Traces
© OPITZ CONSULTING 2023 / Öffentlich
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 29
CONCLUSION
04
© OPITZ CONSULTING 2023 / Öffentlich
SERVICE MESH BENEFITS
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 30
 Zero-trust security
 mTLS, Traffic Permissions
 Increased Developers productivity
 Crosscutting concerns (AuthN & AuthZ, …)
 Self-service network management
 Multi-Tenancy over multiple clouds
 Reliable connectivity
 Circuit Breaker, Traffic Routes, …
 Observability
 Metrics, Tracing, Logs
© OPITZ CONSULTING 2023 / Öffentlich
KEY TAKEAWAYS
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 31
 Service Mesh is essential to build and managing multi-cloud apps efficiently
 Kuma as mesh implementation provides
 Agnostic approach (independent of architecture or platform)
 Modern, flexible architecture supporting hybrid, multi-cloud scenarios
 Multi-zone
 Multi-cluster
 Multi-mesh
 Seamless CI / CD integration (GitOps)
 Intuitive design
 Spanning a mesh over multiple clusters and clouds can be done easily
© OPITZ CONSULTING 2023 / Öffentlich
MATERIALS
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 32
 Demo Source: https://github.com/KongChampions/kuma-multi-zone-mesh
 Kuma docs: https://kuma.io/docs/2.2.x/
 Kuma Counter Demo: https://github.com/kumahq/kuma-counter-demo
 Kuma introduction – Meetup recording “Service integration made easy with OpenSource Kuma”:
https://www.youtube.com/watch?v=f3GeuKzYrsA&t=1s
 Demo “Service integration made easy with OpenSource Kuma”:
https://github.com/svenbernhardt/service-integration-made-easy
 Kong / Kuma and friends (k3d)– https://github.com/FabianHardt/k3d-bootstrap-cluster
© OPITZ CONSULTING 2023 / Öffentlich
Advanced Observability & Security for your Kubernetes with a modern Service Mesh 33
Q & A
https://opitzcloud.canto.global/b/H0EMG
© OPITZ CONSULTING 2023 / Öffentlich
KONTAKT
Modern Data Stack - Einführung - TDWI Community Talk 34
Fabian Hardt
Solution Architect
Fabian.Hardt@opitz-consulting.com
https://twitter.com/fabian_hardt
https://www.xing.com/profile/Fabian_Hardt
https://www.linkedin.com/in/fabian-hardt

More Related Content

Similar to Advanced Observability & Security

End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...
NETSCOUT
 
Innovate everywhere - SUSE edge
Innovate everywhere - SUSE edgeInnovate everywhere - SUSE edge
Innovate everywhere - SUSE edge
SUSE
 
The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:
The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:
The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:
Cisco Canada
 
Designing IBM MQ deployments for the cloud generation
Designing IBM MQ deployments for the cloud generationDesigning IBM MQ deployments for the cloud generation
Designing IBM MQ deployments for the cloud generation
David Ware
 
Declarative observability management for Microservice architectures
Declarative observability management for Microservice architecturesDeclarative observability management for Microservice architectures
Declarative observability management for Microservice architectures
Sven Bernhardt
 
Multiple ways of building hybrid clouds on Kubernetes
Multiple ways of building hybrid clouds on KubernetesMultiple ways of building hybrid clouds on Kubernetes
Multiple ways of building hybrid clouds on Kubernetes
Janos Matyas
 
Modernizing Application Deployments with HashiCorp Consul on Microsoft Azure
Modernizing Application Deployments with HashiCorp Consul on Microsoft AzureModernizing Application Deployments with HashiCorp Consul on Microsoft Azure
Modernizing Application Deployments with HashiCorp Consul on Microsoft Azure
Mitchell Pronschinske
 
Towards secure vehicular clouds
Towards secure vehicular cloudsTowards secure vehicular clouds
Towards secure vehicular clouds
durgeshkumarshukla
 
Edge Computing: A Unified Infrastructure for all the Different Pieces
Edge Computing: A Unified Infrastructure for all the Different PiecesEdge Computing: A Unified Infrastructure for all the Different Pieces
Edge Computing: A Unified Infrastructure for all the Different Pieces
Cloudify Community
 
Deploying Elastic Self-Service Load Balancing
Deploying Elastic Self-Service Load BalancingDeploying Elastic Self-Service Load Balancing
Deploying Elastic Self-Service Load Balancing
Avi Networks
 
Integration architectures based on Microservices, APIs and events
Integration architectures based on Microservices,  APIs and eventsIntegration architectures based on Microservices,  APIs and events
Integration architectures based on Microservices, APIs and events
Sven Bernhardt
 
Acronym Soup – NFV, SDN, OVN and VNF
Acronym Soup – NFV, SDN, OVN and VNFAcronym Soup – NFV, SDN, OVN and VNF
Acronym Soup – NFV, SDN, OVN and VNF
Emulex Corporation
 
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannotapidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays
 
Kong Mesh入門編
Kong Mesh入門編Kong Mesh入門編
Kong Mesh入門編
WenhanShi1
 
Necos keynote ii_mobislice
Necos keynote ii_mobisliceNecos keynote ii_mobislice
Necos keynote ii_mobislice
Augusto Neto
 
What's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OSWhat's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OS
Matt Leming
 
End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...
NETSCOUT
 
Speed5G Workshop London presentation of 5G Monarch
Speed5G Workshop London presentation of 5G MonarchSpeed5G Workshop London presentation of 5G Monarch
Speed5G Workshop London presentation of 5G Monarch
Klaus Moessner
 
Mobile Edge Computing
Mobile Edge ComputingMobile Edge Computing
Mobile Edge Computing
M2M Alliance e.V.
 
Presentation cloud, the whole offer
Presentation   cloud, the whole offerPresentation   cloud, the whole offer
Presentation cloud, the whole offer
xKinAnx
 

Similar to Advanced Observability & Security (20)

End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...
 
Innovate everywhere - SUSE edge
Innovate everywhere - SUSE edgeInnovate everywhere - SUSE edge
Innovate everywhere - SUSE edge
 
The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:
The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:
The Hitch-Hikers Guide to Data Centre Virtualization and Workload Consolidation:
 
Designing IBM MQ deployments for the cloud generation
Designing IBM MQ deployments for the cloud generationDesigning IBM MQ deployments for the cloud generation
Designing IBM MQ deployments for the cloud generation
 
Declarative observability management for Microservice architectures
Declarative observability management for Microservice architecturesDeclarative observability management for Microservice architectures
Declarative observability management for Microservice architectures
 
Multiple ways of building hybrid clouds on Kubernetes
Multiple ways of building hybrid clouds on KubernetesMultiple ways of building hybrid clouds on Kubernetes
Multiple ways of building hybrid clouds on Kubernetes
 
Modernizing Application Deployments with HashiCorp Consul on Microsoft Azure
Modernizing Application Deployments with HashiCorp Consul on Microsoft AzureModernizing Application Deployments with HashiCorp Consul on Microsoft Azure
Modernizing Application Deployments with HashiCorp Consul on Microsoft Azure
 
Towards secure vehicular clouds
Towards secure vehicular cloudsTowards secure vehicular clouds
Towards secure vehicular clouds
 
Edge Computing: A Unified Infrastructure for all the Different Pieces
Edge Computing: A Unified Infrastructure for all the Different PiecesEdge Computing: A Unified Infrastructure for all the Different Pieces
Edge Computing: A Unified Infrastructure for all the Different Pieces
 
Deploying Elastic Self-Service Load Balancing
Deploying Elastic Self-Service Load BalancingDeploying Elastic Self-Service Load Balancing
Deploying Elastic Self-Service Load Balancing
 
Integration architectures based on Microservices, APIs and events
Integration architectures based on Microservices,  APIs and eventsIntegration architectures based on Microservices,  APIs and events
Integration architectures based on Microservices, APIs and events
 
Acronym Soup – NFV, SDN, OVN and VNF
Acronym Soup – NFV, SDN, OVN and VNFAcronym Soup – NFV, SDN, OVN and VNF
Acronym Soup – NFV, SDN, OVN and VNF
 
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannotapidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
 
Kong Mesh入門編
Kong Mesh入門編Kong Mesh入門編
Kong Mesh入門編
 
Necos keynote ii_mobislice
Necos keynote ii_mobisliceNecos keynote ii_mobislice
Necos keynote ii_mobislice
 
What's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OSWhat's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OS
 
End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...End to End Application Visibility and Troubleshooting Across the Virtual Clou...
End to End Application Visibility and Troubleshooting Across the Virtual Clou...
 
Speed5G Workshop London presentation of 5G Monarch
Speed5G Workshop London presentation of 5G MonarchSpeed5G Workshop London presentation of 5G Monarch
Speed5G Workshop London presentation of 5G Monarch
 
Mobile Edge Computing
Mobile Edge ComputingMobile Edge Computing
Mobile Edge Computing
 
Presentation cloud, the whole offer
Presentation   cloud, the whole offerPresentation   cloud, the whole offer
Presentation cloud, the whole offer
 

More from Fabian Hardt

Mit APIs auf der Überholspur zur produktorientierten Organisation
Mit APIs auf der Überholspur zur produktorientierten OrganisationMit APIs auf der Überholspur zur produktorientierten Organisation
Mit APIs auf der Überholspur zur produktorientierten Organisation
Fabian Hardt
 
Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...
Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...
Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...
Fabian Hardt
 
Analytics meets Integration – Modern Development mit Data APIs
Analytics meets Integration – Modern Development mit Data APIsAnalytics meets Integration – Modern Development mit Data APIs
Analytics meets Integration – Modern Development mit Data APIs
Fabian Hardt
 
How Service Mesh Fits into the Modern Data Stack
How Service Mesh Fits into the Modern Data StackHow Service Mesh Fits into the Modern Data Stack
How Service Mesh Fits into the Modern Data Stack
Fabian Hardt
 
Modern Data Stack – Buzzword oder echter Game-Changer?
Modern Data Stack – Buzzword oder echter Game-Changer?Modern Data Stack – Buzzword oder echter Game-Changer?
Modern Data Stack – Buzzword oder echter Game-Changer?
Fabian Hardt
 
Persönliche Filmtipps mittels Recommender System und Chatbot
Persönliche Filmtipps mittels Recommender System und ChatbotPersönliche Filmtipps mittels Recommender System und Chatbot
Persönliche Filmtipps mittels Recommender System und Chatbot
Fabian Hardt
 
Automatisierte Provisionierung einer Data Lab Umgebung für Data Scientists
Automatisierte Provisionierung einer Data Lab Umgebung für Data ScientistsAutomatisierte Provisionierung einer Data Lab Umgebung für Data Scientists
Automatisierte Provisionierung einer Data Lab Umgebung für Data Scientists
Fabian Hardt
 
Augmented Analytics mit Amazon Alexa
Augmented Analytics mit Amazon AlexaAugmented Analytics mit Amazon Alexa
Augmented Analytics mit Amazon Alexa
Fabian Hardt
 

More from Fabian Hardt (8)

Mit APIs auf der Überholspur zur produktorientierten Organisation
Mit APIs auf der Überholspur zur produktorientierten OrganisationMit APIs auf der Überholspur zur produktorientierten Organisation
Mit APIs auf der Überholspur zur produktorientierten Organisation
 
Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...
Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...
Data Mesh und Domain Driven Design - rücken Analytics und SD nun doch näher z...
 
Analytics meets Integration – Modern Development mit Data APIs
Analytics meets Integration – Modern Development mit Data APIsAnalytics meets Integration – Modern Development mit Data APIs
Analytics meets Integration – Modern Development mit Data APIs
 
How Service Mesh Fits into the Modern Data Stack
How Service Mesh Fits into the Modern Data StackHow Service Mesh Fits into the Modern Data Stack
How Service Mesh Fits into the Modern Data Stack
 
Modern Data Stack – Buzzword oder echter Game-Changer?
Modern Data Stack – Buzzword oder echter Game-Changer?Modern Data Stack – Buzzword oder echter Game-Changer?
Modern Data Stack – Buzzword oder echter Game-Changer?
 
Persönliche Filmtipps mittels Recommender System und Chatbot
Persönliche Filmtipps mittels Recommender System und ChatbotPersönliche Filmtipps mittels Recommender System und Chatbot
Persönliche Filmtipps mittels Recommender System und Chatbot
 
Automatisierte Provisionierung einer Data Lab Umgebung für Data Scientists
Automatisierte Provisionierung einer Data Lab Umgebung für Data ScientistsAutomatisierte Provisionierung einer Data Lab Umgebung für Data Scientists
Automatisierte Provisionierung einer Data Lab Umgebung für Data Scientists
 
Augmented Analytics mit Amazon Alexa
Augmented Analytics mit Amazon AlexaAugmented Analytics mit Amazon Alexa
Augmented Analytics mit Amazon Alexa
 

Recently uploaded

20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
Claudio Di Ciccio
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 

Recently uploaded (20)

20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 

Advanced Observability & Security

  • 1. © OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 1 Brühl, 2023-06-20 Fabian Hardt ADVANCED OBSERVABILITY & SECURITY FOR YOUR KUBERNETES WITH A MODERN SERVICE MESH
  • 2. © OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 2 WHY SERVICE MESH? 01 KUMA 02 CONCLUSION 04 DEMO 03
  • 3. © OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 6 WHY SERVICE MESH? 01
  • 4. © OPITZ CONSULTING 2023 / Öffentlich TREND TOWARDS DISTRIBUTED APPLICATION ARCHITECTURES Advanced Observability & Security for your Kubernetes with a modern Service Mesh 7 Centralized STATIC ON-PREM MONOLITH VIRTUAL MACHINES MANUAL CHANGE PROCESS Decentralized DYNAMIC CLOUD / MULTI-CLOUD MICROSERVICES / SERVERLESS CONTAINERS, KUBERNETES AUTOMATED CI/CD TOOL CHAIN # Services & APIs CONTROL AND VISIBILITY
  • 5. © OPITZ CONSULTING 2023 / Öffentlich INCREASED COMPLEXITY AND COGNITIVE LOAD ON DEVS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 8 Security Security Logging Logging Security Tracing Metrics Routing Metrics Tracing Application AuthN/ Z Rate-Limiting Routing Caching Organization Application AuthN/ Z Versioning Versioning Rate-Limiting
  • 6. © OPITZ CONSULTING 2023 / Öffentlich WHAT’S A SERVICE MESH? Advanced Observability & Security for your Kubernetes with a modern Service Mesh 10  Efficient implementation of cross-cutting concerns with respect to service integration challenges  Everything is a service!  Cloud-native apps deployed to Kubernetes  Non Cloud-native workloads  Should be independent of  Architecture (e.g. Monolithic or µService)  Platform (e.g. VMs, Containers, Kubernetes) Dedicated infrastructure layer that makes service-to-service communication more reliable, secure and observable
  • 7. © OPITZ CONSULTING 2023 / Öffentlich E2E SERVICE CONNECTIVITY WITH GATEWAY AND MESH Advanced Observability & Security for your Kubernetes with a modern Service Mesh 12  Increased Developer experience  Consistent security  Seamless observability  Reliable connectivity  Resilience  Flexibility GW DP CLIENT PUBLIC TRAFFIC GW DP MESH CP MESH 1 MESH 2
  • 8. © OPITZ CONSULTING 2023 / Öffentlich SERVICE-MESH IMPLEMENTATIONS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 13  Kuma  Istio  Consul  Linkerd  GlooMesh
  • 9. © OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 14 KUMA 02
  • 10. © OPITZ CONSULTING 2023 / Öffentlich KUMA INTRODUCTION Advanced Observability & Security for your Kubernetes with a modern Service Mesh 15  Initially invented by Kong and donated to CNCF in 2020  Provides a modern distributed Control Plane  Completely Envoy-based Data Plane proxies  Platform agnostic open-source control plane for Service Mesh  Hence Kuma is  Universal  Simple  Scalable  Flexible deployment options  Standalone deployment  Multi-Zone deployment Source: https://tinyurl.com/xb57bhx5
  • 11. © OPITZ CONSULTING 2023 / Öffentlich KUMA STANDALONE ARCHITECTURE Advanced Observability & Security for your Kubernetes with a modern Service Mesh 16
  • 12. © OPITZ CONSULTING 2023 / Öffentlich KUMA MULTI-CLUSTER ARCHITECTURE Advanced Observability & Security for your Kubernetes with a modern Service Mesh 17  One mesh can be deployed over multiple clusters (=> Zone)  All traffic enters cluster over zone ingress  One Remote (Zone) Control Plane in each cluster
  • 13. © OPITZ CONSULTING 2023 / Öffentlich KUMA NETWORKING / INIT-CONTAINER Advanced Observability & Security for your Kubernetes with a modern Service Mesh 18  Injected to Pod and started individually before Data Plane  Configures iptables / network routing
  • 14. © OPITZ CONSULTING 2023 / Öffentlich KUMA NETWORKING / CNI Advanced Observability & Security for your Kubernetes with a modern Service Mesh 19  Installed as DaemonSet on all Nodes  Injects label on Pods - k8s.v1.cni.cncf.io/networks: kuma-cni  CNI enables Transparent Proxying – redirects all traffic through Data Plane
  • 15. © OPITZ CONSULTING 2023 / Öffentlich SERVICE MESH DNS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 20  Local DNS resolution directly in Data Plane (Envoy)  Names are not resolvable in complete cluster, just inside service mesh (Envoy)  Resolves “.mesh“ address to pre-defined service mesh IP address  IP in other zone / cluster is routed over Kuma Zone Ingress
  • 16. © OPITZ CONSULTING 2023 / Öffentlich ZONE EGRESS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 21  Special Data Plane instance – like Zone Ingress  All outgoing traffic is routed through this instance  Usage of External Services just possible with deployed Zone Egress in the future
  • 17. © OPITZ CONSULTING 2023 / Öffentlich INTEGRATION OF LEGACY WORKLOAD Advanced Observability & Security for your Kubernetes with a modern Service Mesh 22  Integration of vm and bare metal workload  Local Data Plane instance connecting to Control Plane  Seamless and secure commuication between vm and Kubernetes workload
  • 18. © OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 23 DEMO 03
  • 19. © OPITZ CONSULTING 2023 / Öffentlich ARCHITECTURE OVERVIEW Advanced Observability & Security for your Kubernetes with a modern Service Mesh 24
  • 20. © OPITZ CONSULTING 2023 / Öffentlich ANALYZING AND MONITORING THE DATA Advanced Observability & Security for your Kubernetes with a modern Service Mesh  Using Grafana Stack to create a 360-degree view  Component usage:  Visualization: Grafana  Logging: Loki (Log Shipping: FluentD / FluentBit / Promtail)  Metrics: Prometheus  Tracing: Jaeger or Tempo  Alerting: Prometheus Alert Manager  Operating models  Self-managed (e.g. on-prem)  Grafana SaaS offering 25
  • 21. © OPITZ CONSULTING 2023 / Öffentlich ARCHITECTURE OBSERVABILITY Advanced Observability & Security for your Kubernetes with a modern Service Mesh 26
  • 22. © OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 27 DEMO
  • 23. © OPITZ CONSULTING 2023 / Öffentlich ASPECTS COVERED Advanced Observability & Security for your Kubernetes with a modern Service Mesh 28  Mesh Management (Kuma UI)  Managing Apps within the Mesh  Locality Awareness  Advanced Routing  Security  Mesh observability  Metrics  Logs  Traces
  • 24. © OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 29 CONCLUSION 04
  • 25. © OPITZ CONSULTING 2023 / Öffentlich SERVICE MESH BENEFITS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 30  Zero-trust security  mTLS, Traffic Permissions  Increased Developers productivity  Crosscutting concerns (AuthN & AuthZ, …)  Self-service network management  Multi-Tenancy over multiple clouds  Reliable connectivity  Circuit Breaker, Traffic Routes, …  Observability  Metrics, Tracing, Logs
  • 26. © OPITZ CONSULTING 2023 / Öffentlich KEY TAKEAWAYS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 31  Service Mesh is essential to build and managing multi-cloud apps efficiently  Kuma as mesh implementation provides  Agnostic approach (independent of architecture or platform)  Modern, flexible architecture supporting hybrid, multi-cloud scenarios  Multi-zone  Multi-cluster  Multi-mesh  Seamless CI / CD integration (GitOps)  Intuitive design  Spanning a mesh over multiple clusters and clouds can be done easily
  • 27. © OPITZ CONSULTING 2023 / Öffentlich MATERIALS Advanced Observability & Security for your Kubernetes with a modern Service Mesh 32  Demo Source: https://github.com/KongChampions/kuma-multi-zone-mesh  Kuma docs: https://kuma.io/docs/2.2.x/  Kuma Counter Demo: https://github.com/kumahq/kuma-counter-demo  Kuma introduction – Meetup recording “Service integration made easy with OpenSource Kuma”: https://www.youtube.com/watch?v=f3GeuKzYrsA&t=1s  Demo “Service integration made easy with OpenSource Kuma”: https://github.com/svenbernhardt/service-integration-made-easy  Kong / Kuma and friends (k3d)– https://github.com/FabianHardt/k3d-bootstrap-cluster
  • 28. © OPITZ CONSULTING 2023 / Öffentlich Advanced Observability & Security for your Kubernetes with a modern Service Mesh 33 Q & A https://opitzcloud.canto.global/b/H0EMG
  • 29. © OPITZ CONSULTING 2023 / Öffentlich KONTAKT Modern Data Stack - Einführung - TDWI Community Talk 34 Fabian Hardt Solution Architect Fabian.Hardt@opitz-consulting.com https://twitter.com/fabian_hardt https://www.xing.com/profile/Fabian_Hardt https://www.linkedin.com/in/fabian-hardt

Editor's Notes

  1. Achtung: Hier muss!!!! Der Sprechtext sitzen, weil hier unser Angebot formuliert wird.
  2. Pfeile
  3. Global Control Plane (AKS, Fabian) Zone 1: OKE (Sven mit Data API) Zone 2: AKS (Fabian)
  4. Reliable connectivity No longer Developer’s responsibility Consistent, declarative management at infrastructure level Self-service network management Developer defines communication rules (traffic permissions) No longer need to also involve network teams (firewall rules) Zero-trust security Secure communication via mTLS Automated certificate management Service Discovery