apidays Paris 2022 - APIs the next 10 years: Software, Society, Sovereignty, Sustainability December 14, 15 & 16, 2022 The Magic of Service Mesh: Everything Your Sidecar Does for You Charly Molter, Engineering Manager at Kong ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/ Deep dive into the API industry with our reports: https://www.apidays.global/industry-reports/ Subscribe to our global newsletter: https://apidays.typeform.com/to/i1MPEW

1. THE CLOUDCONNECTIVITYCOMPANY
1
© Kong Inc.
THE CLOUD
CONNECTIVITYCOMPANY
Charly Molter
ApiDays Paris- DECEMBER 2022
The Magic of Service Mesh
What your sidecar does for You

2. 2023 SERIES OF EVENT
New York
May 16&17
Australia
October 11&12
Singapore
April 12&13
Helsinki & North
June 5&6
Paris
SEPTEMBER
London
November
15&16
June 28-30
SILICON VALLEY
March 14&15
Dubai & Middle East
February 22&23

3. THE CLOUDCONNECTIVITYCOMPANY
2
© Kong Inc.
- Sidecars are amazing you’ll see!
- It’s fun to understand how a service mesh works
- As a user it’s useful to understand how things work
- Learn how to troubleshoot and leverage some Kuma tools
Why this Talk?

4. THE CLOUDCONNECTIVITYCOMPANY
3
© Kong Inc. 3
Engineering manager of the mesh team @ Kong
Worked on many infrastructure projects
Twitter @moltch

5. THE CLOUDCONNECTIVITYCOMPANY
4
© Kong Inc. 4
Service Mesh architecture

6. THE CLOUDCONNECTIVITYCOMPANY
5
© Kong Inc. 5

7. THE CLOUDCONNECTIVITYCOMPANY
6
© Kong Inc. 6
Focused architecture

8. THE CLOUDCONNECTIVITYCOMPANY
7
© Kong Inc.
- Simple security model
- Containers did a lot of work to achieve multi -tenancy
- Great failure isolation (you crash your sidecar, only your pod loses connectivity)
- Your sidecar scales like your app does
- Upgrading your sidecar is like upgrading your app , something you already do right?!
Why a sidecar?
For more: https://thenewstack.io/ebpf-or-not-sidecars-are-the-future-of-the-service-mesh/

9. THE CLOUDCONNECTIVITYCOMPANY
8
© Kong Inc.
Control Plane and Sidecars

10. THE CLOUDCONNECTIVITYCOMPANY
9
© Kong Inc.
- Envoy has a very complete admin api exposed on 127.0.0.1:9901
- Use kumactl or GUI to access it
- policies : list policies that apply to your dataplane
- config -dump: get the full envoy config dump
- stats: show stats of the proxy
- clusters: show information about envoy clusters and endpoints.
What happens under the hood
Inspecting your sidecar

11. THE CLOUDCONNECTIVITYCOMPANY
10
© Kong Inc.
- Control-plane issue a certificate per sidecar
- Sidecar info are added in the SAN of the cert as spiffe ids. .e.g:
spiffe://default/demo-app_kuma-demo_svc_5000
- Server leverages spiffe ids to identify clients
- Cert is renewed by the Control-plane before expiration
What happens under the hood
Mutual TLS and Certificate rotation

12. THE CLOUDCONNECTIVITYCOMPANY
11
© Kong Inc.
- Envoy will issue 1 certificate for each sidecar
- Control-plane regenerates when at 4/5 of the expiration time
- Envoy will use this new certificate
- Dataplane tags are added in the SAN of the cert as spiffe ids.
.e.g: spiffe://default/demo-app_kuma-demo_svc_5000
What happens under the hood
Mutual TLS and Certificate rotation

13. THE CLOUDCONNECTIVITYCOMPANY
12
© Kong Inc.
- Control-plane will issue new certificates using the
“enabledBacked” for all dataplanes
- All sidecars will have both CAs to allow clients with old and
new cert
- Once all sidecars are on the new CA you can delete the old
backend
What happens under the hood
CA Rotation is Almost as Easy

14. THE CLOUDCONNECTIVITYCOMPANY
13
© Kong Inc.
- Envoy will expose metrics on :5670
- The sidecar can also scrape your application metrics on :5000
- Application metrics and sidecar metrics are all exposed with a
common set of labels regardless of where they run
(kubernetes or elsewhere).
- No need to expose your application metrics port to scrape
metrics
What happens under the hood
How About Metrics?

15. THE CLOUDCONNECTIVITYCOMPANY
14
© Kong Inc.
- Whenever a pod is added/removed or goes unhealthy the CP recomputes the configuration of all of
the service’s clients
- All this usually happens in < 1 second
- Load balancing algorithm is configurable
What happens under the hood
Endpoint discovery / load balancing

16. THE CLOUDCONNECTIVITYCOMPANY
15
© Kong Inc.
- Exclude endpoints for some time if the failure rate
jumps over a threshold
- When setting it to 15% we see the endpoint that has
81%success won’t receive requests
What happens under the hood
Outlier detection

17. THE CLOUDCONNECTIVITYCOMPANY
16
© Kong Inc.
- Raising the threshold to 5%
- Now 2 endpoints are outliers and won’t receive requests
What happens under the hood
Lowering the threshold

18. THE CLOUDCONNECTIVITYCOMPANY
17
© Kong Inc.
- When playing with endpoint health always set fail safe to
avoid ending with too few endpoints.
- In this case maxEjectionPercent does this. If less than 50%
of the endpoints are outliers consider no-one as an outlier
What happens under the hood
Avoiding Shooting Yourself in the Foot

19. THE CLOUDCONNECTIVITYCOMPANY
18
© Kong Inc.
- Sidecars implement complex algorithms
- Envoy is very mature so you can trust these algorithms
- Whenever evaluating the overhead of the mesh take into
account the features it brings
- Use kumactl inspect (or the UI) to figure out how things work
What happens under the hood
Conclusion

20. THE CLOUDCONNECTIVITYCOMPANY
19
© Kong Inc.
1
9
Scan To Get Kong Mesh
Thanks! Please ask me any questions