Download to read offline
Uploaded byInfluxData
Giacomo Tirabassi [InfluxData] | Istio at InfluxData | InfluxDays Virtual Experience London 2020
The document provides an overview of service meshes, highlighting their purpose, deployment methods, and benefits, particularly focusing on Istio as an example. It discusses the extraction of functionalities like networking and security from applications into the platform, emphasizing the need for service mesh in multi-language environments and zero trust networks. The roadmap includes plans for enhanced monitoring, stricter security policies, and cross-region failover capabilities.
More Related Content
![Nicolas Steinmetz [CérénIT] | Sustain Your Observability from Bare Metal TICK...](https://cdn.slidesharecdn.com/ss_thumbnails/sustainable-observability-from-bare-metal-to-k8s-world-nicolas-steinmetz-200623205020-thumbnail.jpg?width=640&height=640&fit=bounds)
![Vasilis Papavasiliou [Mist.io] | Integrating Telegraf, InfluxDB and Mist to M...](https://cdn.slidesharecdn.com/ss_thumbnails/vasilispapavasiliouslides-210511200808-thumbnail.jpg?width=640&height=640&fit=bounds)
![Dominik Obermaier and Anja Helmbrecht-Schaar [HiveMQ] | IIoT Monitoring with ...](https://cdn.slidesharecdn.com/ss_thumbnails/dominikobermaieranjahelmbrecht-schaarslides-210511200918-thumbnail.jpg?width=640&height=640&fit=bounds)
![Jess Ingrassellino [InfluxData] | How to Get Data Into InfluxDB | InfluxDays ...](https://cdn.slidesharecdn.com/ss_thumbnails/jessingrassellinoslides-210511200652-thumbnail.jpg?width=640&height=640&fit=bounds)
![Brandon Farmer [InfluxData] | Tools for Working with Flux Now and in the Futu...](https://cdn.slidesharecdn.com/ss_thumbnails/influxdaysbfarmer-200630193014-thumbnail.jpg?width=640&height=640&fit=bounds)
![Sebastian Spaink [InfluxData] | Layer by Layer: Printing Your Own External In...](https://cdn.slidesharecdn.com/ss_thumbnails/influxdaysemea20211-210419194123-thumbnail.jpg?width=640&height=640&fit=bounds)
![Andy Charlton [InfluxData] | Managing Your Dashboards, Tasks and Alerts Made ...](https://cdn.slidesharecdn.com/ss_thumbnails/andycharltonslides-210507162942-thumbnail.jpg?width=640&height=640&fit=bounds)
![Paul Dix [InfluxData] | InfluxDays Opening Keynote | InfluxDays Virtual Exper...](https://cdn.slidesharecdn.com/ss_thumbnails/influxdays-opening-keynote-paul-dix-200623175743-thumbnail.jpg?width=640&height=640&fit=bounds)
![Jacob Marble [InfluxData] | Observability with InfluxDB IOx and OpenTelemetry...](https://cdn.slidesharecdn.com/ss_thumbnails/influxdbioxandopentelemetry-27-oct-2021jmarble-211022195239-thumbnail.jpg?width=640&height=640&fit=bounds)
![Bernard Paques & Kevin Polossat [AWS] | Combining the Power of InfluxDB and A...](https://cdn.slidesharecdn.com/ss_thumbnails/bernardpaqueskevinpolossatawscombiningthepowerofinfluxdbandawsforiotusecasesinfluxdaysemea2021-210517184442-thumbnail.jpg?width=640&height=640&fit=bounds)
![Brian Gilmore [InfluxData] | InfluxDB in an IoT Application Architecture | In...](https://cdn.slidesharecdn.com/ss_thumbnails/brian-gilmoreinfluxdays-2021iot1-211022195133-thumbnail.jpg?width=640&height=640&fit=bounds)
![Ryan Betts [InfluxData] | InfluxDB Platform Performance | InfluxDays Virtual ...](https://cdn.slidesharecdn.com/ss_thumbnails/influxdaysna-ryan-201110022532-thumbnail.jpg?width=640&height=640&fit=bounds)
![Ana-Maria Calin [InfluxData] | Migrating from OSS to InfluxDB Cloud | InfluxD...](https://cdn.slidesharecdn.com/ss_thumbnails/influxdays2021-migratingfromosstoinfluxdbcloudanacalin-211022195114-thumbnail.jpg?width=640&height=640&fit=bounds)
![Michael DeSa [InfluxData] | Monitoring Methodologies | InfluxDays Virtual Exp...](https://cdn.slidesharecdn.com/ss_thumbnails/monitoring-methodologies-michael-desa-200623172150-thumbnail.jpg?width=640&height=640&fit=bounds)
![Kristina Robinson [InfluxData] | Understand and Visualize Your Data with Infl...](https://cdn.slidesharecdn.com/ss_thumbnails/kristinarobinsonsildes1-210519102649-thumbnail.jpg?width=640&height=640&fit=bounds)
![Evan Kaplan [InfluxData] | InfluxDays Opening Remarks | InfluxDays EMEA 2021](https://cdn.slidesharecdn.com/ss_thumbnails/evankaplanslides-210519180533-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Giacomo Tirabassi [InfluxData] | Istio at InfluxData | InfluxDays Virtual Experience London 2020
![Ward Bowman [PTC] | ThingWorx Long-Term Data Storage with InfluxDB | InfluxDa...](https://cdn.slidesharecdn.com/ss_thumbnails/influxdays-221027185325-5d2f430b-thumbnail.jpg?width=640&height=640&fit=bounds)
![Steinkamp, Clifford [InfluxData] | Welcome to InfluxDays 2022 - Day 2 | Influ...](https://cdn.slidesharecdn.com/ss_thumbnails/influxdays2022welcometoday2-221020215815-c8463942-thumbnail.jpg?width=640&height=640&fit=bounds)
![Steinkamp, Clifford [InfluxData] | Closing Thoughts | InfluxDays 2022](https://cdn.slidesharecdn.com/ss_thumbnails/influxdays2022closingthoughtsday2-221020220104-abde55ea-thumbnail.jpg?width=640&height=640&fit=bounds)
![Steinkamp, Clifford [InfluxData] | Closing Thoughts Day 1 | InfluxDays 2022](https://cdn.slidesharecdn.com/ss_thumbnails/influxdays2022closingthoughtsday1-221020215301-f8040e1f-thumbnail.jpg?width=640&height=640&fit=bounds)
![Scott Anderson [InfluxData] | New & Upcoming Flux Features | InfluxDays 2022](https://cdn.slidesharecdn.com/ss_thumbnails/influxdays2022-fluxupdates-scott-221021210238-9d323cba-thumbnail.jpg?width=640&height=640&fit=bounds)
![Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]](https://cdn.slidesharecdn.com/ss_thumbnails/codedagentsdeck-251215155422-5497c599-thumbnail.jpg?width=640&height=640&fit=bounds)
Giacomo Tirabassi [InfluxData] | Istio at InfluxData | InfluxDays Virtual Experience London 2020
- 1.
- 2. © 2020 InfluxData.All rights reserved. 2 Who am I? Italian SRE @ InfluxData (keep Cloud2 running) Running Kubernetes since version 1.8 (weird flex but OK) Travel, eat, cook, repeat
- 3. © 2020 InfluxData.All rights reserved. 3 Agenda 1. What is a service mesh? 2. Why do we need a service mesh? 3. How do we run it? 4. Outcome 5. Roadmap
- 4. What is aservice mesh? Volume 1
- 5. © 2020 InfluxData.All rights reserved. 5 Alternatives ● Istio (Google) ● Linkerd (CNCF, Buoyant) ● Consul Connect (Hashicorp)
- 6. © 2020 InfluxData.All rights reserved. 6 What is a Service Mesh? Extract functionalities from application into the platform ● Networking: retries, timeout, rate limits, circuit breakers, canary ● Security: mTLS or JWT for authentication, authorization policies ● Observability: automatic tracing, access log, protocol specific metrics
- 7. © 2020 InfluxData.All rights reserved. Kubernetes : Linux Process = Istio : HTTP Request
- 8. © 2020 InfluxData.All rights reserved. 8 Why does it make sense? Extract functionalities from application into the platform ● Unix philosophy: “do one thing and do it well” ● Polyglot platforms: attempts like Hystrix don’t work if multiple languages are used ● Zero trust networks: just because it's in your VPC doesn't mean it's secure, reduce blast radius
- 9. © 2020 InfluxData.All rights reserved. 9 Let it sink in Platform All Apps
- 10. Why do weneed a service mesh? Volume 2
- 11. © 2020 InfluxData.All rights reserved. 1 Initial reasons ● Canary deployments ● Defining better SLAs and SLOs
- 12.
- 13. Moooar complexity Service Mesh CNI Kubernetes Containers LinuxOS Cloud Provider
- 14.
- 15. How do weinstall and run Istio? Volume 3
- 16. © 2020 InfluxData.All rights reserved. 1 Istio Deployment From version 1.2 to 1.4 ● We kept our fork of Helm installation in Jsonnet ●Configuration mess Version 1.5 and 1.6 ● Istio operator with istiod: single control plane component ● https://github.com/influxdata/helm-charts/tree/master/istio
- 17. © 2020 InfluxData.All rights reserved. 1 Prometheus-less deployment ● With istio-mixer (metrics aggregator) ○ Telegraf sidecar for istio-mixer to scrape metrics ● Without istio-mixer ○ Sidecar with telegraf-operator foristiod ○ telegraf-operator is used to add sidecar to every pod using istioto scrape `http://127.0.0.1:15090/stats/prometheus`
- 18. © 2020 InfluxData.All rights reserved. 1 Istio caused outage ● Running Istio 1.3 and defining a Kubernetes Service with port name `http` and port number `443` broke all communications from application in the mesh to external services exposed with https ● Upstream bug: https://github.com/istio/istio/issues/16458
- 19. © 2020 InfluxData.All rights reserved. 1 Istio caused outage ● Solved in 1.4 upstream ● We solved it with conftest
- 20.
- 21. © 2020 InfluxData.All rights reserved. 2
- 22. © 2020 InfluxData.All rights reserved. 22 sensitive
- 23. © 2020 InfluxData.All rights reserved. 23
- 24. © 2020 InfluxData.All rights reserved. 24
- 25. © 2020 InfluxData.All rights reserved. 25 Dashboards soon to be in https://github.com/influxdata/community-templates
- 26.
- 27. © 2020 InfluxData.All rights reserved. 2 Roadmap ( 1 of 3) ● Switch to mixer-less monitoring ● more services enrolled in the mesh ● ingress gateway ● configure tracing (flip the switch) ● enable access logs
- 28. © 2020 InfluxData.All rights reserved. 28 Roadmap ( 2 of 3) ● mTLS policy to STRICT which means that envoy will refuse all connections which are not over mTLS from within the MESH ● outbound traffic to REGISTRY_ONLY: this means that only endpoints inside of the mesh and in ServiceEntry are reachable by an app ● start using Egress Gateway for egress traffic out for alerts
- 29. © 2020 InfluxData.All rights reserved. 29 Roadmap ( 3 of 3) ● Sidecar CRD for all workloads (reduce number of connectionscross namespace) ● Start reducing cross service access with PeerAuthentication ● Cross Region Failover with multi-cluster configuration ● Contribute to Kiali to work with InfluxDB
- 30. © 2020 InfluxData.All rights reserved. 30 The End Twitter / Linkedin / Github @gitirabassi