4. K8s Architecture
● Master (Supervisor)
○ api-server - exposes K8s APIs
○ etcd - distributed key-value storage
○ scheduler - selects a node to run a new pod
○ controller-manager - detects changes on nodes,
number of replicas, endpoint availability, changes to
service accounts, etc.
○ kube-dns - DNS service mapping services to pods
● Worker Nodes (hosting workload pods)
○ kubelet - runs containers based on Pod specs
○ kube-proxy - implements network rules
● Simple Setup - KubeAdm
○ KubeAdm Init (Master) / KubeAdm Join (each Worker)
source: kubernetes.io
5. Basic Concepts
● Pod
○ group of colocated containers - shared IP address and file system volumes
○ most commonly - 1 container : 1 pod, sidecar container pattern
● Pod Controllers - define a template to run multiple pods in a group
○ Deployment - to define multiple replicas (ReplicaSet)
○ DaemonSet - runs a copy of a pod on each node available to the cluster (i.e. daemon) - for monitoring, storage, etc.
○ StatefulSet - pods with persistent IDs to directly match resources (e.g. volumes)
● Service discovery and Load Balancing
○ Service - maps a DNS name to a set of Pods - can load balance them
● Storage
○ PersistentVolume (PV) - volume statically available to cluster or dynamically provisioned using a storage class
○ PersistentVolumeClaim (PVC) - request for storage resolved with a PV
○ StorageClass - describes a storage type: provisioner, parameters.type, reclaimPolicy
7. Istio
● Open-source service mesh
● Unifies ways of securing, connecting and monitoring microservices! (reference)
○ automatic load balancing for HTTP, gRPC, WebSocket, TCP traffic
○ fine-grained control of traffic (routing rules and policies, retries, failovers, fault injection)
○ policy layer supporting access control, rate limits and quotas
○ out-of-the-box metrics, logs, traces for all traffic across the cluster, including ingress and egress
○ secure service-to-service communication with strong identity-based authentication and authorization
● Collection of packages to be run on a K8s Cluster
8. Istio Architecture
1. Data Plane
a. Envoy Proxy injected as sidecar container
b. Traffic Routing + Telemetry
2. Control Plane
a. controls data plane configuration
b. comprises:
i. Pilot - acts on the configs. of Envoy Sidecars
ii. Citadel - Identity & Access Management (IAM)
iii. Galley - Overall Configuration Management
c. configuration propagation
i. input yaml detected by galley
ii. configuration converted to istio format
iii. istio format passed to pilot
iv. pilot converts it to envoy configuration
d. citadel - manages TLS/SSL certificates
source: istio.io
9. K8s Operators
● Software extensions to K8s meant for automation - original blog post
○ operator = custom resource definition (CRD) + controller
○ applicable if custom resources can be exposed via a CRUD (create, read, update, delete) REST API
■ resources no longer treated as collection of primitives (e.g. pods, deployment, services) but as a single
object exposing only what shall be controlled from outside
■ object integrated with K8s api (http+kubectl)
○ control loop monitoring changes on monitored resources
■ runs beside the control plane (running default controllers), e.g. as any deployment
■ very application specific - translates to primitive resources (e.g. pods)
● Implementation
○ As a client querying the kube api
○ using an SDK (e.g. KUDO, KubeBuilder, Metacontroller, Operator Framework)
○ e.g. OperatorFramework - GoLang, Ansible, Helm - implementation possibilities
10. Data Plane: The Envoy Proxy
● automatically injected as sidecar container for each pod - helper container design pattern
● Envoy proxy
○ Reverse Proxy in C++ from Lyft
○ Istio translates Yaml-based resource definitions into Envoy configurations automatically
11. Istio Setup
● Prerequisite - Running K8s cluster
○ Minikube/microK8s for dev
○ Rancher/Kubespray/KOPS for cloud-based
● Install istioctl CLI to
● Install istio (preferred as operator)
○ install using istioctl
○ install using Helm Chart
12. Istio Setup
Tutorial On Ubuntu:
sudo snap install microk8s --classic
microk8s.start
microk8s enable dns registry istio
microk8s kubectl get all --all-namespaces
Shortcut to kubectl for microk8s:
kubectl --kubeconfig file
alias mkctl="microk8s kubectl"
mkctl get pods
17. Traffic Management
● New entities introduced by Istio:
○ Virtual Service
■ a set of custom traffic routing rules to apply when a K8s service (host) is addressed on a specific protocol
■ the specification is per protocol (e.g. http, tcp) and can match a subset (i.e. service version)
■ the mapping subset/label (e.g. subset-version) for the service is defined as destination rule
○ Destination Rule
■ defines routing policies for a load balancer (somehow but not directly related to virtual service)
■ configures the load balancer, including settings for outlier detection to evict unhealthy hosts from the pool
○ Gateway
■ defines a load balancer placed at the edge of the mesh (i.e. as ingress/egress)
■ allows any virtual service in the same or a matching namespace (based on expression) to bind to it
18. Canary Releases
● Deploy new version alongside old version
○ Define availability for a percentage of requests - to test new version (like a pilot)
○ Useful for very busy services whose offtime is not an option - Reduce risk of deploying possibly faulty code
● No direct solution in K8s
○ Would mean a Service mapping to both the new and old version running on different pods
■ e.g. deployment has metadata.labels.app: service-name and service has spec.selector.app: service-name
■ any label can be used to group pods on a service, but kiali assigns to “app” a special meaning
■ a version label can be used along with the app one, to distinguish the version used within the deployment
○ Default - (probabilistic) round robin on pods - to implement a percentage would need a proportional number of pods
● Kiali UI: “Actions” > “Create Weighted Routing”
○ to create a virtual service and a destination rule to the pod groups (based on their version label)
● Yaml definition for a VirtualService
19. VirtualService
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: just-a-name-for-your-virtual-service
  namespace: default
spec:
  hosts:
    - your-service-name
  gateways: ~
  http:
    - route:
        - destination:
            host: your-target-service-name
            subset: v1-group
          weight: 10
        - destination:
            host: your-target-service-name
            subset: v2-group
          weight: 90
  tcp: ~
  tls: ~
  exportTo: ~
can be a subset on the same service host or even different services
just a name for a routing configuration!
● A Service maps a DNS name to a set of Pods (IP addrs)
● A VirtualService defines a set of routing rules (what/when to call)
● istio-pilot applies the VS spec as envoy configuration on istio each sidecar proxy
the service we apply the rules to - <svcname>.<nsname>.svc.cluster.local
we are intercepting traffic of the host svc and redirecting it to different ones
20. DestinationRule
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: just-a-name-for-a-destination-rule
  namespace: default
spec:
  host: service-name
  trafficPolicy: ~
  subsets:
  - labels:
      version: v1
    name: v1-group
  - labels:
      version: v2
    name: v2-group
● directly related to a virtual service
● can be used to affect the load balancing for the original service
defines which pods should be part of each subset for the VS:
● the service name matches the Service's selector.app: service-name
● labels.version looks up pods with the same label value for the key "version"
● the subset name is the one to be used in the VS
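An added example, not from the slides: a small Python lint that checks a canary VirtualService against its DestinationRule (subsets referenced by the VS exist, no two subsets select the same pods, weights add up). The objects mirror the YAML above as dicts; lint_canary, destination_rule and the sample data are constructed for this example.

```python
# Added example (not from the slides): lint a canary VirtualService against its DestinationRule.
# Field names follow the networking.istio.io/v1alpha3 schema; helpers and data are constructed here.

def lint_canary(vs, dr):
    """Return a list of problems; an empty list means the VS and DR are consistent."""
    problems = []
    dr_host = dr["spec"]["host"]
    subsets = {s["name"]: s.get("labels", {}) for s in dr["spec"].get("subsets", [])}
    seen = {}  # label set -> subset name, to catch two subsets selecting the same pods
    for name, labels in subsets.items():
        key = tuple(sorted(labels.items()))
        if not labels:
            problems.append("subset %r has no labels" % name)
        elif key in seen:
            problems.append("subsets %r and %r select the same labels %r" % (seen[key], name, labels))
        else:
            seen[key] = name
    for rule in vs["spec"].get("http", []):
        dests = rule.get("route", [])
        if len(dests) > 1:  # one destination needs no weight; several must add up to 100
            total = sum(d.get("weight", 0) for d in dests)
            if total != 100:
                problems.append("route weights add up to %d, not 100" % total)
        for d in dests:
            dest = d["destination"]
            if dest["host"] != dr_host:
                problems.append("destination host %r is not covered by DestinationRule host %r"
                                % (dest["host"], dr_host))
            elif "subset" in dest and dest["subset"] not in subsets:
                problems.append("subset %r is not defined in the DestinationRule" % dest["subset"])
    return problems

VIRTUAL_SERVICE = {  # constructed: the 10/90 canary from the VirtualService slide
    "apiVersion": "networking.istio.io/v1alpha3", "kind": "VirtualService",
    "metadata": {"name": "canary", "namespace": "default"},
    "spec": {"hosts": ["your-service-name"], "http": [{"route": [
        {"destination": {"host": "your-target-service-name", "subset": "v1-group"}, "weight": 10},
        {"destination": {"host": "your-target-service-name", "subset": "v2-group"}, "weight": 90},
    ]}]},
}

def destination_rule(v1_label="v1", v2_label="v2"):
    """Constructed DestinationRule; passing the same label twice reproduces a duplicated-label mistake."""
    return {"apiVersion": "networking.istio.io/v1alpha3", "kind": "DestinationRule",
            "metadata": {"name": "canary-dr", "namespace": "default"},
            "spec": {"host": "your-target-service-name", "subsets": [
                {"name": "v1-group", "labels": {"version": v1_label}},
                {"name": "v2-group", "labels": {"version": v2_label}}]}}
```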
21. Load Balancing
algorithms:
● round robin
● hashing-based (session affinity - same user to same svc/pod)
○ only for HTTP connections - a hash is used to route traffic
○ uses a hash of either an HTTP header, a cookie or the source IP
○ does not work with weighted routing (routing comes before hashing)
● locality-based - based on traffic origin
○ distribute policy - weights on zones/locations
○ failover policy - fail over when an endpoint becomes unhealthy
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: just-a-name-for-a-destination-rule
  namespace: default
spec:
  host: service-name
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
  subsets:
  - labels:
      version: v1
    name: v1-group
  - labels:
      version: v2
    name: v2-group
hashing-based alternative (cookie affinity) for the trafficPolicy above:
  trafficPolicy:
    loadBalancer:
      consistentHash:
        httpCookie:
          name: user
          ttl: 0s
locality-based alternative (distribute policy) for the trafficPolicy above:
  trafficPolicy:
    loadBalancer:
      localityLbSetting:
        distribute:
        - from: us-west/zone1/*
          to:
            "us-west/zone1/*": 80
            "us-west/zone2/*": 20
        - from: us-west/zone2/*
          to:
            "us-west/zone1/*": 20
            "us-west/zone2/*": 80
22. Ingress Gateways
● mesh edge - alternative to classic K8s Ingress Controllers
● istio-ingressgateway pod and service, ramped up during istio installation
● adds monitoring and the usual istio functionalities for traffic routing
● configured as any other istio service rather than as a tech-specific ingress controller
● by default denies all traffic
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ingress-gateway-configuration
spec:
  selector:
    istio: ingressgateway   # selects the default istio ingress gateway, which has this label set
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "whatever.com"   # list of DNS names we are listening for (or * if we are just testing locally)
                       # this has to be reflected on the virtual service
23. Exposed Virtual Service
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: just-a-name-for-your-virtual-service
  namespace: default
spec:
  hosts:
  - "whatever.com"   # a DNS name, or star to catch all (testing only!)
  gateways:
  - ingress-gateway-configuration
  http:
  - route:
    - destination:
        host: your-target-service-name
        subset: v1-group
      weight: 10
    - destination:
        host: your-target-service-name
        subset: v2-group
      weight: 90
  tcp: ~
  tls: ~
  exportTo: ~
richer http section of the same VirtualService (matching, rewrite and fault injection):
  http:
  - name: "whatever-name"
    match:   # exact-, prefix- or regex-based routing on incoming requests
    - uri:   # e.g. useful for testing a Dark Release directly online
        prefix: "/something"
    - uri:
        prefix: "/else"
    rewrite:   # HTTP rewrite
      uri: "/newuri"
    route:
    - destination:
        host: your-target-service-name
        subset: v2-group
      weight: 90
    fault:   # fault injection to test reliability - delay or abort requests
      delay:
        percentage:
          value: 10.0
        fixedDelay: 10s
24. Circuit Breakers
● Problem: Cascading Failures
○ Unpredictable failure on a service which affects all dependent services
○ When this happens, it’s difficult to understand root cause because many services perform badly
● Solution: Circuit Breaking
○ Design Pattern - the breaker sits as a relay between two services and is able to detect failing requests
○ Upon detected failures (e.g. timeouts on multiple requests) it can interrupt the connection and return an error from then on
○ By preventing access to the faulty service we give it enough time to recover from the failure (e.g. OOM)
○ Periodic polling for the health of the target service; when it is available again, the connection can be restored
● Main Concept - Backpressure: reduce traffic to the faulty system, assuming failures result from a lack of resources
○ historically - circuit breakers as a library built into the application code (of the requesting service) - e.g. Netflix Hystrix
■ problems - multiple languages to maintain, and legacy code to which it has to be added (needs redeployment)
○ istio - circuit breakers can be managed directly by the proxy
■ stops making requests to a pod if multiple consecutive faulty requests were made (works at pod level)
25. Circuit Breakers
● outlier detection on a DestinationRule
● configuration applied to a Service (i.e. host)
● metrics collected at pod level
● errors:
○ consecutiveGatewayErrors (HTTP 502, 503 and 504 - no 505!)
○ consecutive5xxErrors (all 5xx errors!)
● settings:
○ number of consecutive errors
○ time interval for consecutive errors
○ ejection duration
○ maxEjectionPercent - maximum % of ejected hosts in the pool
○ minHealthPercent - apply ejection only if at least this % of the pool is healthy
● use a tool like fortio to generate load and test them
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews-cb-policy
spec:
  host: reviews.prod.svc.cluster.local
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http2MaxRequests: 1000
        maxRequestsPerConnection: 10
    outlierDetection:
      consecutiveErrors: 7
      interval: 5m
      baseEjectionTime: 15m
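An added example, not from the slides: a simplified Python model of the outlier detection the DestinationRule above configures, showing how consecutive errors per pod trip an ejection, how a success resets the streak, and why consecutiveGatewayErrors ignores a 505 while consecutive5xxErrors counts it. OutlierDetection, Host and Pool are constructed here; the ejection rules (ejection time growing with each ejection, at least one host always ejectable, ejection suspended below minHealthPercent) are a simplification of Envoy's behaviour, and the sweep interval is not modelled.

```python
# Added example (not from the slides): simplified model of Envoy outlier detection
# as configured by a DestinationRule; classes and scenario are constructed here.
from dataclasses import dataclass

GATEWAY_ERRORS = {502, 503, 504}  # what consecutiveGatewayErrors counts (505 is only a 5xx)

@dataclass
class OutlierDetection:
    consecutive_5xx: int = 5              # consecutive5xxErrors (Istio default 5)
    consecutive_gateway: int = 0          # consecutiveGatewayErrors; 0 disables this counter
    base_ejection_seconds: float = 30.0   # baseEjectionTime; grows with each ejection of a host
    max_ejection_percent: int = 10        # maxEjectionPercent; one host can always be ejected
    min_health_percent: int = 0           # minHealthPercent; below it ejection is suspended

@dataclass
class Host:
    name: str
    streak_5xx: int = 0
    streak_gw: int = 0
    ejected_until: float = 0.0
    ejections: int = 0

class Pool:
    def __init__(self, names, od):
        self.hosts, self.od = [Host(n) for n in names], od

    def healthy(self, now):
        return [h.name for h in self.hosts if h.ejected_until <= now]

    def _may_eject(self, now):
        total, healthy = len(self.hosts), len(self.healthy(now))
        if healthy * 100 < self.od.min_health_percent * total:
            return False  # pool too unhealthy: ejection suspended, traffic keeps flowing
        return healthy == total or (total - healthy) * 100 < self.od.max_ejection_percent * total

    def observe(self, now, name, status):  # record one response; True if the pod got ejected now
        h = next(x for x in self.hosts if x.name == name)
        if status < 500:
            h.streak_5xx = h.streak_gw = 0  # any success resets both streaks
            return False
        h.streak_5xx += 1
        h.streak_gw = h.streak_gw + 1 if status in GATEWAY_ERRORS else 0
        tripped = h.streak_5xx >= self.od.consecutive_5xx or 0 < self.od.consecutive_gateway <= h.streak_gw
        if not tripped or h.ejected_until > now or not self._may_eject(now):
            return False
        h.ejections += 1
        h.ejected_until = now + self.od.base_ejection_seconds * h.ejections
        h.streak_5xx = h.streak_gw = 0
        return True
```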
27. TLS Encryption
● enable mutual TLS (mTLS) for proxy-to-proxy communication
● managed by citadel
● performed at transport layer - usable for HTTP, TCP, gRPC
● can be enforced as a policy - prevents any non-TLS traffic across the cluster
● automatically enabled at istio installation!
● check Kiali for the lock symbol on edges
● Permissive vs. Strict mTLS
○ permissive - allows querying istio-based services (i.e., their proxies) from other namespaces where proxy injection is not available - the connection can't be upgraded to TLS, so it is kept unsecured in plain text (e.g. HTTP)
○ strict - only allows mTLS traffic - enabled with a PeerAuthentication whose spec.mtls.mode is set to STRICT
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT