The document discusses Istio, an open source service mesh that provides traffic management, service migration and monitoring for microservices. It provides an overview of key Istio concepts like the control plane, data plane and components like Envoy, Pilot and Mixer. It also includes steps to install Istio on GKE and deploy a sample Bookinfo application to demonstrate traffic routing and load balancing capabilities.
The concept of service mesh is one of the new technologies that have grown up around the container and micro-service model over the last couple of years, and Istio is the latest entry into this space. As Istio was recently included as an incubated project in the CNCF, many companies are now looking to it to provide a set of key functions to accelerate their micro-service application management model. Istio enables bi-directional authentication and security of service communication via TLS-based authentication and encryption, and at the same time is able to capture application-level communication statistics, improving the application development team's visibility into the otherwise difficult-to-track communication patterns. In this way, Istio acts like an application-level network, riding across the underlying capabilities of Kubernetes CNI-based networks and network policy. We will implement Istio on a GKE Kubernetes cluster, and instrument a simple application to get better insight into how Istio provides its capabilities.
Speaker Bio:
With over 20 years of experience as a systems reliability engineer, and a focus on automating not only application deployments but the underlying infrastructure as well, Robert Starmer brings a wealth of knowledge to the full application enablement stack. He has applied this knowledge in fields from high-performance computing to high-frequency trading environments, and everything in between. Robert also holds patents in network, data center, and application performance and scale enhancements. He is a Founder and the CTO at Kumulus Technologies, a DevOps, Systems Reliability Engineering and cloud computing consultancy. Additionally, Robert is an incurable photography nerd and has been known to stay up until dawn in remote locations to capture celestial time-lapses.
Presentation in IBM Cloud Meet-up of Toronto
https://www.meetup.com/IBM-Cloud-Toronto/events/253903913/?_xtd=gatlbWFpbF9jbGlja9oAJGU3NmM3ZjdmLWE2NzgtNGVlNC1iNGZiLTBlZGE5ZWM0NDZjOQ
Istio is a service mesh—a modernized service networking layer that provides a transparent and language-independent way to flexibly and easily automate application network functions. Istio is designed to run in a variety of environments: on-premise, cloud-hosted, in Kubernetes containers.
Service meshes are relatively new, extremely powerful and can be complex. There’s a lot of information out there on what a service mesh is and what it can do, but it’s a lot to sort through. Sometimes, it’s helpful to have a guide. If you’ve been asking questions like “What is a service mesh?” “Why would I use one?” “What benefits can it provide?” or “How did people even come up with the idea for service mesh?” then The Complete Guide to Service Mesh is for you.
- Archeology: before and without Kubernetes
- Deployment: kube-up, DCOS, GKE
- Core Architecture: the apiserver, the kubelet and the scheduler
- Compute Model: the pod, the service and the controller
Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2mcpD5B.
Oliver Gould talks about the Linkerd project, a service mesh hosted by the Cloud Native Computing Foundation, to give operators control over the traffic between their microservices. He shares the lessons they've learned helping dozens of organizations get to production with Linkerd and how they've applied these lessons to tackle complexity with Linkerd. Filmed at qconnewyork.com.
Oliver Gould is co-founder and CTO at Buoyant, Inc.
Istio is an open platform to connect, manage, and secure microservices.
This is presented at Bangalore Docker meetup #35.
https://www.meetup.com/Docker-Bangalore/events/244197013/
Kubernetes for Beginners: An Introductory Guide (Bytemark)
An introduction to Kubernetes for beginners. Includes the definition, architecture, benefits and misconceptions of Kubernetes. Written in plain English, ideal for both developers and non-developers who are new to Kubernetes.
Find out more about Kubernetes at Bytemark here: https://www.bytemark.co.uk/managed-kubernetes/
In this session, we’ll discuss the benefits of moving from monolithic to micro-services application architectures, and examine where micro-services can be used. We’ll share common transition strategies and relate them to the specifics of e-commerce and retail workloads, using customer examples. You’ll learn how to build micro-services using AWS services, and get a better understanding of the role of data storage, API endpoints and service discovery. Plus, you can learn from the real-life experience of Digital Goodie, an online retailing platform for connected commerce.
Istio is a service mesh, and it's a cool new project from Google, IBM, Lyft and others. This talk describes at a high level how Istio works as a sidecar, and how it works great with Weave Cloud, which provides visualization to understand what's going on when you deploy Istio, and long-term Prometheus metrics storage with its built-in Prometheus service.
Cloud Native Bern 05.2023 — Zero Trust Visibility (Raphaël PINSON)
As the adoption of Kubernetes continues to grow, so does the need for securing containerized applications and their data. One effective security model that has gained popularity is Zero Trust Networking, which assumes that all resources, devices and users are untrusted, and access to resources is granted only after proper authentication and authorization. However, implementing Zero Trust Networking in Kubernetes can be challenging, given the dynamic nature of containerized workloads and the complexity of network policies.
In this presentation, we will explore how to implement Zero Trust Networking in Kubernetes using Cilium, Hubble & Grafana. We will start by setting up Cilium on a Kubernetes cluster, which provides network security by enforcing identity-based access control policies using eBPF. Next, we will export Network Policy Verdict metrics using Hubble, which allows us to visualize network policies and track security events in real-time. Finally, we will use a Grafana dashboard to visualize these metrics and demonstrate how to secure a Kubernetes namespace without affecting existing traffic in the namespace.
By the end of this presentation, attendees will have a good understanding of the importance of Zero Trust Networking in Kubernetes and how to implement it using Cilium, Hubble & Grafana. They will also learn how to secure a Kubernetes namespace and monitor network policies using a Grafana dashboard.
** Kubernetes Certification Training: https://www.edureka.co/kubernetes-certification **
This Edureka tutorial on "Kubernetes Architecture" will give you an introduction to popular DevOps tool - Kubernetes, and will deep dive into Kubernetes Architecture and its working. The following topics are covered in this training session:
1. What is Kubernetes
2. Features of Kubernetes
3. Kubernetes Architecture and Its Components
4. Components of Master Node and Worker Node
5. ETCD
6. Network Setup Requirements
DevOps Tutorial Blog Series: https://goo.gl/P0zAfF
Comparison of Current Service Mesh Architectures (Mirantis)
Learn the differences between Envoy, Istio, Conduit, Linkerd and other service meshes and their components. Watch the recording including demo at: https://info.mirantis.com/service-mesh-webinar
Microservices, Kubernetes and Istio - A Great Fit! (Animesh Singh)
Microservices and containers are now influencing application design and deployment patterns. Sixty percent of all new applications will use cloud-enabled continuous delivery microservice architectures and containers. Service discovery, registration, and routing are fundamental tenets of microservices. Kubernetes provides a platform for running microservices. Kubernetes can be used to automate the deployment of Microservices and leverage features such as Kube-DNS, Config Maps, and Ingress service for managing those microservices. This configuration works fine for deployments up to a certain size. However, with complex deployments consisting of a large fleet of microservices, additional features are required to augment Kubernetes.
Istio Triangle Kubernetes Meetup Aug 2019 (Ram Vennam)
It's been two years since we introduced the Istio project to the Triangle Kubernetes Meetup group. This presentation will be a brief re-introduction of the Istio project, and a summary of the updates to the Istio project since its 1.0 release.
Introduction of the Red Hat OpenShift Service Mesh. What are service meshes? What is the difference between the Red Hat OpenShift Service Mesh and Istio?
FIWARE Global Summit - Building Production Grade IoT Platform Leveraging FIWARE (FIWARE)
Presentation by Parwinder Singh (Technical Specialist, NEC Technologies India Pvt Ltd.) and Satinder Jeet Singh (Group Project Manager, NEC Technologies India Pvt Ltd.)
FIWARE Global Summit
23-24 October 2019 - Berlin, Germany
MicroProfile as the Istio Programming Model | Virtual Eclipse Community Meetup (Stephanie Swart)
Istio, seen as the leading service mesh model, released its 1.0 in July 2018. It has generated massive interest, judging from conference talks and blogs. Have you ever wondered how you can develop a cloud-native microservice deployed on Istio and be confident about its performance? In other words, what is the programming model for developing such a cloud-native microservice? Eclipse MicroProfile comes to the rescue. In this session, we will look closely at the MicroProfile specifications and demonstrate, with a live demo, how MicroProfile can help a microservice perform well on Istio and utilize Istio features. After this session, you should understand Istio and MicroProfile and be able to design a simple microservice using MicroProfile and deploy it to Istio.
Managing microservices with Istio Service Mesh (Rafik HARABI)
Developing and managing hundreds (or maybe thousands) of microservices at scale is a challenge for both development and operations teams.
Over the last years we have seen the appearance of new frameworks dedicated to delivering ‘Cloud Native’ applications by providing a set of (out of the box) building blocks. Most of these frameworks integrate microservices concerns at the code level.
Recently, we have seen the emergence of a new pattern known as sidecar or proxy, which pushes all these common concerns outside of the business code and provides them at the edge by integrating a new layer into the underlying platform, called Service Mesh.
Istio is one of the leading service meshes implementing the sidecar pattern.
During the presentation we will go through the core concepts behind Istio, the capabilities it provides to manage, secure and observe microservices, and how it gives new breath to both developers and operations.
The presentation will be guided by a sequence of demos exposing Istio capabilities.
IPv6 Progress and Challenge in Chunghwa Telecom (APNIC)
IPv6 Progress and Challenge in Chunghwa Telecom, by Shih-Kang Wang.
A presentation given at APRICOT 2016’s IPv6 Readiness Measurement BoF and APIPv6TF session on 24 February 2016.
Sensors being provided for Bardhaman Bridge health monitoring (Rajesh Prasad)
For monitoring of the structural health of the bridge during its service life, 6 nos. sensors have been installed on the stay cables subjected to maximum loads.
Jakarta EE 10 - Simplicity for Modern and Lightweight Cloud (Ivar Grimstad)
Jakarta EE 10 is packed with new features for simple development of modern, lightweight enterprise Java applications for the Cloud. The new Jakarta EE Core Profile enables developers to develop microservices with Jakarta EE technologies with runtimes smaller than ever.
In this session, we will explore the new features of Jakarta EE 10 in an interactive way packed with live code demos. We will take a peek at what to expect from Jakarta EE 11.
Netflix is probably best known to most people as a streaming service provider. Many developers enjoy its open-source tools such as Eureka for service discovery and Hystrix for resilience. Accordingly, Netflix is also regarded as a pioneer in microservices and operations. With Spring Cloud Netflix, the corresponding Netflix components can be integrated, configured and used through a few simple annotations. However, Netflix has already discontinued further development of Eureka 2.0 and of Hystrix. As a result of this decision, Spring Cloud Netflix will likewise no longer be developed. This talk shows which alternatives Netflix itself proposes for building resilient cloud architectures. It covers the concepts and their integration, and how they can be combined into a sensible architecture. It also presents which out-of-the-box solutions are provided by PaaS offerings such as Cloud Foundry, distributed container environments such as Kubernetes, and service meshes, how these should be assessed and how they can be used.
Sunku Rangarnath on how service providers fail to implement complete service assurance solutions that encompass its 3 elements: monitoring, reporting on and provisioning the infrastructure. Service Assurance requires deeper tracking of infrastructure and service metrics, automated intervention on threshold violations using trend analysis against configured parameters, and finally configuring the hardware resources and service levels based on service priority.
This talk presents a range of closed loop platform automation domains, focusing on the real-time and near-real-time loops touching the platform. We discuss the integration of infrastructure telemetry, analytics and policy management interfaces, and introduce the concept of a Node Agent, using a noisy neighbor demo, for VM/container orchestrators to achieve intervention-free Closed Loop Automation based service assurance solutions.
Carrier WiFi Architecture presentation delivered during the 1st Cisco Student Network Day - CSND'14 at the Antonine University in Lebanon in collaboration with Cisco Networking Academy on Tuesday May 24th 2014.
The new frontiers of AI in RPA with UiPath Autopilot™ (UiPathCommunity)
In this free online event, organized by the Italian UiPath Community, you can explore the new features of Autopilot, the tool that integrates Artificial Intelligence into the development and use of automations.
📕 Together we will look at some examples of using Autopilot in different tools of the UiPath Suite:
Autopilot for Studio Web
Autopilot for Studio
Autopilot for Apps
Clipboard AI
GenAI applied to Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Generative AI Deep Dive: Advancing from Proof of Concept to Production (Aggregage)
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview, including the concepts of Customer Key and Double Key Encryption.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf (Paige Cruz)
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble... many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party and will share these foundational concepts to build on:
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
3. 2019/4/4 Istio Service Mesh Introduction
Required
- Basic knowledge of Kubernetes

Targets
People who:
- don't know Service Mesh
- have never used Istio

Contents
1. What is Service Mesh?
2. What is Istio?
3. Setup using Istio on GKE
4. Traffic Management

What is Service Mesh?

Microservices?
- Loosely coupled
- Independently deployable
- Organized around business capabilities
- Implemented using different programming languages
- Continuous delivery/deployment of large, complex applications

Service Mesh?
Describes the network of microservices that make up applications and the interactions between them
- Service Discovery
- Load Balancing
- Failure Recovery
- Metrics and Monitoring

Service Mesh?
More complex operational requirements
- A/B Testing
- Canary Rollouts
- Rate Limiting
- Access Control
- End-to-end Authentication

Istio
- Open source independent service mesh
- Deployed as sidecars in the Pods
- CNCF hosted project (Envoy)

Istio
Connect, secure, control, and observe services

Architecture
Data plane
- Envoy
Control plane
- Mixer
- Pilot
- Citadel
- Galley

Envoy
A high-performance proxy developed in C++
- Deployed as a sidecar in the Kubernetes Pod
- Add to an existing deployment with no need to rearchitect or rewrite code

Envoy
Features
- Dynamic Service Discovery
- Load Balancing
- TLS Termination
- HTTP/2 and gRPC proxies

Envoy
- Circuit Breakers
- Health Checks
- Staged Rollouts with %-based Traffic Split
- Fault Injection
- Rich Metrics

Mixer
- Responsible for providing policy controls and telemetry collection
- Enforces access control and usage policies across the service mesh
- Collects telemetry data from the Envoy proxy and other services
- Includes a flexible plugin model

Citadel
Strong service-to-service/end-user authentication with built-in identity and credential management

Galley
Istio’s configuration validation, ingestion, processing and distribution component

Setup using Istio on GKE

Set IAM
Set the default compute service account to include:
- roles/container.admin (Kubernetes Engine Admin)
- Editor (on by default)

Create a Cluster
- Need 4 nodes
- Check "Enable Istio (beta)" on Advanced options

Istio Resources
$ kubectl get svc -n istio-system
or
$ kubectl get po -n istio-system

Install Istio
1. Go to the Istio release page to download the installation file
2. Extract the downloaded installation file
3. Change directory to the root of the Istio installation
4. Add the istioctl client to the PATH:
$ export PATH=$PWD/bin:$PATH
30. 2019/4/4 Istio Service Mesh Introduction
127.0.0.1:5500/#54 30/58
Bookinfo
4 separate microservices:
Productpage
Details
Reviews
Ratings
30 / 58
31. 2019/4/4 Istio Service Mesh Introduction
127.0.0.1:5500/#54 31/58
Bookinfo
3 versions of the Reviews microservice:
Version v1
doesn’t call the ratings service
Version v2
calls the ratings service, and displays black stars
Version v3
calls the ratings service, and displays red stars
31 / 58
33. 2019/4/4 Istio Service Mesh Introduction
127.0.0.1:5500/#54 33/58
Resources
Confirm all services and pods are running:
$ kubectl get po,svc
33 / 58
34. 2019/4/4 Istio Service Mesh Introduction
127.0.0.1:5500/#54 34/58
Define Ingress Gateway
$ kubectl apply -f
samples/bookinfo/networking/bookinfo-gateway.yaml
$ kubectl get gateway
NAME AGE
bookinfo-gateway 17s
35. 2019/4/4 Istio Service Mesh Introduction
Control Ingress Traffic
36. 2019/4/4 Istio Service Mesh Introduction
Httpbin
HTTP testing service that can be used for experimenting
with all kinds of Istio features
$ kubectl apply -f samples/httpbin/httpbin.yaml
37. 2019/4/4 Istio Service Mesh Introduction
Set variables
Set the ingress IP and ports:
$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
40. 2019/4/4 Istio Service Mesh Introduction
Virtual Service
Contains the route rules that allow traffic for the path /headers
All other external requests will be rejected
$ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
$ curl -I http://$GATEWAY_URL/headers
HTTP/1.1 200 OK
...
$ curl -I http://$GATEWAY_URL/status
HTTP/1.1 404 Not Found
...
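An added example (not from the original slides): a shell check that the gateway still exposes only the paths the VirtualService is meant to allow, so an accidentally widened route shows up as drift. The helper names `http_status` and `check_ingress_paths` are hypothetical; `$GATEWAY_URL` is the variable exported above.

```shell
# Added example, not part of the original slides.
# Helper names are hypothetical; only curl is required.

# Print the HTTP status code for a URL ("000" if the connection fails).
http_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1" || true
}

# check_ingress_paths GATEWAY_URL PATH=CODE [PATH=CODE ...]
# Probes each path through the ingress gateway and compares the status
# code with the expected one. Prints one line per path and returns
# non-zero if any path answers differently from what was expected.
# The body runs in a subshell so its variables stay local.
check_ingress_paths() (
  gateway="$1"
  shift
  failures=0
  for spec in "$@"; do
    path="${spec%=*}"    # everything before the last "="
    want="${spec##*=}"   # expected status code after the last "="
    got="$(http_status "http://${gateway}${path}")"
    if [ "$got" = "$want" ]; then
      echo "ok    ${path} -> ${got}"
    else
      echo "DRIFT ${path} -> ${got} (expected ${want})"
      failures=$((failures + 1))
    fi
  done
  [ "$failures" -eq 0 ]
)

# Usage against the gateway configured on this slide:
#   check_ingress_paths "$GATEWAY_URL" /headers=200 /status=404
```

Run it after every change to the Gateway or VirtualService; a `DRIFT` line for a path expected to return 404 means the route rules now admit more than intended.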
41. 2019/4/4 Istio Service Mesh Introduction
Bookinfo Web Page
http://$GATEWAY_URL/productpage
42. 2019/4/4 Istio Service Mesh Introduction
Bookinfo Web Page
If you refresh the page several times, you should see
different versions of reviews shown in productpage,
presented in a round robin style
red stars
black stars
no stars
since we haven’t yet used Istio to control the version
routing.
43. 2019/4/4 Istio Service Mesh Introduction
Apply default destination rules
Create default destination rules for the Bookinfo services:
$ kubectl apply -f samples/bookinfo/networking/destination-rule-all.yaml
Display the destination rules:
$ kubectl get destinationrules -o yaml
45. 2019/4/4 Istio Service Mesh Introduction
Request routing
Introduces the concept of a service version:
Versions (v1, v2)
Environment (staging, prod)
Choose the service version dynamically based on the
routing rules that are specified by using Pilot
47. 2019/4/4 Istio Service Mesh Introduction
Request routing
Route to v1:
$ kubectl apply -f samples/bookinfo/networking/virtual-service-all-v1.yaml
Display the defined routes:
$ kubectl get virtualservices -o yaml
48. 2019/4/4 Istio Service Mesh Introduction
Discovery and load balancing
HTTP traffic is automatically re-routed through Envoy
3 load balancing modes:
Round robin
Random
Weighted least request
Checks the health of each instance
49. 2019/4/4 Istio Service Mesh Introduction
Discovery and load balancing
50. 2019/4/4 Istio Service Mesh Introduction
Discovery and load balancing
Apply weight-based routing:
Transfer 50% of the traffic from reviews:v1 to reviews:v3
$ kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml
Route based on user identity:
$ kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
51. 2019/4/4 Istio Service Mesh Introduction
Handling failures
Timeouts
Bounded retries with timeout budgets and variable jitter
between retries
Limits on number of concurrent connections and
requests to upstream services
Active (periodic) health checks on each member of the
load balancing pool
Fine-grained circuit breakers (passive health checks)
52. 2019/4/4 Istio Service Mesh Introduction
Fault injection
Test the end-to-end failure recovery capability
Protocol-specific fault injection into the network
instead of deleting pods or delaying/corrupting packets
2 types of faults
Delays: Timing failures (increased network latency /
overloaded upstream service)
Aborts: Crash failures (HTTP error codes / TCP
connection failures)
53. 2019/4/4 Istio Service Mesh Introduction
Canary rollout
Introduce a new version of a service by first testing it
using a small percentage of user traffic.
Kubernetes provides features that support canary rollout:
Uses instance scaling to manage the traffic distribution
Only supports a simple (random percentage) canary
rollout
54. 2019/4/4 Istio Service Mesh Introduction
Canary rollout
With Istio:
The number of pods is orthogonal to the control of
version traffic routing
Control fine-grained traffic percentages
(e.g. route 1% of traffic without requiring 100 pods)
Control traffic using other criteria
(e.g. route traffic for specific users)
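An added example (not from the original slides): a shell function that emits a weight-based VirtualService for a given canary percentage, showing that the split lives in the route weights, not in pod counts. The function name `canary_virtualservice` is hypothetical; the subsets are assumed to be defined already by the destination rules applied earlier.

```shell
# Added example, not part of the original slides.
# canary_virtualservice HOST STABLE_SUBSET CANARY_SUBSET CANARY_PERCENT
# Writes a VirtualService manifest to stdout. The two route weights always
# total 100, independent of how many pods back each subset.
# Assumption: both subsets already exist in a DestinationRule for HOST.
canary_virtualservice() (
  host="$1" stable="$2" canary="$3" pct="$4"
  # Accept only whole numbers 0-100 (no sign, no leading zeros), so a typo
  # cannot silently send most traffic to the canary.
  case "$pct" in
    ''|*[!0-9]*|0[0-9]*)
      echo "canary percent must be an integer 0-100" >&2; exit 2 ;;
  esac
  [ "$pct" -le 100 ] || { echo "canary percent must be <= 100" >&2; exit 2; }
  cat <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ${host}
spec:
  hosts:
  - ${host}
  http:
  - route:
    - destination:
        host: ${host}
        subset: ${stable}
      weight: $((100 - pct))
    - destination:
        host: ${host}
        subset: ${canary}
      weight: ${pct}
EOF
)

# Usage: send 1% of reviews traffic to v3 and keep 99% on v1:
#   canary_virtualservice reviews v1 v3 1 | kubectl apply -f -
```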