Kyohei Mizumoto, profile picture
Uploaded byKyohei Mizumoto
PDF, PPTX3,133 views

Istio service mesh introduction

The document discusses Istio, an open source service mesh that provides traffic management, service migration and monitoring for microservices. It provides an overview of key Istio concepts like the control plane, data plane and components like Envoy, Pilot and Mixer. It also includes steps to install Istio on GKE and deploy a sample Bookinfo application to demonstrate traffic routing and load balancing capabilities.

Embed presentation

Download as PDF, PPTX
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 1/58 Istio Service Mesh Introduction 1 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 2/58 Kyohei Mizumoto(@kyohmizu) C# Software Engineer Interests Docker/Kubernetes Go Security whoami 2 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 3/58 Required Basic knowledge of Kubernetes Targets People who: don't know Service Mesh have never used Istio 3 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 4/58 Contents 1. What is Service Mesh? 2. What is Istio? 3. Setup using Istio on GKE 4. Traffic Management 4 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 5/58 What is Service Mesh? 5 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 6/58 Microservices? Loosely coupled Independently deployable Organized around business capabilities Implemented using different programming languages Continuous delivery/deployment of large, complex applications 6 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 7/58 Service Mesh? Describe the network of microservices that make up applications and the interactions between them Service Discovery Load Balancing Failure Recovery Metrics and Monitoring 7 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 8/58 Service Mesh? More complex operational requirements A/B Testing Canary Rollouts Rate Limiting Access Control End-to-end Authentication 8 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 9/58 What is Istio? 9 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 10/58 Open source independent service mesh Deployed as sidecars in the Pods CNCF hosted project(Envoy) Istio 10 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 11/58 Istio Connect, secure, control, and observe services 11 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 12/58 Architecture 12 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 13/58 Architecture Data plane Envoy Control plane Mixer Pilot Citadel Galley 13 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 14/58 Deployed as a sidecar in the Kubernetes Pod Add to an existing deployment with no need to rearchitect or rewrite code Envoy A high-performance proxy developed in C++ 14 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 15/58 Envoy Features Dynamic Service Discovery Load Balancing TLS Termination HTTP/2 and gRPC proxies 15 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 16/58 Envoy Circuit Breakers Health Checks Staged Rollouts with %-based Traffic Split Fault Injection Rich Metrics 16 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 17/58 Mixer Responsible for providing policy controls and telemetry collection Enforces access control and usage policies across the service mesh Collects telemetry data from the Envoy proxy and other services Includes a flexible plugin model 17 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 18/58 Mixer 18 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 19/58 Pilot Provides service discovery for: Envoy sidecars Traffic management capabilities for intelligent routing (e.g. A/B Tests, Canary Rollouts) Resiliency (e.g. Timeouts, Retries, Circuit Breakers) 19 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 20/58 Pilot 20 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 21/58 Citadel Strong service-to-service/end-user authentication with built-in identity and credential management Galley Istio’s configuration validation, ingestion, processing and distribution component 21 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 22/58 Setup using Istio on GKE 22 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 23/58 Set IAM Set the default compute service account to include: roles/container.admin (Kubernetes Engine Admin) Editor (on by default) 23 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 24/58 Set IAM 24 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 25/58 Create a Cluster Need 4 nodes Check "Enable Istio (beta)" on Advanced options 25 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 26/58 Istio Resources $ kubectl get svc -n istio-system or $ kubectl get po -n istio-system 26 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 27/58 Install Istio 1. Go to the Istio release page to download the installation file 2. Extract the downloaded installation file 3. Change directory to the root of the Istio installation 4. Add the istioctl client to the PATH: $ export PATH=$PWD/bin:$PATH 27 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 28/58 Sample Application 28 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 29/58 Bookinfo Ratings Details Ruby Product page Reviews-v3 Reviews-v2 Reviews-v1 Requests 29 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 30/58 Bookinfo 4 separate microservices: Productpage Details Reviews Ratings 30 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 31/58 Bookinfo 3 versions of the Reviews microservice: Version v1 doesn’t call the ratings service Version v2 calls the ratings service, and displays black stars Version v3 calls the ratings service, and displays red stars 31 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 32/58 Deploy Enable automatic sidecar injection: $ kubectl label namespace default istio-injection=enabled Deploy the application using kubectl: $ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml 32 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 33/58 Resources Confirm all services and pods are running: $ kubectl get po,svc 33 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 34/58 Define Ingress Gateway $ kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml $ kubectl get gateway NAME AGE bookinfo-gateway 17s 34 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 35/58 Control Ingress Traffic 35 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 36/58 Httpbin HTTP testing service that can be used for experimenting with all kinds of Istio features $ kubectl apply -f samples/httpbin/httpbin.yaml 36 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 37/58 Set variables Set the ingress IP and ports: $ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}') $ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}') $ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}') 37 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 38/58 Create an Istio Gateway kubectl apply -f - <<EOF apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: httpbin-gateway spec: selector: istio: ingressgateway # use Istio default gateway implementation servers: - port: number: 80 name: http protocol: HTTP hosts: - "*" EOF 38 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 39/58 Configure routes kubectl apply -f - <<EOF apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: httpbin spec: hosts: - "*" gateways: - httpbin-gateway http: - match: - uri: prefix: /headers route: - destination: port: number: 8000 host: httpbin EOF 39 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 40/58 Virtual Service Contains the route rules that Allows traffic for path /headers All other external requests will be rejected $ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT $ $ curl -I http://$GATEWAY_URL/headers HTTP/1.1 200 OK ... $ $ curl -I http://$GATEWAY_URL/status HTTP/1.1 404 Not Found ... 40 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 41/58 Bookinfo Web Page http://$GATEWAY_URL/productpage 41 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 42/58 Bookinfo Web Page If you refresh the page several times, you should see different versions of reviews shown in productpage, presented in a round robin style red stars black stars no stars since we haven’t yet used Istio to control the version routing. 42 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 43/58 Apply default destination rules Create default destination rules for the Bookinfo services: $ kubectl apply -f samples/bookinfo/networking/destination-rule-all.yaml Display the destination rules: $ kubectl get destinationrules -o yaml 43 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 44/58 Traffic Management 44 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 45/58 Request routing Introduces the concept of a service version: Versions (v1, v2) Environment (staging, prod) Choose service version dynamically based on the routing rules that specified by using Pilot 45 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 46/58 Request routing 46 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 47/58 Request routing Route to v1: $ kubectl apply -f samples/bookinfo/networking/virtual-service-all-v1.yaml Display the defined routes: $ kubectl get virtualservices -o yaml 47 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 48/58 Discovery and load balancing HTTP traffic is automatically re-routed through Envoy 3 load balancing modes: Round robin Random Weighted least request Checks the health of each instance 48 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 49/58 Discovery and load balancing 49 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 50/58 Discovery and load balancing Apply weight-based routing: Transfer 50% of the traffic from reviews:v1 to reviews:v3 $ kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml Route based on user identity: $ kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml 50 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 51/58 Handling failures Timeouts Bounded retries with timeout budgets and variable jitter between retries Limits on number of concurrent connections and requests to upstream services Active (periodic) health checks on each member of the load balancing pool Fine-grained circuit breakers (passive health checks) 51 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 52/58 Fault injection Test the end-to-end failure recovery capability Protocol-specific fault injection into the network instead of deleting pods/ delaying/ corrupting packets 2 types of faults Delays: Timing failures (Increased network latency/ Overloaded upstream service) Aborts: Crash failures (HTTP error codes/ TCP connection failures) 52 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 53/58 Canary rollout Introduce a new version of a service by first testing it using a small percentage of user traffic. Kubernetes provides features that support canary rollout: Uses instance scaling to manage the traffic distribution Only supports a simple (random percentage) canary rollout 53 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 54/58 Canary rollout With Istio: The number of pods are orthogonal to the control of version traffic routing Control fine grain traffic percentages (e.g. route 1% of traffic without requiring 100 pods) Control traffic using other criteria (e.g. route traffic for specific users) 54 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 55/58 Books 55 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 56/58 Links Microservice Architecture https://microservices.io/index.html Istio.io https://istio.io/ Istio Solutions | Google Cloud https://cloud.google.com/istio/ Istioサービスメッシュ⼊⾨ https://www.slideshare.net/yokawasa/istio-114360124 56 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 57/58 Links Installing Istio on GKE https://cloud.google.com/istio/docs/istio-on-gke/installing Install Istio on the Google Kubernetes Engine https://istio.io/docs/setup/kubernetes/install/platform/gke/ Bookinfo Application https://istio.io/docs/examples/bookinfo/ 57 / 58
2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 58/58 Thank You! 58 / 58

More Related Content

PPTX
ISTIO Deep Dive
byYong Feng
 
PDF
Introduction to Istio Service Mesh
byGeorgios Andrianakis
 
PDF
Istio : Service Mesh
byKnoldus Inc.
 
PDF
Service Mesh on Kubernetes with Istio
byMichelle Holley
 
PPTX
Microservices With Istio Service Mesh
byNatanael Fonseca
 
PDF
Istio Service Mesh for Developers and Platform Engineers
bySaiLinnThu2
 
PDF
Comparing Sidecar-less Service Mesh from Cilium and Istio
byChristian Posta
 
PDF
The Future of Service Mesh
byAll Things Open
 
ISTIO Deep Dive
byYong Feng
 
Introduction to Istio Service Mesh
byGeorgios Andrianakis
 
Istio : Service Mesh
byKnoldus Inc.
 
Service Mesh on Kubernetes with Istio
byMichelle Holley
 
Microservices With Istio Service Mesh
byNatanael Fonseca
 
Istio Service Mesh for Developers and Platform Engineers
bySaiLinnThu2
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
byChristian Posta
 
The Future of Service Mesh
byAll Things Open
 

What's hot

PPTX
Service mesh
byArnab Mitra
 
PDF
The Complete Guide to Service Mesh
byAspen Mesh
 
PDF
What Is Helm
byAMELIAOLIVIA2
 
PPTX
Istio a service mesh
byChandresh Pancholi
 
PDF
Kubernetes Deployment Strategies
byAbdennour TM
 
PDF
Red Hat OpenShift Container Platform Overview
byJames Falkner
 
PDF
OpenShift 4, the smarter Kubernetes platform
byKangaroot
 
PDF
Getting Started with Kubernetes
byVMware Tanzu
 
PPTX
Kubernetes for Beginners: An Introductory Guide
byBytemark
 
PDF
OpenTelemetry Introduction
byDimitrisFinas1
 
PPTX
Kubernetes Introduction
byEric Gustafson
 
PPTX
Terraform Basics
byMohammed Fazuluddin
 
PPTX
Introduction to microservices
byPaulo Gandra de Sousa
 
PPTX
Introduction to helm
byJeeva Chelladhurai
 
PDF
Kubernetes
byMeng-Ze Lee
 
PDF
Helm 3
byMatthew Farina
 
PDF
Observability, Distributed Tracing, and Open Source: The Missing Primer
byVMware Tanzu
 
PDF
OSMC 2022 | OpenTelemetry 101 by Dotan Horovit s.pdf
byNETWAYS
 
PPTX
Prometheus and Grafana
byLhouceine OUHAMZA
 
PDF
Monitoring Kubernetes with Prometheus
byGrafana Labs
 
Service mesh
byArnab Mitra
 
The Complete Guide to Service Mesh
byAspen Mesh
 
What Is Helm
byAMELIAOLIVIA2
 
Istio a service mesh
byChandresh Pancholi
 
Kubernetes Deployment Strategies
byAbdennour TM
 
Red Hat OpenShift Container Platform Overview
byJames Falkner
 
OpenShift 4, the smarter Kubernetes platform
byKangaroot
 
Getting Started with Kubernetes
byVMware Tanzu
 
Kubernetes for Beginners: An Introductory Guide
byBytemark
 
OpenTelemetry Introduction
byDimitrisFinas1
 
Kubernetes Introduction
byEric Gustafson
 
Terraform Basics
byMohammed Fazuluddin
 
Introduction to microservices
byPaulo Gandra de Sousa
 
Introduction to helm
byJeeva Chelladhurai
 
Kubernetes
byMeng-Ze Lee
 
Helm 3
byMatthew Farina
 
Observability, Distributed Tracing, and Open Source: The Missing Primer
byVMware Tanzu
 
OSMC 2022 | OpenTelemetry 101 by Dotan Horovit s.pdf
byNETWAYS
 
Prometheus and Grafana
byLhouceine OUHAMZA
 
Monitoring Kubernetes with Prometheus
byGrafana Labs
 

Similar to Istio service mesh introduction

PDF
Introduction to Istio on Kubernetes
byJonh Wendell
 
PPTX
Anton Grishko "Multi-cloud with Google Anthos, Kubernetes and Istio. How to s...
byFwdays
 
PPTX
Kubernetes And Istio and Azure AKS DevOps
byOfir Makmal
 
PDF
Introduction-to-Service-Mesh-with-Istio-and-Kiali-OSS-Japan-July-2019.pdf
byTinaCondrache1
 
PDF
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
byCodeOps Technologies LLP
 
PDF
Service Mesh in Practice
byBallerina
 
PDF
Service mesh on Kubernetes - Istio 101
byHuy Vo
 
PDF
Istio Triangle Kubernetes Meetup Aug 2019
byRam Vennam
 
PDF
How to Make Istio Work with Your App
byKarenBruner
 
PDF
How to Make Istio Work with Your App
byStackRox
 
PDF
Managing microservices with Istio Service Mesh
byRafik HARABI
 
PPTX
Javantura v6 - Istio Service Mesh - The magic between your microservices - Ma...
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
PDF
Microservice: the phanot menace. Istio Service Mesh: the new hope. JEEConf 2019
bySergii Bishyr
 
PDF
Introduction-to-Service-Mesh-with-Istio-and-Kiali-OSS-Japan-July-2019.pdf
byALVAROEMMANUELSOCOPP
 
PDF
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
byMichael Man
 
PDF
OSS Japan 2019 service mesh bridging Kubernetes and legacy
bySteve Wong
 
PPTX
Service Meshes with Istio
byRandyGupta
 
PDF
Managing Microservices With The Istio Service Mesh on Kubernetes
byIftach Schonbaum
 
PPTX
Docker Dublin: Just What is a Service Mesh, and if I get one will it make eve...
byElton Stoneman
 
PPTX
Microservices on kubernetes
byChandresh Pancholi
 
Introduction to Istio on Kubernetes
byJonh Wendell
 
Anton Grishko "Multi-cloud with Google Anthos, Kubernetes and Istio. How to s...
byFwdays
 
Kubernetes And Istio and Azure AKS DevOps
byOfir Makmal
 
Introduction-to-Service-Mesh-with-Istio-and-Kiali-OSS-Japan-July-2019.pdf
byTinaCondrache1
 
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
byCodeOps Technologies LLP
 
Service Mesh in Practice
byBallerina
 
Service mesh on Kubernetes - Istio 101
byHuy Vo
 
Istio Triangle Kubernetes Meetup Aug 2019
byRam Vennam
 
How to Make Istio Work with Your App
byKarenBruner
 
How to Make Istio Work with Your App
byStackRox
 
Managing microservices with Istio Service Mesh
byRafik HARABI
 
Javantura v6 - Istio Service Mesh - The magic between your microservices - Ma...
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Microservice: the phanot menace. Istio Service Mesh: the new hope. JEEConf 2019
bySergii Bishyr
 
Introduction-to-Service-Mesh-with-Istio-and-Kiali-OSS-Japan-July-2019.pdf
byALVAROEMMANUELSOCOPP
 
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
byMichael Man
 
OSS Japan 2019 service mesh bridging Kubernetes and legacy
bySteve Wong
 
Service Meshes with Istio
byRandyGupta
 
Managing Microservices With The Istio Service Mesh on Kubernetes
byIftach Schonbaum
 
Docker Dublin: Just What is a Service Mesh, and if I get one will it make eve...
byElton Stoneman
 
Microservices on kubernetes
byChandresh Pancholi
 

More from Kyohei Mizumoto

PDF
Multi cluster management with rancher
byKyohei Mizumoto
 
PDF
Introduction of cloud native CI/CD on kubernetes
byKyohei Mizumoto
 
PDF
Windowsコンテナ入門
byKyohei Mizumoto
 
PDF
Introduction to telepresence
byKyohei Mizumoto
 
PDF
Git入門
byKyohei Mizumoto
 
PDF
Deploy Mattermost on AKS
byKyohei Mizumoto
 
PDF
Kubernetes monitoring introduction
byKyohei Mizumoto
 
PDF
Recap of de code 2019
byKyohei Mizumoto
 
PDF
Kubernetes logging introduction
byKyohei Mizumoto
 
PDF
Running k3s on raspberry pi
byKyohei Mizumoto
 
Multi cluster management with rancher
byKyohei Mizumoto
 
Introduction of cloud native CI/CD on kubernetes
byKyohei Mizumoto
 
Windowsコンテナ入門
byKyohei Mizumoto
 
Introduction to telepresence
byKyohei Mizumoto
 
Git入門
byKyohei Mizumoto
 
Deploy Mattermost on AKS
byKyohei Mizumoto
 
Kubernetes monitoring introduction
byKyohei Mizumoto
 
Recap of de code 2019
byKyohei Mizumoto
 
Kubernetes logging introduction
byKyohei Mizumoto
 
Running k3s on raspberry pi
byKyohei Mizumoto
 

Recently uploaded

PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
December Patch Tuesday
byIvanti
 
PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
API-First Architecture in Financial Systems
bycyy111112
 
December Patch Tuesday
byIvanti
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
software-security-intro in information security.ppt
byismaeelsahib032
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 

Istio service mesh introduction

  • 1.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 1/58 Istio Service Mesh Introduction 1 / 58
  • 2.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 2/58 Kyohei Mizumoto(@kyohmizu) C# Software Engineer Interests Docker/Kubernetes Go Security whoami 2 / 58
  • 3.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 3/58 Required Basic knowledge of Kubernetes Targets People who: don't know Service Mesh have never used Istio 3 / 58
  • 4.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 4/58 Contents 1. What is Service Mesh? 2. What is Istio? 3. Setup using Istio on GKE 4. Traffic Management 4 / 58
  • 5.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 5/58 What is Service Mesh? 5 / 58
  • 6.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 6/58 Microservices? Loosely coupled Independently deployable Organized around business capabilities Implemented using different programming languages Continuous delivery/deployment of large, complex applications 6 / 58
  • 7.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 7/58 Service Mesh? Describe the network of microservices that make up applications and the interactions between them Service Discovery Load Balancing Failure Recovery Metrics and Monitoring 7 / 58
  • 8.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 8/58 Service Mesh? More complex operational requirements A/B Testing Canary Rollouts Rate Limiting Access Control End-to-end Authentication 8 / 58
  • 9.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 9/58 What is Istio? 9 / 58
  • 10.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 10/58 Open source independent service mesh Deployed as sidecars in the Pods CNCF hosted project(Envoy) Istio 10 / 58
  • 11.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 11/58 Istio Connect, secure, control, and observe services 11 / 58
  • 12.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 12/58 Architecture 12 / 58
  • 13.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 13/58 Architecture Data plane Envoy Control plane Mixer Pilot Citadel Galley 13 / 58
  • 14.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 14/58 Deployed as a sidecar in the Kubernetes Pod Add to an existing deployment with no need to rearchitect or rewrite code Envoy A high-performance proxy developed in C++ 14 / 58
  • 15.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 15/58 Envoy Features Dynamic Service Discovery Load Balancing TLS Termination HTTP/2 and gRPC proxies 15 / 58
  • 16.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 16/58 Envoy Circuit Breakers Health Checks Staged Rollouts with %-based Traffic Split Fault Injection Rich Metrics 16 / 58
  • 17.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 17/58 Mixer Responsible for providing policy controls and telemetry collection Enforces access control and usage policies across the service mesh Collects telemetry data from the Envoy proxy and other services Includes a flexible plugin model 17 / 58
  • 18.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 18/58 Mixer 18 / 58
  • 19.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 19/58 Pilot Provides service discovery for: Envoy sidecars Traffic management capabilities for intelligent routing (e.g. A/B Tests, Canary Rollouts) Resiliency (e.g. Timeouts, Retries, Circuit Breakers) 19 / 58
  • 20.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 20/58 Pilot 20 / 58
  • 21.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 21/58 Citadel Strong service-to-service/end-user authentication with built-in identity and credential management Galley Istio’s configuration validation, ingestion, processing and distribution component 21 / 58
  • 22.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 22/58 Setup using Istio on GKE 22 / 58
  • 23.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 23/58 Set IAM Set the default compute service account to include: roles/container.admin (Kubernetes Engine Admin) Editor (on by default) 23 / 58
  • 24.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 24/58 Set IAM 24 / 58
  • 25.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 25/58 Create a Cluster Need 4 nodes Check "Enable Istio (beta)" on Advanced options 25 / 58
  • 26.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 26/58 Istio Resources $ kubectl get svc -n istio-system or $ kubectl get po -n istio-system 26 / 58
  • 27.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 27/58 Install Istio 1. Go to the Istio release page to download the installation file 2. Extract the downloaded installation file 3. Change directory to the root of the Istio installation 4. Add the istioctl client to the PATH: $ export PATH=$PWD/bin:$PATH 27 / 58
  • 28.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 28/58 Sample Application 28 / 58
  • 29.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 29/58 Bookinfo Ratings Details Ruby Product page Reviews-v3 Reviews-v2 Reviews-v1 Requests 29 / 58
  • 30.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 30/58 Bookinfo 4 separate microservices: Productpage Details Reviews Ratings 30 / 58
  • 31.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 31/58 Bookinfo 3 versions of the Reviews microservice: Version v1 doesn’t call the ratings service Version v2 calls the ratings service, and displays black stars Version v3 calls the ratings service, and displays red stars 31 / 58
  • 32.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 32/58 Deploy Enable automatic sidecar injection: $ kubectl label namespace default istio-injection=enabled Deploy the application using kubectl: $ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml 32 / 58
  • 33.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 33/58 Resources Confirm all services and pods are running: $ kubectl get po,svc 33 / 58
  • 34.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 34/58 Define Ingress Gateway $ kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml $ kubectl get gateway NAME AGE bookinfo-gateway 17s 34 / 58
  • 35.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 35/58 Control Ingress Traffic 35 / 58
  • 36.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 36/58 Httpbin HTTP testing service that can be used for experimenting with all kinds of Istio features $ kubectl apply -f samples/httpbin/httpbin.yaml 36 / 58
  • 37.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 37/58 Set variables Set the ingress IP and ports: $ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}') $ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}') $ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}') 37 / 58
  • 38.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 38/58 Create an Istio Gateway kubectl apply -f - <<EOF apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: httpbin-gateway spec: selector: istio: ingressgateway # use Istio default gateway implementation servers: - port: number: 80 name: http protocol: HTTP hosts: - "*" EOF 38 / 58
  • 39.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 39/58 Configure routes kubectl apply -f - <<EOF apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: httpbin spec: hosts: - "*" gateways: - httpbin-gateway http: - match: - uri: prefix: /headers route: - destination: port: number: 8000 host: httpbin EOF 39 / 58
  • 40.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 40/58 Virtual Service Contains the route rules that Allows traffic for path /headers All other external requests will be rejected $ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT $ $ curl -I http://$GATEWAY_URL/headers HTTP/1.1 200 OK ... $ $ curl -I http://$GATEWAY_URL/status HTTP/1.1 404 Not Found ... 40 / 58
  • 41.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 41/58 Bookinfo Web Page http://$GATEWAY_URL/productpage 41 / 58
  • 42.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 42/58 Bookinfo Web Page If you refresh the page several times, you should see different versions of reviews shown in productpage, presented in a round robin style red stars black stars no stars since we haven’t yet used Istio to control the version routing. 42 / 58
  • 43.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 43/58 Apply default destination rules Create default destination rules for the Bookinfo services: $ kubectl apply -f samples/bookinfo/networking/destination-rule-all.yaml Display the destination rules: $ kubectl get destinationrules -o yaml 43 / 58
  • 44.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 44/58 Traffic Management 44 / 58
  • 45.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 45/58 Request routing Introduces the concept of a service version: Versions (v1, v2) Environment (staging, prod) Choose service version dynamically based on the routing rules that specified by using Pilot 45 / 58
  • 46.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 46/58 Request routing 46 / 58
  • 47.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 47/58 Request routing Route to v1: $ kubectl apply -f samples/bookinfo/networking/virtual-service-all-v1.yaml Display the defined routes: $ kubectl get virtualservices -o yaml 47 / 58
  • 48.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 48/58 Discovery and load balancing HTTP traffic is automatically re-routed through Envoy 3 load balancing modes: Round robin Random Weighted least request Checks the health of each instance 48 / 58
  • 49.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 49/58 Discovery and load balancing 49 / 58
  • 50.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 50/58 Discovery and load balancing Apply weight-based routing: Transfer 50% of the traffic from reviews:v1 to reviews:v3 $ kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml Route based on user identity: $ kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml 50 / 58
  • 51.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 51/58 Handling failures Timeouts Bounded retries with timeout budgets and variable jitter between retries Limits on number of concurrent connections and requests to upstream services Active (periodic) health checks on each member of the load balancing pool Fine-grained circuit breakers (passive health checks) 51 / 58
  • 52.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 52/58 Fault injection Test the end-to-end failure recovery capability Protocol-specific fault injection into the network instead of deleting pods/ delaying/ corrupting packets 2 types of faults Delays: Timing failures (Increased network latency/ Overloaded upstream service) Aborts: Crash failures (HTTP error codes/ TCP connection failures) 52 / 58
  • 53.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 53/58 Canary rollout Introduce a new version of a service by first testing it using a small percentage of user traffic. Kubernetes provides features that support canary rollout: Uses instance scaling to manage the traffic distribution Only supports a simple (random percentage) canary rollout 53 / 58
  • 54.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 54/58 Canary rollout With Istio: The number of pods are orthogonal to the control of version traffic routing Control fine grain traffic percentages (e.g. route 1% of traffic without requiring 100 pods) Control traffic using other criteria (e.g. route traffic for specific users) 54 / 58
  • 55.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 55/58 Books 55 / 58
  • 56.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 56/58 Links Microservice Architecture https://microservices.io/index.html Istio.io https://istio.io/ Istio Solutions | Google Cloud https://cloud.google.com/istio/ Istioサービスメッシュ⼊⾨ https://www.slideshare.net/yokawasa/istio-114360124 56 / 58
  • 57.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 57/58 Links Installing Istio on GKE https://cloud.google.com/istio/docs/istio-on-gke/installing Install Istio on the Google Kubernetes Engine https://istio.io/docs/setup/kubernetes/install/platform/gke/ Bookinfo Application https://istio.io/docs/examples/bookinfo/ 57 / 58
  • 58.
    2019/4/4 Istio ServiceMesh Introduction 127.0.0.1:5500/#54 58/58 Thank You! 58 / 58