Red Hat OpenShift Service Mesh
Olaf Meyer
Senior Consultant
09.12.2020
Red Hat OpenShift Service Mesh Page 2 of 36
Who am I and what do I do for a living?
I'm a consultant at ConSol. I support & advise customers on how to use OpenShift and Kubernetes and how to run applications on these platforms. My interest is how to accelerate the development cycles for cloud native applications.
E-Mail: olaf.meyer@consol.de
Twitter: @ola_mey
Agenda
• When or why to use Service Meshes?
• What is Istio?
• What are the differences between Red Hat OpenShift Service Mesh and Istio?
• What has changed in version 2?
• Demo
• Summary
Typical application architecture (Official)
[Diagram: Web-Frontend, B2B Mobile-App, B2C Mobile-App, Partner Web-page, Mobile-Gateway, Rest-Gateway, ESB, CRM, ERP, GIS, Logistics]
Typical application architecture (Reality)
[Diagram: Web-Frontend, B2B Mobile-App, B2C Mobile-App, Partner Web-page, Mobile-Gateway, Rest-Gateway, ESB, CRM, ERP, GIS, Logistics, plus Management Reporting (U-Boot) wired in underneath]
What do Ops and Security want from your apps?
Resilience & Fault Tolerance
Visibility & Reporting
Policy Enforcement
Identity & Security
Routing & Traffic Control
How does this affect your application?
[Diagram, layered: Application (Business Logic, plus Service Discovery, Circuit Breaker, Monitoring, Load Balancing, Traffic Control, Tracing); Netflix OSS (Service Registry, Monitoring, API Management, Traffic Control, Tracing, Smart Routing, Config Server, Security Policy); Infrastructure (Resilience & Fault Tolerance, Visibility & Reporting, Policy Enforcement, Identity & Security, Routing & Traffic Control)]
Overview for two applications
[Diagram: two applications, each with Business Logic plus Service Discovery, Circuit Breaker, Monitoring, Load Balancing, Traffic Control and Tracing, on top of Netflix OSS (Service Registry, Monitoring, API Management, Traffic Control, Tracing, Smart Routing, Config Server, Security Policy) and Infrastructure]
Used frameworks are only available for a defined set of frameworks and/or programming languages.
How does this work for off-the-shelf apps? Good luck if you need to integrate your ERP.
Reminder of your application architecture
[Diagram: Web-Frontend, B2B Mobile-App, B2C Mobile-App, Partner Web-page, Mobile-Gateway, Rest-Gateway, ESB, CRM, ERP, GIS, Logistics, Management Reporting (U-Boot)]
How does a service mesh work?
[Diagram: two applications, each consisting of Business Logic plus a Proxy sidecar; the proxies form the Service Mesh Data Plane and exchange Config and Telemetry with the Service Mesh Control Plane]
No code changes in application required!!!
Popular service meshes are:
● Istio → Red Hat OpenShift Service Mesh
● Linkerd
● Consul Connect
● ...
Introduction to Istio
Istio → Greek for "sail"
Definition from Istio homepage:
Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection.
High-level architecture of Istio
Source: https://istio.io/docs/concepts/security/
[Diagram series, one slide per component: Data plane, Control plane, Ingress, Egress, Pods, Pilot, Citadel, Mixer]
Applications in the Istio/Red Hat OpenShift Service Mesh ecosystem
[Diagram: Istio (Connect, Secure, Control) surrounded by Jaeger, Kiali, Grafana and Prometheus (Observe)]
Red Hat OpenShift Service Mesh <> Istio?
Red Hat Service Mesh <> Istio?
Service Mesh installation can be done in two ways:
1. The control plane is responsible for the whole cluster (Kubernetes default behavior).
2. The control plane is installed in a defined project and is only responsible for a defined set of projects.
→ Multiple control planes can run on the same OpenShift cluster.
Red Hat Service Mesh <> Istio?
Istio init container no longer needs elevated privileges
In plain Istio the init container needs elevated privileges, because it modifies the network settings. Red Hat OpenShift Service Mesh replaces the init container with a CNI plugin, which eliminates the need for elevated privileges for service accounts and for SCCs (Security Context Constraints).
Red Hat Service Mesh <> Istio?
Istio sidecar injection
In order to inject (Istio) sidecars into pods, add the annotation sidecar.istio.io/inject: "true" to the pod definition. Automatic injection via a namespace annotation is not supported. Manual injection via istioctl is still possible.
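Added example (not from the talk): how the two slides above fit together in manifests. The ServiceMeshMemberRoll puts a project under a control plane, and the pod template annotation opts the workload into sidecar injection. The project names, the control-plane project istio-system and the image are assumptions.

```yaml
# Added example, not from the talk. Assumed names: project "mesh-demo",
# control-plane project "istio-system", placeholder image path.
# 1) Make the project a member of the control plane: a control plane is
#    only responsible for the projects listed here.
apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
  name: default            # the member roll must be named "default"
  namespace: istio-system  # the control plane's project
spec:
  members:
    - mesh-demo
---
# 2) Opt the workload into sidecar injection. The annotation belongs on the
#    pod template, not on the Deployment's own metadata; a namespace
#    annotation has no effect in OpenShift Service Mesh.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: recommendation-v1
  namespace: mesh-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: recommendation
      version: v1
  template:
    metadata:
      labels:
        app: recommendation
        version: v1
      annotations:
        sidecar.istio.io/inject: "true"
    spec:
      containers:
        - name: recommendation
          image: quay.io/example/recommendation:v1   # placeholder image
          ports:
            - containerPort: 8080
```

After applying both, the pod in mesh-demo should show 2/2 READY: the application container and the istio-proxy sidecar. A pod in a project missing from the member roll gets no sidecar even with the annotation set.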
Red Hat Service Mesh <> Istio?
Kiali and Jaeger are installed by default
Red Hat OpenShift Service Mesh installs Kiali and Jaeger by default. This means that you have, out of the box, a graphical interface to visualize an Istio service mesh and to trace requests and responses. Furthermore, supported and working versions of Kiali and Jaeger are installed. No manual steps are required.
Red Hat Service Mesh <> Istio?
Updates of Istio are handled by an Istio Operator
The operator takes care of updating the Istio control plane(s). With a redeploy, the Istio data plane(s) update to the latest version. Manual steps are only required in exceptional cases, e.g. for version 1.1 add the attribute version: 1.1 to the ServiceMeshControlPlane resource.
Difference between Red Hat OpenShift Service Mesh v1 and v2
Red Hat Service Mesh <> Istio?
● Update Istio from 1.4.6 to Istio 1.6
● Deprecated
  − ServiceRole and ServiceRoleBinding
  − Policies from Mixer
● Improved Certificate Management with SDS
● Goodbye Mixer, Hello WebAssembly Extensions (TP)
● Enhancements in Kiali
  − Distributed Tracing Topology view
  − Replay function
  − Improved Wizards
Red Hat Service Mesh <> Istio?
Component   Red Hat Service Mesh (Maistra 2.0)   Plain Istio
Istio       1.6                                  1.8
Kiali       1.24.1                               1.27.0
Jaeger      1.20.1                               1.21.0
Architecture of the example application
[Diagram: Customer, Istio Ingress Gateway, Preference, Recommendation V1, Recommendation V2, Recommendation V3]
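Added example (not from the talk or its demo): weighted and header-based routing across the three Recommendation versions in the architecture above, done purely in configuration, with the application code untouched. The service name, project, label values and header name are assumptions.

```yaml
# Added example, not from the talk. Assumes a Kubernetes service named
# "recommendation" in project "mesh-demo" whose pods carry the label
# version=v1, v2 or v3.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: recommendation
  namespace: mesh-demo
spec:
  host: recommendation
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2
    - name: v3
      labels:
        version: v3
---
# Send requests carrying the (assumed) header x-canary-user: "true" to v3;
# split everything else 90% v1 / 10% v2. Preference keeps calling the
# plain service name; the sidecar proxies apply the routing.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: recommendation
  namespace: mesh-demo
spec:
  hosts:
    - recommendation
  http:
    - match:
        - headers:
            x-canary-user:
              exact: "true"
      route:
        - destination:
            host: recommendation
            subset: v3
    - route:
        - destination:
            host: recommendation
            subset: v1
          weight: 90
        - destination:
            host: recommendation
            subset: v2
          weight: 10
```

The first http rule that matches wins, so the header match must come before the catch-all weighted route. Kiali's graph shows the resulting split per version once traffic flows.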
Demo
Hmm, so can I ….
• Can't I just use Network Policies and be fine?
→ No, mTLS, routing etc. are missing in NetworkPolicies.
• How about using just an API Gateway like 3scale?
→ A gateway allows incoming (north-south) traffic to be controlled and secured, but not east-west traffic.
• Or maybe both?
→ Still not covering east-west traffic :-(
• Istio requires so many resources → How many resources would you need for DIY?
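Added example (not from the talk) for the NetworkPolicy question above and the v2 deprecations: a NetworkPolicy for the preference → recommendation flow, then the mesh resources that add what it cannot express, PeerAuthentication for mTLS and AuthorizationPolicy as the successor to ServiceRole/ServiceRoleBinding. Project, service and service-account names are assumptions.

```yaml
# Added example, not from the talk. Assumed project "mesh-demo" and the
# demo services customer -> preference -> recommendation.
# What a NetworkPolicy can express: which pods may reach port 8080 of
# recommendation. It matches pod labels/IPs, knows nothing about the
# caller's identity, and provides neither encryption nor routing.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: recommendation-ingress
  namespace: mesh-demo
spec:
  podSelector:
    matchLabels:
      app: recommendation
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: preference
      ports:
        - port: 8080
---
# Mesh equivalent, part 1: require mTLS for every workload in the project.
# Plaintext callers are rejected by the sidecar; each side presents a
# certificate issued for its service account (delivered via SDS in v2).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: mesh-demo
spec:
  mtls:
    mode: STRICT
---
# Part 2: allow only the preference service account to call recommendation.
# AuthorizationPolicy replaces the deprecated ServiceRole/ServiceRoleBinding.
# The principal check only holds with STRICT mTLS, because the identity
# comes from the client certificate, not from an IP address.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: recommendation-allow-preference
  namespace: mesh-demo
spec:
  selector:
    matchLabels:
      app: recommendation
  action: ALLOW
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/mesh-demo/sa/preference
```

Once an ALLOW policy selects a workload, every request not matched by one of its rules is denied, so test the allowed path from preference before adding further rules.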
Summary
• Summary for Red Hat OpenShift Service Mesh
– No need for higher privileges, and the control plane runs in dedicated projects.
– Enables multiple control planes on the same cluster
– Updates are handled by the Istio operator
– No additional subscription needed
– Changes in configuration, no changes in application code.
• There is no such thing as a free lunch:
With great power (of Istio) comes great responsibility: increased complexity of the configuration!
Source: Spiderman (the movie, 2002)
Thank you!
Olaf Meyer
E-Mail: olaf.meyer@consol.de
Twitter: @ola_mey
ConSol
Consulting & Solutions Software
GmbH
St.-Cajetan-Str. 43
D-81669 München
Tel.: +49-89-45841-100
info@consol.de
www.consol.de
Twitter: @consol_de

Meetup talk Red Hat OpenShift service mesh