Matt Turner, profile picture
Uploaded byMatt Turner
PDF, PPTX61 views

Why Is Istio That Shape?

The document explores the architecture and implications of Istio, an open platform for connecting, securing, controlling, and observing microservices. It discusses the reasons for Istio's design choices, its business value, and how it impacts service mesh implementations, including benefits and drawbacks of microservices. The text also touches upon performance, scalability, and practical usage considerations in modern software environments.

Embed presentation

Download as PDF, PPTX
Why Is Istio That Shape? @mt165 Why Is Istio That Shape? Matt Turner Software Architecture Gathering, Virtual | November 2022 @mt165 | mt165.co.uk
Why Is Istio That Shape? @mt165 THE ENTERPRISE SERVICE MESH COMPANY
Why Is Istio That Shape? @mt165 Pop Quiz!
Why Is Istio That Shape? @mt165 Background Service Meshes and Istio
Why Is Istio That Shape? @mt165 Business Value ● Top Line ● Bottom Line ● Time to Market & Speed of Iteration ● Risk Reduction
Why Is Istio That Shape? @mt165 Break the Monolith
Why Is Istio That Shape? @mt165 Pod Pod Pod Break the Monolith Namespace A Namespace B Namespace C Namespace A Namespace B Namespace C
Why Is Istio That Shape? @mt165 But Don’t Just Distribute It!
Why Is Istio That Shape? @mt165 Technical Implications
Why Is Istio That Shape? @mt165
Why Is Istio That Shape? @mt165
Why Is Istio That Shape? @mt165
Why Is Istio That Shape? @mt165
Why Is Istio That Shape? @mt165
Why Is Istio That Shape? @mt165
Why Is Istio That Shape? @mt165 Service A Service B
Why Is Istio That Shape? @mt165 Lots of Options: In-process libraries and frameworks
Why Is Istio That Shape? @mt165 Polyglot environments
Why Is Istio That Shape? @mt165 Polyglot environments
Why Is Istio That Shape? @mt165 Take the Network Smarts out of the Process
Why Is Istio That Shape? @mt165 Add a Control Plane
Why Is Istio That Shape? @mt165 Istio “An open platform to connect, secure, control, and observe services.”
Why Is Istio That Shape? @mt165 What Shape is Istio?
Why Is Istio That Shape? @mt165 Istio 0.1 - 1.4
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B TLS certs to Envoys
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Config to Envoys Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Config to Envoys Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy k8s consul zk K8s API Server
Why Is Istio That Shape? @mt165 Have We Seen This Before?
Why Is Istio That Shape? @mt165 IP Router Architecture DATA PLANE CONTROL PLANE OSPF ARP BGP STP Router Information Base Forwarding Information Base Forwarding Engine
Why Is Istio That Shape? @mt165 IP Router Architecture DATA PLANE CONTROL PLANE OSPF ARP BGP STP Router Information Base Forwarding Information Base Forwarding Engine Latency Throughput Concurrency Availability
Why Is Istio That Shape? @mt165 IP Router Architecture DATA PLANE CONTROL PLANE OSPF ARP BGP STP PILOT ENVOY Router Information Base Forwarding Information Base Forwarding Engine
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Policy checks, Telemetry Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
Why Is Istio That Shape? @mt165 IP Router Architecture Interrupt Kernel module User process DATA PLANE CONTROL PLANE OSPF ARP BGP STP Router Information Base Forwarding Information Base
Why Is Istio That Shape? @mt165 IP Router Architecture DATA PLANE CONTROL PLANE OSPF ARP BGP STP PILOT MIXER ENVOY Interrupt Kernel module User process Router Information Base Forwarding Information Base
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Control Plane API Service A Service B Config to Envoys prom ES REPORT CHECK ACL Rate limit Mixer fat client Mixer fat client Citadel
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Config to Envoys TLS certs to Envoys Policy checks, Telemetry Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
Why Is Istio That Shape? @mt165 Why Isn’t Istio This Shape?
Why Is Istio That Shape? @mt165 Mixer Pros ● Recognisable mental mode ● Good availability ● Can horizontally scale ○ Load ○ High availability Cons ● Performance was never great ● Very few things need coördination between proxies
Why Is Istio That Shape? @mt165 µServices! Pros ● Decoupled deployments ● Isolated security contexts ● Isolated failure domains ● Individual scaling ● Multiple languages ● Clean mapping to individual teams/domains Cons ● Complex to debug ● Fiddly to deploy ● Inefficient ○ Message-passing ○ Missed shared cache opportunities
Why Is Istio That Shape? @mt165 µServices? Decoupled deployments ● No-one ever did
Why Is Istio That Shape? @mt165 µServices? Isolated security contexts ● Citadel is obviously a security component, but… ● Pilot can re-route all your requests ● Mixer can steal all your traffic ● …a breach in any one is as bad as the others
Why Is Istio That Shape? @mt165 µServices? Isolated failure domains ● Mixer is the only acutely critical service
Why Is Istio That Shape? @mt165 µServices? Individual scaling ● Resource usage was dominated by one component of service: Pilot’s XDS serving
Why Is Istio That Shape? @mt165 µServices? Multiple languages ● It’s all Go
Why Is Istio That Shape? @mt165 µServices? Clean mapping to individual teams/domains ● We’re good at writing monoliths ● µServices were never about this anyway
Why Is Istio That Shape? @mt165 Istio 1.5 - Date
Why Is Istio That Shape? @mt165 Pilot ● That thing I said about a compiler… ● It’s a nice mental model ● It wasn’t true
Why Is Istio That Shape? @mt165 Pilot Pilot K8s API Server Envoy Envoy Envoy Envoy k8s consul zk
Why Is Istio That Shape? @mt165 Pilot K8s API Server Envoy Envoy Envoy Envoy k8s consul zk
Why Is Istio That Shape? @mt165 Pilot K8s API Server Envoy Envoy Envoy Envoy k8s consul zk
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB istiod Control Plane API Service A Service B Config to Envoys TLS certs to Envoys Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy µServices
Why Is Istio That Shape? @mt165 Mixer ● Policy: implemented with (new) Envoy-native features
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB istiod Control Plane API Service A Service B Config to Envoys TLS certs to Envoys Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy WASM WASM WASM WASM Telem etry
Why Is Istio That Shape? @mt165 Dataplane Topology - Host-Based Proxy #eBPF #sidecarless #nomesh
Why Is Istio That Shape? @mt165 Envoy Service A Service B WASM WASM host istiod Control Plane API
Why Is Istio That Shape? @mt165 CPU Usage Per Request Idle
Why Is Istio That Shape? @mt165 Memory Usage Per Service Config Overhead: programme
Why Is Istio That Shape? @mt165 Dataplane Topology - “Ambient Mesh”
Why Is Istio That Shape? @mt165 Ambient Mesh - zTunnel host host Service A Service B zTunnel zTunnel Service A
Why Is Istio That Shape? @mt165 Ambient Mesh - “Waypoint” Proxies host host Service A Service B zTunnel zTunnel Service A Envoy K8s ServiceAccount A Envoy K8s ServiceAccount B
Why Is Istio That Shape? @mt165 Thanks! Slides Videos Demo code mt165.co.uk Questions @mt165

More Related Content

PPTX
Istio a service mesh
byChandresh Pancholi
 
PPTX
ISTIO Deep Dive
byYong Feng
 
PPTX
An Open-Source Platform to Connect, Manage, and Secure Microservices
byDoiT International
 
PDF
Service Mesh in Practice
byBallerina
 
PDF
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
byMichael Man
 
PDF
Istio (service mesh) why and how
byMilan Das
 
PPTX
Introduction to Istio for APIs and Microservices meetup
byDaniel Ciruli
 
PDF
Service Mesh For Beginner
byMien Dinh
 
Istio a service mesh
byChandresh Pancholi
 
ISTIO Deep Dive
byYong Feng
 
An Open-Source Platform to Connect, Manage, and Secure Microservices
byDoiT International
 
Service Mesh in Practice
byBallerina
 
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
byMichael Man
 
Istio (service mesh) why and how
byMilan Das
 
Introduction to Istio for APIs and Microservices meetup
byDaniel Ciruli
 
Service Mesh For Beginner
byMien Dinh
 

Similar to Why Is Istio That Shape?

PDF
Istio and Kubernetes Relationship
byKnoldus Inc.
 
PDF
Api observability
byRed Hat
 
PDF
APIdays Paris 2018 - Microservices the right way : an introduction to Istio, ...
byapidays
 
PDF
Istio service mesh: past, present, future (TLV meetup)
byelevran
 
PDF
Istio Triangle Kubernetes Meetup Aug 2019
byRam Vennam
 
PPTX
istio: service mesh for all
byMandar Jog
 
PDF
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...
byWSO2
 
PDF
Stop reinventing the wheel with Istio by Mete Atamel (Google)
byCodemotion
 
PDF
Istio Up Running Using a Service Mesh to Connect Secure Control and Observe 1...
bykecketatyz
 
PDF
How to Make Istio Work with Your App
byStackRox
 
PDF
How to Make Istio Work with Your App
byKarenBruner
 
PPTX
Connecting All Abstractions with Istio
byVMware Tanzu
 
PPTX
Microservices With Istio Service Mesh
byNatanael Fonseca
 
PDF
What is a Service Mesh and what can it do for your Microservices
byMatt Turner
 
PPTX
Manging Container Deployments at Scale
byMofizur Rahman
 
PPTX
Istio Mesh – Managing Container Deployments at Scale
byMofizur Rahman
 
PDF
Managing Microservices With The Istio Service Mesh on Kubernetes
byIftach Schonbaum
 
PDF
APIdays Paris 2019 - Cloud native API Management for Microservices on a Servi...
byapidays
 
PDF
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
byCodeOps Technologies LLP
 
PPTX
Istio Security Overview
byMichael Furman
 
Istio and Kubernetes Relationship
byKnoldus Inc.
 
Api observability
byRed Hat
 
APIdays Paris 2018 - Microservices the right way : an introduction to Istio, ...
byapidays
 
Istio service mesh: past, present, future (TLV meetup)
byelevran
 
Istio Triangle Kubernetes Meetup Aug 2019
byRam Vennam
 
istio: service mesh for all
byMandar Jog
 
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...
byWSO2
 
Stop reinventing the wheel with Istio by Mete Atamel (Google)
byCodemotion
 
Istio Up Running Using a Service Mesh to Connect Secure Control and Observe 1...
bykecketatyz
 
How to Make Istio Work with Your App
byStackRox
 
How to Make Istio Work with Your App
byKarenBruner
 
Connecting All Abstractions with Istio
byVMware Tanzu
 
Microservices With Istio Service Mesh
byNatanael Fonseca
 
What is a Service Mesh and what can it do for your Microservices
byMatt Turner
 
Manging Container Deployments at Scale
byMofizur Rahman
 
Istio Mesh – Managing Container Deployments at Scale
byMofizur Rahman
 
Managing Microservices With The Istio Service Mesh on Kubernetes
byIftach Schonbaum
 
APIdays Paris 2019 - Cloud native API Management for Microservices on a Servi...
byapidays
 
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
byCodeOps Technologies LLP
 
Istio Security Overview
byMichael Furman
 

More from Matt Turner

PDF
The Life of a Packet through Istio III
byMatt Turner
 
PDF
Automated Cloud-Native Incident Response with Kubernetes and Service Mesh
byMatt Turner
 
PDF
apiserver-Only "Clusters" for fun and profit
byMatt Turner
 
PDF
Istio + SPIRE for cross-domain traffic trust in hybrid-cloud scenarios
byMatt Turner
 
PDF
Dynamically Testing Individual Microservice Releases In Production
byMatt Turner
 
PDF
Gateway APIs, Envoy Gateway, and API Gateways
byMatt Turner
 
PDF
The Life of a Packet III - Service Mesh London
byMatt Turner
 
PDF
Cloud-Native Progressive Delivery
byMatt Turner
 
PDF
An Introduction to Bazel
byMatt Turner
 
PDF
Networks, Linux, Containers, Pods
byMatt Turner
 
PDF
Debugging an RBAC Problem in Istio
byMatt Turner
 
PDF
Running Resillient Workloads with Istio - KubeCon China 2019
byMatt Turner
 
PDF
Software Networking and Interfaces on Linux
byMatt Turner
 
PDF
Running Resillient Workloads with Istio - OpenInfra Days 2019
byMatt Turner
 
PDF
The Life of a Packet through Istio - DevExperience Romania, April 2019
byMatt Turner
 
PDF
The life of a packet through Istio - QCon London 2019
byMatt Turner
 
PDF
Do You Need a Service Mesh? @ London Devops, January 2019
byMatt Turner
 
PDF
Istio, The Packet's-Eye View - KubeCon NA 2018
byMatt Turner
 
PDF
The life of a packet through Istio
byMatt Turner
 
PDF
Bash is Testing
byMatt Turner
 
The Life of a Packet through Istio III
byMatt Turner
 
Automated Cloud-Native Incident Response with Kubernetes and Service Mesh
byMatt Turner
 
apiserver-Only "Clusters" for fun and profit
byMatt Turner
 
Istio + SPIRE for cross-domain traffic trust in hybrid-cloud scenarios
byMatt Turner
 
Dynamically Testing Individual Microservice Releases In Production
byMatt Turner
 
Gateway APIs, Envoy Gateway, and API Gateways
byMatt Turner
 
The Life of a Packet III - Service Mesh London
byMatt Turner
 
Cloud-Native Progressive Delivery
byMatt Turner
 
An Introduction to Bazel
byMatt Turner
 
Networks, Linux, Containers, Pods
byMatt Turner
 
Debugging an RBAC Problem in Istio
byMatt Turner
 
Running Resillient Workloads with Istio - KubeCon China 2019
byMatt Turner
 
Software Networking and Interfaces on Linux
byMatt Turner
 
Running Resillient Workloads with Istio - OpenInfra Days 2019
byMatt Turner
 
The Life of a Packet through Istio - DevExperience Romania, April 2019
byMatt Turner
 
The life of a packet through Istio - QCon London 2019
byMatt Turner
 
Do You Need a Service Mesh? @ London Devops, January 2019
byMatt Turner
 
Istio, The Packet's-Eye View - KubeCon NA 2018
byMatt Turner
 
The life of a packet through Istio
byMatt Turner
 
Bash is Testing
byMatt Turner
 

Recently uploaded

PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PPTX
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
apidays New York 2025 | AI in Application Security
byapidays
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Workflow and decision Automation with Flowable
bychakib ch
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 

Why Is Istio That Shape?

  • 1.
    Why Is IstioThat Shape? @mt165 Why Is Istio That Shape? Matt Turner Software Architecture Gathering, Virtual | November 2022 @mt165 | mt165.co.uk
  • 2.
    Why Is IstioThat Shape? @mt165 THE ENTERPRISE SERVICE MESH COMPANY
  • 3.
    Why Is IstioThat Shape? @mt165 Pop Quiz!
  • 4.
    Why Is IstioThat Shape? @mt165 Background Service Meshes and Istio
  • 5.
    Why Is IstioThat Shape? @mt165 Business Value ● Top Line ● Bottom Line ● Time to Market & Speed of Iteration ● Risk Reduction
  • 6.
    Why Is IstioThat Shape? @mt165 Break the Monolith
  • 7.
    Why Is IstioThat Shape? @mt165 Pod Pod Pod Break the Monolith Namespace A Namespace B Namespace C Namespace A Namespace B Namespace C
  • 8.
    Why Is IstioThat Shape? @mt165 But Don’t Just Distribute It!
  • 9.
    Why Is IstioThat Shape? @mt165 Technical Implications
  • 10.
    Why Is IstioThat Shape? @mt165
  • 11.
    Why Is IstioThat Shape? @mt165
  • 12.
    Why Is IstioThat Shape? @mt165
  • 13.
    Why Is IstioThat Shape? @mt165
  • 14.
    Why Is IstioThat Shape? @mt165
  • 15.
    Why Is IstioThat Shape? @mt165
  • 16.
    Why Is IstioThat Shape? @mt165 Service A Service B
  • 17.
    Why Is IstioThat Shape? @mt165 Lots of Options: In-process libraries and frameworks
  • 18.
    Why Is IstioThat Shape? @mt165 Polyglot environments
  • 19.
    Why Is IstioThat Shape? @mt165 Polyglot environments
  • 20.
    Why Is IstioThat Shape? @mt165 Take the Network Smarts out of the Process
  • 21.
    Why Is IstioThat Shape? @mt165 Add a Control Plane
  • 22.
    Why Is IstioThat Shape? @mt165 Istio “An open platform to connect, secure, control, and observe services.”
  • 23.
    Why Is IstioThat Shape? @mt165 What Shape is Istio?
  • 24.
    Why Is IstioThat Shape? @mt165 Istio 0.1 - 1.4
  • 25.
    Why Is IstioThat Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
  • 26.
    Why Is IstioThat Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
  • 27.
    Why Is IstioThat Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
  • 28.
    Why Is IstioThat Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B
  • 29.
    Why Is IstioThat Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B
  • 30.
    Why Is IstioThat Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B TLS certs to Envoys
  • 31.
    Why Is IstioThat Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Config to Envoys Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
  • 32.
    Why Is IstioThat Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Config to Envoys Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy k8s consul zk K8s API Server
  • 33.
    Why Is IstioThat Shape? @mt165 Have We Seen This Before?
  • 34.
    Why Is IstioThat Shape? @mt165 IP Router Architecture DATA PLANE CONTROL PLANE OSPF ARP BGP STP Router Information Base Forwarding Information Base Forwarding Engine
  • 35.
    Why Is IstioThat Shape? @mt165 IP Router Architecture DATA PLANE CONTROL PLANE OSPF ARP BGP STP Router Information Base Forwarding Information Base Forwarding Engine Latency Throughput Concurrency Availability
  • 36.
    Why Is IstioThat Shape? @mt165 IP Router Architecture DATA PLANE CONTROL PLANE OSPF ARP BGP STP PILOT ENVOY Router Information Base Forwarding Information Base Forwarding Engine
  • 37.
    Why Is IstioThat Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Policy checks, Telemetry Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
  • 38.
    Why Is IstioThat Shape? @mt165 IP Router Architecture Interrupt Kernel module User process DATA PLANE CONTROL PLANE OSPF ARP BGP STP Router Information Base Forwarding Information Base
  • 39.
    Why Is IstioThat Shape? @mt165 IP Router Architecture DATA PLANE CONTROL PLANE OSPF ARP BGP STP PILOT MIXER ENVOY Interrupt Kernel module User process Router Information Base Forwarding Information Base
  • 40.
    Why Is IstioThat Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Control Plane API Service A Service B Config to Envoys prom ES REPORT CHECK ACL Rate limit Mixer fat client Mixer fat client Citadel
  • 41.
    Why Is IstioThat Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Config to Envoys TLS certs to Envoys Policy checks, Telemetry Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
  • 42.
    Why Is IstioThat Shape? @mt165 Why Isn’t Istio This Shape?
  • 43.
    Why Is IstioThat Shape? @mt165 Mixer Pros ● Recognisable mental mode ● Good availability ● Can horizontally scale ○ Load ○ High availability Cons ● Performance was never great ● Very few things need coördination between proxies
  • 44.
    Why Is IstioThat Shape? @mt165 µServices! Pros ● Decoupled deployments ● Isolated security contexts ● Isolated failure domains ● Individual scaling ● Multiple languages ● Clean mapping to individual teams/domains Cons ● Complex to debug ● Fiddly to deploy ● Inefficient ○ Message-passing ○ Missed shared cache opportunities
  • 45.
    Why Is IstioThat Shape? @mt165 µServices? Decoupled deployments ● No-one ever did
  • 46.
    Why Is IstioThat Shape? @mt165 µServices? Isolated security contexts ● Citadel is obviously a security component, but… ● Pilot can re-route all your requests ● Mixer can steal all your traffic ● …a breach in any one is as bad as the others
  • 47.
    Why Is IstioThat Shape? @mt165 µServices? Isolated failure domains ● Mixer is the only acutely critical service
  • 48.
    Why Is IstioThat Shape? @mt165 µServices? Individual scaling ● Resource usage was dominated by one component of service: Pilot’s XDS serving
  • 49.
    Why Is IstioThat Shape? @mt165 µServices? Multiple languages ● It’s all Go
  • 50.
    Why Is IstioThat Shape? @mt165 µServices? Clean mapping to individual teams/domains ● We’re good at writing monoliths ● µServices were never about this anyway
  • 51.
    Why Is IstioThat Shape? @mt165 Istio 1.5 - Date
  • 52.
    Why Is IstioThat Shape? @mt165 Pilot ● That thing I said about a compiler… ● It’s a nice mental model ● It wasn’t true
  • 53.
    Why Is IstioThat Shape? @mt165 Pilot Pilot K8s API Server Envoy Envoy Envoy Envoy k8s consul zk
  • 54.
    Why Is IstioThat Shape? @mt165 Pilot K8s API Server Envoy Envoy Envoy Envoy k8s consul zk
  • 55.
    Why Is IstioThat Shape? @mt165 Pilot K8s API Server Envoy Envoy Envoy Envoy k8s consul zk
  • 56.
    Why Is IstioThat Shape? @mt165 Envoy SvcA Envoy SvcB istiod Control Plane API Service A Service B Config to Envoys TLS certs to Envoys Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy µServices
  • 57.
    Why Is IstioThat Shape? @mt165 Mixer ● Policy: implemented with (new) Envoy-native features
  • 58.
    Why Is IstioThat Shape? @mt165 Envoy SvcA Envoy SvcB istiod Control Plane API Service A Service B Config to Envoys TLS certs to Envoys Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy WASM WASM WASM WASM Telem etry
  • 59.
    Why Is IstioThat Shape? @mt165 Dataplane Topology - Host-Based Proxy #eBPF #sidecarless #nomesh
  • 60.
    Why Is IstioThat Shape? @mt165 Envoy Service A Service B WASM WASM host istiod Control Plane API
  • 61.
    Why Is IstioThat Shape? @mt165 CPU Usage Per Request Idle
  • 62.
    Why Is IstioThat Shape? @mt165 Memory Usage Per Service Config Overhead: programme
  • 63.
    Why Is IstioThat Shape? @mt165 Dataplane Topology - “Ambient Mesh”
  • 64.
    Why Is IstioThat Shape? @mt165 Ambient Mesh - zTunnel host host Service A Service B zTunnel zTunnel Service A
  • 65.
    Why Is IstioThat Shape? @mt165 Ambient Mesh - “Waypoint” Proxies host host Service A Service B zTunnel zTunnel Service A Envoy K8s ServiceAccount A Envoy K8s ServiceAccount B
  • 66.
    Why Is IstioThat Shape? @mt165 Thanks! Slides Videos Demo code mt165.co.uk Questions @mt165