The document discusses the need for service meshes in microservices architecture, highlighting various implementations such as Istio, Linkerd, and Consul Connect. It poses essential questions related to service meshes, including their cost, selection, and functionality. The content also references the Service Mesh Interface (SMI) for standardizing service mesh operations and compares different service meshes based on manageability, observability, and complexity.

1. @antweiss
WTF Do We Need A
Service Mesh?
Ant Weiss, Otomato Software

2. @antweiss
whoami: Anton (Ant) Weiss
@antweiss
Otomato Software Delivery
http://otomato.link

3. @antweiss
A Long Long Time Ago...
https://linkerd.io/2016/02/18/linkerd-twitter-style-operability-for-microservices/

4. @antweiss
A Long Long Time Ago...

5. @antweiss
A Long Long Time Ago...

6. @antweiss
Today:
● Istio 1.3 (managed service on GKE)

7. @antweiss
Today:
● Istio 1.3 (managed service on GKE)
● Linkerd 2.0 (instead of Conduit)

8. @antweiss
Today:
● Istio 1.3 (managed service on GKE)
● Linkerd 2.0 (instead of Conduit)
● Consul Connect + Envoy sidecar-proxy

9. @antweiss
Today:
● Istio 1.3 (managed service on GKE)
● Linkerd 2.0 (instead of Conduit)
● Consul Connect + Envoy sidecar-proxy
● Maesh (from Containous)

10. @antweiss
Today:
● Istio 1.3 (managed service on GKE)
● Linkerd 2.0 (instead of Conduit)
● Consul Connect + Envoy sidecar-proxy
● Maesh (from Containous)
● Kuma (from Kong)

11. @antweiss
Today:
● Istio 1.3 (managed service on GKE)
● Linkerd 2.0 (instead of Conduit)
● Consul Connect + Envoy sidecar-proxy
● Maesh (from Containous)
● Kuma (from Kong)
● NSM

12. @antweiss
Today:
● AWS App Mesh
● Aspen Mesh
● Octarine
● Grey Matter
● A10 Secure Service Mesh
● VMWare NSX
● Glasnostic

13. @antweiss
Questions:

14. @antweiss
Questions:
● What’s a Service Mesh?

15. @antweiss
Questions:
● What’s a Service Mesh?
● WTF Do We Need a Service Mesh?

16. @antweiss
Questions:
● What’s a Service Mesh?
● WTF Do We Need a Service Mesh?
● Which Mesh To Choose?

17. @antweiss
Questions:
● What’s a Service Mesh?
● WTF Do We Need a Service Mesh?
● Which Mesh To Choose?
● What Will It Cost Us?

18. @antweiss
WHAT?

19. @antweiss
MEsh vs Gateway

20. @antweiss
SMI - the Service Mesh Interface
Total CRD-ization for Service Meshes

21. @antweiss
SMI - the Service Mesh Interface
Traffic Spec - what does the traffic look like?
apiVersion: specs.smi-spec.io/v1alpha1
kind: HTTPRouteGroup
metadata:
name: the-routes
matches:
- name: metrics
pathRegex: "/metrics"
methods:
- GET
- name: health
pathRegex: "/healthz"
methods: ["*"]

22. @antweiss
SMI - the Service Mesh Interface
Traffic Access
Control -
Who can and who
should talk to whom?
kind: TrafficTarget
apiVersion:
access.smi-spec.io/v1alpha1
metadata:
name: path-specific
destination:
kind: ServiceAccount
name: service-a
port: 8080
specs:
- kind: HTTPRouteGroup
name: the-routes
matches:
- metrics
sources:
- kind: ServiceAccount
name: prometheus
namespace: default

23. @antweiss
SMI - the Service Mesh Interface
Traffic Split - Divide and Conquer!
apiVersion: split.smi-spec.io/v1alpha1
kind: TrafficSplit
metadata:
name: my-app-split
spec:
# The root service that clients request
service: my-app
# Services inside the namespace with their own selectors,etc
backends:
- service: my-app-v1
weight: 50
- service: my-app-v2
weight: 50

24. @antweiss
SMI - the Service Mesh Interface
Traffic Metrics -
Let’s Measure Stuff apiVersion: metrics.smi-spec.io/v1alpha1
kind: TrafficMetrics
resource:
name: foo-775b9cbd88-ntxsl
namespace: foobar
kind: Pod
edge:
direction: to
resource:
name: baz-577db7d977-lsk2q
namespace: foobar
kind: Pod

25. @antweiss
SMI - the Service Mesh Interface
apiVersion: metrics.smi-spec.io/v1alpha1
kind: TrafficMetrics
resource:
name: foo-775b9cbd88-ntxsl
namespace: foobar
kind: Pod
edge:
direction: from
resource:
name: baz-577db7d977-lsk2q
namespace: foobar
kind: Pod
Traffic Metrics -
Let’s Measure Stuff

26. @antweiss
SMI - the Service Mesh Interface
kind: TrafficMetrics
spec:
…
timestamp: 2019-04-08T22:25:55Z
window: 30s
metrics:
- name: p99_response_latency
unit: seconds
value: 10m
- name: p90_response_latency
unit: seconds
value: 10m
- name: p50_response_latency
unit: seconds
value: 10m
- name: success_count
value: 100
- name: failure_count
value: 100
Traffic Metrics -
Let’s Measure Stuff

27. @antweiss
WTF?
Manageability

28. @antweiss
WTF?
Manageability
Observability

29. @antweiss
WTF?
Manageability
Observability
Reliability

30. @antweiss
WTF?
Manageability
Observability
Reliability
Security

31. @antweiss
WTF?
Manageability
Observability
Reliability
Security
Progressive
Delivery

32. What Mesh to Choose?

33. @antweiss
● The Reference Implementation
Istio

34. @antweiss
● The Reference Implementation
● Hybrid Configs and Topologies (?)
Istio

35. @antweiss
● The Reference Implementation
● Hybrid Configs and Topologies (?)
● Sidecar-proxy: Envoy
Istio

36. @antweiss
● The Reference Implementation
● Hybrid Configs and Topologies (?)
● Sidecar-proxy: Envoy
● Performance Issues
Istio

37. @antweiss
● The Reference Implementation
● Hybrid Configs and Topologies (?)
● Sidecar-proxy: Envoy
● Performance Issues
● Complexity ( going down - 20 CRDs in version 1.3.1)
Istio

38. @antweiss
● The Reference Implementation
● Hybrid Configs and Topologies (?)
● Sidecar-proxy: Envoy
● Performance Issues
● Complexity ( going down - 20 CRDs in version 1.3.1)
● Modularity
Istio

39. @antweiss
● The Reference Implementation
● Hybrid Configs and Topologies (?)
● Sidecar-proxy: Envoy
● Performance Issues
● Complexity ( going down - 20 CRDs in version 1.3.1)
● Modularity
● OpenTracing Support (with adapter)
Istio

40. @antweiss
● The Reference Implementation
● Hybrid Configs and Topologies (?)
● Sidecar-proxy: Envoy
● Performance Issues
● Complexity ( going down - 20 CRDs in version 1.3.1)
● Modularity
● OpenTracing Support (with adapter)
● Prometheus Integration (with adapter)
Istio

41. @antweiss
LinkerD 2.0
● From the Service Mesh Pioneers

42. @antweiss
LinkerD 2.0
● From the Service Mesh Pioneers
● Kubernetes Only

43. @antweiss
LinkerD 2.0
● From the Service Mesh Pioneers
● Kubernetes Only
● Sidecar-proxy: Linkerd (Rust)

44. @antweiss
LinkerD 2.0
● From the Service Mesh Pioneers
● Kubernetes Only
● Sidecar-proxy: Linkerd (Rust)
● Minimum Config

45. @antweiss
LinkerD 2.0
● From the Service Mesh Pioneers
● Kubernetes Only
● Sidecar-proxy: Linkerd (Rust)
● Minimum Config
● Telemetry Built-in

46. @antweiss
LinkerD 2.0
● From the Service Mesh Pioneers
● Kubernetes Only
● Sidecar-proxy: Linkerd (Rust)
● Minimum Config
● Telemetry Built-in
● High Performance

47. @antweiss
LinkerD 2.0
● From the Service Mesh Pioneers
● Kubernetes Only
● Sidecar-proxy: Linkerd (Rust)
● Minimum Config
● Telemetry Built-in
● High Performance
● Simplicity

48. @antweiss
● Battle-tested Tooling
Consul Connect

49. @antweiss
● Battle-tested Tooling
● Heterogeneous Environments
Consul Connect

50. @antweiss
● Battle-tested Tooling
● Heterogeneous Environments
● Sidecar-proxy: Envoy
Consul Connect

51. @antweiss
● Battle-tested Tooling
● Heterogeneous Environments
● Sidecar-proxy: Envoy
● Consul Agent on every Node
Consul Connect

52. @antweiss
● Battle-tested Tooling
● Heterogeneous Environments
● Sidecar-proxy: Envoy
● Consul Agent on every Node
● HCL/json/UI instead of YAML
Consul Connect

53. @antweiss
● Battle-tested Tooling
● Heterogeneous Environments
● Sidecar-proxy: Envoy
● Consul Agent on every Node
● HCL/json/UI instead of YAML
● Telemetry - directly from proxies
Consul Connect

54. @antweiss
● Battle-tested Tooling
● Heterogeneous Environments
● Sidecar-proxy: Envoy
● Consul Agent on every Node
● HCL/json/UI instead of YAML
● Telemetry - directly from proxies
● SMI - Traffic Access only
Consul Connect

55. @antweiss
Maesh
● Kubernetes Only

56. @antweiss
Maesh
● Kubernetes Only
● Proxy: Traefik

57. @antweiss
Maesh
● Kubernetes Only
● Proxy: Traefik
● Look Ma, No Sidecars!

58. @antweiss
Maesh
● Kubernetes Only
● Proxy: Traefik
● Look Ma, No Sidecars!
● SMI compliant (implements Spec, Acces, Split)

59. @antweiss
Maesh
● Kubernetes Only
● Proxy: Traefik
● Look Ma, No Sidecars!
● SMI compliant (implements Spec, Acces, Split)
● Config: by annotations on K8S objects

60. @antweiss
Maesh
● Kubernetes Only
● Proxy: Traefik
● Look Ma, No Sidecars!
● SMI compliant (implements Spec, Acces, Split)
● Config: by annotations on K8S objects
● Access to services through <service>.<namespace>.maesh

61. @antweiss
Kuma (Kong Mesh)
● Universal Service Mesh

62. @antweiss
Kuma (Kong Mesh)
● Universal Service Mesh
● Sidecar-proxy: Envoy

63. @antweiss
Kuma (Kong Mesh)
● Universal Service Mesh
● Sidecar-proxy: Envoy
● Platform-agnostic (Universal and Kubernetes-native)

64. @antweiss
Kuma (Kong Mesh)
● Universal Service Mesh
● Sidecar-proxy: Envoy
● Platform-agnostic (Universal and Kubernetes-native)
● No SMI Compliance

65. @antweiss
Kuma (Kong Mesh)
● Universal Service Mesh
● Sidecar-proxy: Envoy
● Platform-agnostic (Universal and Kubernetes-native)
● No SMI Compliance
● Kong Integration for Ingress

66. @antweiss
Kuma (Kong Mesh)
● Universal Service Mesh
● Sidecar-proxy: Envoy
● Platform-agnostic (Universal and Kubernetes-native)
● No SMI Compliance
● Kong Integration for Ingress
● For Enterprise (?)

67. @antweiss
NSM - Network Service Mesh
● L2/3

68. @antweiss
NSM - Network Service Mesh
● L2/3
● Hybrid and Multi-Cloud Scenarios

69. @antweiss
NSM - Network Service Mesh
● L2/3
● Hybrid and Multi-Cloud Scenarios
● Connecting Containers in Different Clusters

70. @antweiss
NSM - Network Service Mesh
● L2/3
● Hybrid and Multi-Cloud Scenarios
● Connecting Containers in Different Clusters
● Support for Exotic Protocols

71. @antweiss
NSM - Network Service Mesh
● L2/3
● Hybrid and Multi-Cloud Scenarios
● Connecting Containers in Different Clusters
● Support for Exotic Protocols
● Tunnels as First-Class Citizens

72. @antweiss
NSM - Network Service Mesh
● L2/3
● Hybrid and Multi-Cloud Scenarios
● Connecting Containers in Different Clusters
● Support for Exotic Protocols
● Tunnels as First-Class Citizens
● Dynamic Network Interface Allocation

73. @antweiss
NSM - Network Service Mesh
● L2/3
● Hybrid and Multi-Cloud Scenarios
● Connecting Containers in Different Clusters
● Support for Exotic Protocols
● Tunnels as First-Class Citizens
● Dynamic Network Interface Allocation
● NFV Platform for Cloud Native

74. @antweiss
EcoSystem!

75. @antweiss
EcoSystem!
● Landscape
● Playground
● Performance Benchmarks
https://layer5.io/
https://meshery.io/

76. @antweiss
EcoSystem!
https://github.com/istio-ecosystem
dns-discovery

77. @antweiss
BenchMarks
- Kinvolk’s service mesh benchmark suite :
https://github.com/kinvolk/service-mesh-benchmark
Istio vs. Linkerd 2.0 :
https://kinvolk.io/blog/2019/05/performance-benchmark-analysis-
of-istio-and-linkerd/
- Layer5 Service Mesh Performance Benchmark Spec :
https://github.com/layer5io/service-mesh-benchmark-spec

78. @antweiss
BenchMarks

79. @antweiss
Otomators
https://github.com/otomato-gh/birdwatch-otomator
https://github.com/weaveworks/flagger
https://github.com/solo-io/glooshot

80. @antweiss
For ServerLess
Istio
PLONK!
linkerd

81. @antweiss
Get Into The Mesh
● Start With Ingress
● Initial: Bypass + Telemetry
● Bring on Chaos (GlooShot)
● Single Namespace
● Think of : authz, authn, CA, change control, troubleshooting,
upgrade path
● One Cluster
● The Whole World is One Big Mesh

82. @antweiss
Thank You!
@antweiss
@otomato_sw
https://otomato.link
https://devopstrain.pro