Girish Ranganathan
Ayrat Khyretdinov
a dedicated layer for managing service-to-service communication
So, a microservices platform?
obviously.
Orchestrators don't bring all that you need
and neither do service meshes,
but they do get you closer.
partially.
an open platform to connect, manage, and secure microservices
Observability
Resiliency
Traffic Control
Security
Policy Enforcement
@IstioMesh
what gets people hooked on service metrics
Metrics without instrumenting apps
Consistent metrics across fleet
Trace flow of requests across services
Portable across metric back-end providers
You get a metric! You get a metric! Everyone gets a metric!
© 2018 SolarWinds Worldwide, LLC. All rights reserved.
control over chaos
Timeouts and Retries
Control connection pool size and request load - rate limiting
Circuit breakers and Health checks
content-based traffic steering
Missing: application lifecycle management, but not by much
Missing: distributed debugging; provide nascent visibility (topology)
Join Slack http://slack.layer5.io
[Optional] Subscribe to newsletter https://layer5.io/subscribe
Start Docker Desktop, Minikube or other.
(either single-node or multi-node clusters will work)
Verify that you have a functional Docker environment by running:
$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
1b930d010525: Pull complete
Digest: sha256:0e11c388b664df8a27a901dce21eb89f11d8292f7fca1b3e3c4321bf7897bffe
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
Docker and Kubernetes
Ensure your Docker Desktop VM has 4GB of memory assigned.
Ensure Kubernetes is enabled.
$ kubectl version --short
Client Version: v1.14.1
Server Version: v1.14.1
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
docker-desktop Ready master 10m v1.14.1
Kubernetes v1.9 or higher
Management Plane (layer5.io/meshery): provides expanded governance, backend system integration, multi-mesh, federation, expanded policy, and dynamic application and mesh configuration.
Control Plane
Data Plane
Install the meshery CLI (check where the shortlink redirects with curl -sIL https://git.io/meshery before putting the downloaded binary on your PATH), then start it:
sudo curl -L https://git.io/meshery -o /usr/local/bin/meshery
sudo chmod a+x /usr/local/bin/meshery
meshery start
minimal capabilities required to qualify as a container orchestrator:
Cluster Management
Host Discovery
Host Health Monitoring
Scheduling
Orchestrator Updates and Host Maintenance
Service Discovery
Networking and Load Balancing
Stateful Services
Multi-Tenant, Multi-Region
Application Health and Performance Monitoring
Application Deployments
Application Secrets
Service meshes generally rely on these underlying layers.
Ambassador uses Envoy
Kong uses Nginx
OpenResty uses Nginx
north-south vs. east-west: API gateways like these handle north-south traffic (clients entering the cluster); a service mesh handles east-west traffic (service-to-service calls inside the cluster).
Enforcing consistency across both is challenging.
[Diagram: the library approach. Foo Pod (Go library, service A v1), Bar Pod (Go library, service A v2) and Baz Pod (Java library, service B v1) each embed their own network stack, service discovery, circuit breaking, flow control, retry budgets and rate limiting next to the application / business logic.]
to avoid...
Avoid bloated service code
Duplicating work to make services production-ready
Load balancing, auto scaling, rate limiting, traffic routing...
Inconsistency across services
Retry, TLS, failover, deadlines, cancellation, etc., reimplemented for each language and framework
Siloed implementations lead to fragmented, non-uniform policy application and difficult debugging
Diffusing responsibility of service management
• Observability
• Logging
• Metrics
• Tracing
• Traffic Control
• Resiliency
• Efficiency
• Security
• Policy
...a Service Mesh
North star is and has always been applications.
We're concerned less with infrastructure and more with applications.
where Dev and Ops meet
Problem: too much infrastructure code in services
Can modernize your IT inventory without:
Rewriting your applications
Adopting microservices, regular services are fine
Adopting new frameworks
Moving to the cloud
address the long-tail of IT services
Get there for free
[Diagram: a data plane alone (ingress gateway, egress gateway and the proxies between them) is not a mesh: "No control plane? Not a service mesh." Adding a control plane over the data plane makes it a service mesh; on top of both, "You need a management plane."]
layer5.io/landscape
[Diagram: Istio architecture. Control plane, in the istio-system namespace: Pilot pushes discovery & config to the sidecars, Citadel issues their TLS certs, Mixer answers the policy check made during request processing and receives telemetry reports propagated out-of-band, and Galley. Data plane, in the application namespace: Foo Pod and Bar Pod each run a proxy sidecar beside the app container; application traffic flows sidecar to sidecar, with an ingress gateway and an egress gateway at the edge.]
Envoy: the included battery
- A C++ based L4/L7 proxy
- Low memory footprint
- In production at Lyft™
Capabilities:
Data Plane: every Pod runs a proxy sidecar next to the app container.
Control Plane (istio-system namespace):
Pilot, the head of the ship: provides service discovery to sidecars and manages sidecar configuration.
Galley: system of record for the service mesh; provides abstraction from the underlying platforms.
Mixer: an attribute-processing and routing machine; operator-focused.
Citadel
Mixer adapters (types: logs, metrics, access control, quota): AppOptics™, Papertrail™, Prometheus™, Stackdriver™, Grafana™, Open Policy Agent, Fluentd, Statsd.
[Diagram: Mixer, an attribute processing engine. The proxy sidecar of Service Foo in the application namespace calls Mixer in the istio-system namespace for control flow during request processing, and sends telemetry reports out-of-band, off the application-traffic path.]
Citadel: security at scale, security by default. Citadel issues the TLS certificates the sidecars use to authenticate each other.
Orchestrate Key & Certificate:
github.com/layer5io/istio-service-mesh-workshop
a multi-service mesh management plane
Service Mesh Interface (SMI)
@layer5
[Diagram: Meshery as the management plane. The meshery server talks over gRPC to a per-mesh adapter, which configures the control plane (configuration, security, telemetry, in the service mesh namespace) and talks to kube-api in kube-system. In the data plane, Foo Pod and Bar Pod in the application namespace carry http / gRPC application traffic through their proxy sidecars, with an ingress gateway and an egress gateway at the edge; telemetry is propagated out-of-band.]
[Diagram: the Bookinfo sample application, before and after sidecar injection. Application traffic enters through the Istio ingress gateway (Envoy) to the Product Service; the Product Pod calls the Details Service and the Reviews Service, and Reviews (three versions: v1, v2, v3, in Reviews Pods) calls the Ratings Service. After injection every pod (Product, Details, Reviews v1/v2/v3, Ratings) runs an Envoy sidecar.]
Grafana
Jaeger
The istio-proxy reports a span for every hop, but those spans are only correlated into one trace when the application itself collects and propagates the following headers from the incoming request to any outgoing requests it makes:
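The propagation Envoy needs from the application, as an added example that is not part of the workshop material: a small Go helper that copies the trace-context headers from an inbound request onto an outbound one. The header names are the ones Istio's distributed-tracing documentation asks applications to forward; the service URLs and the sample header values are constructed for the example. Note that it is an allowlist: nothing else on the inbound request (an Authorization header, for instance) is forwarded by accident.

```go
package main

import (
	"fmt"
	"net/http"
)

// traceHeaders lists the headers Istio's Envoy sidecar expects an application
// to copy from each inbound request onto every outbound request it makes, so
// that the per-hop spans Envoy reports can be stitched into a single trace.
// (Names taken from the Istio distributed-tracing documentation.)
var traceHeaders = []string{
	"x-request-id",
	"x-b3-traceid",
	"x-b3-spanid",
	"x-b3-parentspanid",
	"x-b3-sampled",
	"x-b3-flags",
	"x-ot-span-context",
}

// PropagateTraceHeaders copies the trace-context headers present on the inbound
// request to the outbound request. Headers absent on the inbound side are left
// unset so Envoy starts a fresh trace. It returns the number of headers copied.
// Only the allowlisted names are copied; no other inbound header is forwarded.
func PropagateTraceHeaders(in, out *http.Request) int {
	n := 0
	for _, h := range traceHeaders {
		if v := in.Header.Get(h); v != "" {
			out.Header.Set(h, v)
			n++
		}
	}
	return n
}

// newOutbound builds an outbound request to another in-mesh service (the URL is
// a hypothetical example) and propagates trace context from the request that
// triggered it.
func newOutbound(in *http.Request, url string) (*http.Request, error) {
	out, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	PropagateTraceHeaders(in, out)
	return out, nil
}

func main() {
	// Constructed inbound request, as Envoy would hand it to the app container.
	in, _ := http.NewRequest(http.MethodGet, "http://foo.default.svc.cluster.local/", nil)
	in.Header.Set("x-request-id", "c0ffee11-aaaa-bbbb-cccc-000000000001")
	in.Header.Set("x-b3-traceid", "463ac35c9f6413ad48485a3953bb6124")
	in.Header.Set("x-b3-spanid", "a2fb4a1d1a96d312")
	in.Header.Set("x-b3-sampled", "1")
	in.Header.Set("authorization", "Bearer not-a-trace-header") // must not be forwarded

	out, _ := newOutbound(in, "http://bar.default.svc.cluster.local/")
	fmt.Println(out.Header)
}
```

Wire PropagateTraceHeaders into whatever HTTP client your service uses; without it Jaeger shows each hop as its own one-span trace.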
[Diagram: a call chain Web → Service Foo → Service Bar → Database, with a per-hop timeout of 600ms, 300ms and 900ms and 3 retries at every hop; a second variant uses 500ms, 300ms and 900ms, again with 3 retries per hop.]
the Service Mesh Community
layer5.io/subscribe
Download the latest Istio release (the script is fetched over HTTPS; read it before piping it to sh) and check the CLI:
curl -L https://git.io/getLatestIstio | sh -
istioctl version
Install the Istio CRDs, then verify that they were created:
for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done
kubectl get crd | grep istio
Install the demo profile, then verify the namespace, services and pods of the control plane:
kubectl apply -f install/kubernetes/istio-demo.yaml
kubectl get namespaces
kubectl get svc -n istio-system
kubectl get pod -n istio-system
Sidecar proxies can be injected into your pods either manually or automatically.
Automatic sidecar injection leverages Kubernetes' Mutating Webhook Admission Controller.
If your environment does NOT support this API, you can inject the Istio sidecar manually instead (see istioctl kube-inject below).
1. Confirm that the admission API, the injector webhook and the injector deployment are present:
kubectl api-versions | grep admissionregistration
kubectl get mutatingwebhookconfigurations
kubectl get mutatingwebhookconfigurations istio-sidecar-injector -o yaml
kubectl -n istio-system get deployment -l istio=sidecar-injector
2. Confirm namespace label:
kubectl get ns -L istio-injection
In namespaces without the istio-injection label, you can use istioctl kube-inject to manually inject Envoy containers in your application pods before deploying them:
istioctl kube-inject -f <your-app-spec>.yaml | kubectl apply -f -
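The decision the injector makes for each pod, as an added example that is not part of the workshop or of Istio's code: a Go function encoding the automatic-injection rules of the Istio 1.1-era webhook (namespace label, hostNetwork, the sidecar.istio.io/inject annotation, and the injector ConfigMap's default policy). It is useful for auditing why a workload did or did not end up with a sidecar; the pod names and namespaces are constructed for the example.

```go
package main

import "fmt"

// InjectionPolicy mirrors the "policy" value in the istio-sidecar-injector ConfigMap.
type InjectionPolicy string

const (
	PolicyEnabled  InjectionPolicy = "enabled"  // inject unless the pod opts out
	PolicyDisabled InjectionPolicy = "disabled" // inject only if the pod opts in
)

// Pod holds the only fields of a pod (and its namespace) that the injection
// decision depends on. Nil maps are safe to look up.
type Pod struct {
	Name            string
	Namespace       string
	NamespaceLabels map[string]string
	Annotations     map[string]string
	HostNetwork     bool
}

// WillInject reproduces the automatic-injection decision of the Istio 1.1-era webhook:
//  1. the MutatingWebhookConfiguration's namespaceSelector only sends the webhook pods
//     from namespaces labelled istio-injection=enabled (so kube-system is never touched);
//  2. pods with hostNetwork: true are never injected;
//  3. the pod annotation sidecar.istio.io/inject ("true"/"false") overrides the policy;
//  4. otherwise the injector's default policy decides.
// The second return value explains the outcome, which is what you want in an audit
// trail when a workload unexpectedly runs outside the mesh.
func WillInject(p Pod, policy InjectionPolicy) (bool, string) {
	if p.NamespaceLabels["istio-injection"] != "enabled" {
		return false, "namespace " + p.Namespace + " is not labelled istio-injection=enabled; inject manually with istioctl kube-inject"
	}
	if p.HostNetwork {
		return false, "hostNetwork pods are never injected"
	}
	switch p.Annotations["sidecar.istio.io/inject"] {
	case "true":
		return true, "pod annotation sidecar.istio.io/inject=true"
	case "false":
		return false, "pod annotation sidecar.istio.io/inject=false"
	}
	if policy == PolicyDisabled {
		return false, "injector policy is disabled and the pod did not opt in"
	}
	return true, "injector policy is enabled and the pod did not opt out"
}

func main() {
	// Constructed pods, not taken from any real cluster.
	labelled := map[string]string{"istio-injection": "enabled"}
	pods := []Pod{
		{Name: "productpage", Namespace: "default", NamespaceLabels: labelled},
		{Name: "legacy-batch", Namespace: "default", NamespaceLabels: labelled,
			Annotations: map[string]string{"sidecar.istio.io/inject": "false"}},
		{Name: "node-exporter", Namespace: "monitoring", NamespaceLabels: labelled, HostNetwork: true},
		{Name: "coredns", Namespace: "kube-system"},
	}
	for _, p := range pods {
		ok, why := WillInject(p, PolicyEnabled)
		fmt.Printf("%-14s inject=%-5v %s\n", p.Name, ok, why)
	}
}
```

Two of the rules matter for security review: an opt-out annotation silently removes a workload from mTLS and policy enforcement, and hostNetwork pods are outside the mesh regardless of what the namespace label says.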
Kiali
Expose the kiali service outside the cluster by editing its service definition (for example, changing its type to NodePort), then read back the port it was assigned:
kubectl -n istio-system edit svc kiali
kubectl -n istio-system get svc kiali
[Diagram: the same chain, Web → Service Foo → Service Bar → Database, with per-hop timeouts of 600ms, 300ms and 900ms (or 500ms, 300ms and 900ms) and 3 retries at every hop, contrasted with deadline propagation: Web sets a 600ms deadline; after 104ms have elapsed, Foo hands Bar a 496ms deadline; after a further 68ms, Bar hands the Database a 428ms deadline; after another 248ms, 180ms of the deadline remain.]
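The arithmetic behind the two diagrams, as an added example that is not part of the workshop: a Go program that takes the slide's per-hop timeouts and retry counts, flags every hop whose worst case (timeout times attempts) exceeds what its caller will wait, computes how many times the innermost dependency can be hit per client request when every layer exhausts its retries, and then reproduces the deadline-propagation numbers from the slide (600 → 496 → 428 → 180ms). Hop names and elapsed times are the slide's; the functions are this example's own.

```go
package main

import "fmt"

// Hop is one call in the chain, with the timeout and retry count the caller
// configures for it (in Istio, on the VirtualService for the called service).
type Hop struct {
	Name      string // "Web->Foo", "Foo->Bar", ...
	TimeoutMs int    // per-attempt timeout
	Retries   int    // retries after the first attempt
}

// WorstCaseMs is the longest the caller can wait on this hop: the first attempt
// plus every retry, each allowed the full timeout.
func (h Hop) WorstCaseMs() int { return h.TimeoutMs * (1 + h.Retries) }

// CheckBudgets walks the chain from the edge inward and reports each hop whose
// worst case exceeds what its own caller is willing to wait. Those retries are
// wasted: the caller has already given up (and probably retried), so the slow
// dependency is hit by the product of all the retry counts above it.
func CheckBudgets(chain []Hop) []string {
	var problems []string
	for i := 1; i < len(chain); i++ {
		parent, child := chain[i-1], chain[i]
		if child.WorstCaseMs() > parent.TimeoutMs {
			problems = append(problems, fmt.Sprintf(
				"%s: up to %dms (%dms x %d attempts) but %s gives up after %dms",
				child.Name, child.WorstCaseMs(), child.TimeoutMs, 1+child.Retries,
				parent.Name, parent.TimeoutMs))
		}
	}
	return problems
}

// MaxRetryAmplification is how many times the innermost hop can be attempted for
// one client request when every caller above it exhausts its retries.
func MaxRetryAmplification(chain []Hop) int {
	n := 1
	for _, h := range chain {
		n *= 1 + h.Retries
	}
	return n
}

// PropagateDeadline is the alternative from the slide: one deadline is set at the
// edge and handed down the chain, each service subtracting the time it has already
// spent before calling the next one. The result holds the deadline given to each
// successive hop; a non-positive entry means that call should not be made at all.
func PropagateDeadline(edgeDeadlineMs int, elapsedMs []int) []int {
	deadlines := []int{edgeDeadlineMs}
	remaining := edgeDeadlineMs
	for _, e := range elapsedMs {
		remaining -= e
		deadlines = append(deadlines, remaining)
	}
	return deadlines
}

func main() {
	// Values from the slide: timeouts 600/300/900ms with 3 retries at every hop.
	chain := []Hop{{"Web->Foo", 600, 3}, {"Foo->Bar", 300, 3}, {"Bar->Database", 900, 3}}
	for _, p := range CheckBudgets(chain) {
		fmt.Println("budget violation:", p)
	}
	fmt.Println("database can be hit up to", MaxRetryAmplification(chain), "times per client request")
	// Deadline propagation with the slide's elapsed times: 104ms, 68ms, 248ms.
	fmt.Println("deadlines handed down the chain:", PropagateDeadline(600, []int{104, 68, 248}))
}
```

With the slide's numbers both inner hops violate their caller's budget and the database can see 64 attempts for a single client request, which is the retry storm a service mesh makes it easy to configure by accident; a propagated deadline bounds the whole chain instead.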
If we have time...
[Diagram: a Client reaches an Edge Cache in front of an Istio Gateway (envoy); inside the service mesh a Cache Generator reaches a Collection of VMs running APIs, routed through two Istio VirtualServices and an Istio ServiceEntry.]
Situation:
Benefits:
[Diagram: the per-node deployment model. One linkerd process runs on each Node (server) and proxies for every service instance on that node (several copies of Service A, plus Service B or Service C); application traffic, control flow and out-of-band telemetry all pass through that one node-level proxy.]
Advantages:
Less (memory) overhead.
Simpler distribution of configuration information.
primarily physical or virtual server based; good for large monolithic applications.
Disadvantages:
Coarse-grained encryption: host-to-host rather than service-to-service, so encryption and authentication policies can only be applied per host.
Blast radius of a proxy failure includes all applications on the node, which is essentially equivalent to losing the node itself.
Not a transparent entity, services must be aware of its existence.
layer5.io/books
Advantages:
Good starting point for building a brand-new microservices architecture or for migrating from a monolith.
Disadvantages:
When the number of services increases, it becomes difficult to manage.
Advantages:
Granular encryption of service-to-service communication.
Can be gradually added to an existing cluster without central coordination.
Disadvantages:
Lack of central coordination. Difficult to scale operationally.
Advantages:
Works with existing services that can be broken down over time.
Disadvantages:
Is missing the benefits of service-to-service visibility and control.
[Diagram: a multi-cluster mesh. The LOCAL CLUSTER runs the control plane (configuration, security, telemetry) in the service mesh namespace, kube-api in kube-system, and the data plane (Foo Pod and Bar Pod with proxy sidecars) in the application namespace, with an ingress gateway at the edge. The REMOTE CLUSTER runs the Baz Pod with its own proxy sidecar, its own sidecar injector and kube-api, and an egress gateway. The two clusters trust a Shared Root CA, so sidecars in either cluster can authenticate each other.]