clouds, containers, functions, applications, and their management
Girish Ranganathan
Principal Architect,
SolarWinds
First few services are relatively easy
Democratization of language and technology choice
Faster delivery, service teams running independently, rolling updates
Next 10 or so may introduce pain
Language and framework-specific libraries
Distributed environments, ephemeral infrastructure, outmoded tooling
to avoid...
Bloated service code
Duplicating work to make services production-ready
Load balancing, auto scaling, rate limiting, traffic routing...
Inconsistency across services
Retry, TLS, failover, deadlines, cancellation, etc., for each language, framework
Siloed implementations lead to fragmented, non-uniform policy application and difficult debugging
Diffusing responsibility of service management
Cluster Management
Host Discovery
Host Health Monitoring
Scheduling
Orchestrator Updates and Host Maintenance
Service Discovery
Networking and Load Balancing
Stateful Services
Multi-Tenant, Multi-Region
Application Health and Performance Monitoring
Application Deployments
Application Secrets
minimal capabilities required to qualify as a container orchestrator
Istio relies on these capabilities.
Ambassador uses Envoy
Kong uses Nginx
OpenResty uses Nginx
• Observability
• Logging
• Metrics
• Tracing
• Traffic Control
• Resiliency
• Efficiency
• Security
• Policy
a dedicated layer for managing service-to-service communication
So, a microservices platform?
obviously.
Orchestrators don't bring all that you need
and neither do service meshes,
but they do get you closer.
Missing: application lifecycle management, but not by much
partially.
Missing: distributed debugging; provide nascent visibility (topology)
where Dev and Ops meet
Problem: too much infrastructure code in services
visit layer5.io
1) Join the Layer5 Slack account.
2) Use 8.8.8.8 as your name server.
Open PWK
Deploy master node
use external DNS
save your `kubeadm join` command output
Install overlay networking
Add two more nodes to the cluster
an open platform to connect, manage, and secure microservices
Observability
Resiliency
Traffic Control
Security
Policy Enforcement
@IstioMesh
what gets people hooked on service metrics
Metrics without instrumenting apps
Consistent metrics across fleet
Trace flow of requests across services
Portable across metric back-end providers
You get a metric! You get a metric! Everyone gets a metric!
© 2018 SolarWinds Worldwide, LLC. All rights reserved.
control over chaos
Timeouts and Retries with timeout budget
Circuit breakers and Health checks
Control connection pool size and request load
content-based traffic steering
[Diagram: Control Plane and Data Plane. Control plane (istio-system namespace): Pilot, Citadel, Mixer. Data plane (application namespace): Foo Pod (Foo Container, Proxy Sidecar, Service Foo) and Bar Pod (Bar Container, Proxy Sidecar, Service Bar). Labelled flows: discovery & config, tls certs, policy check, telemetry reports, application traffic. Legend: out-of-band telemetry propagation; control flow during request processing.]
- A C++ based L4/L7 proxy
- Low memory footprint
- In production at Lyft™
Capabilities:
the included battery
Data Plane
Pod
Proxy sidecar
App Container
provides service discovery to sidecars
manages sidecar configuration
Pilot
Citadel
Control Plane
the head of the ship
Mixer
istio-system namespace
system of record for service mesh
provides abstraction from underlying platforms
Pilot
Citadel
Mixer
Control Plane
istio-system namespace
an attribute-processing and routing machine
operator-focused
[Diagram: Mixer in the control plane (istio-system namespace) and Foo Pod (Foo Container, Proxy Sidecar, Service Foo) in the data plane (application namespace). Labelled flows: application traffic, telemetry reports. Legend: out-of-band telemetry propagation; control flow during request processing.]
an attribute processing engine
Pilot
Citadel
Control Plane
security at scale
Mixer
istio-system namespace
security by default
Orchestrate Key & Certificate:
Setting up `istioctl`
Istio Adapter for SolarWinds
Open Source Adapters and Add-ons
(servicegraph)
Manual sidecar injection
[Diagram: application pods. Product Pod (Product Container), Details Pod (Details Container), Ratings Pod (Ratings Container), and Reviews Service with Reviews Pods v1, v2 and v3.]
[Diagram: the same pods, each with an Nginx sidecar, plus Envoy ingress.]
visit layer5.io for more
service mesh playground
compliments of NGINX
clouds, containers, functions,
and their management
layer5io.slack.com
distributed systems, golang, operating at-scale,
Pilot
Citadel
Mixer
Control Plane
istio-system namespace
AppOptics™
types: logs, metrics, access control, quota
Papertrail™
Prometheus™
Stackdriver™
Open Policy Agent
Grafana™
Fluentd
Statsd
[Diagram: Mixer in the control plane (istio-system namespace) and Foo Pod (Foo Container, Proxy sidecar, Service Foo) in the data plane (application namespace). Labelled flows: application traffic, telemetry reports. Legend: out-of-band telemetry propagation; control flow during request processing.]
an attribute processing engine
[Diagram: per-hop timeouts and retries across Web, Service Foo, Service Bar and Database. Timeout labels: 600ms, 300ms, 900ms, 500ms, 300ms, 900ms. Retries = 3 on every label.]
[Diagram: deadline propagation across Web, Service Foo, Service Bar and Database. Deadline labels: 600ms, 496ms, 428ms, 180ms. Elapsed labels: 104ms, 68ms, 248ms.]
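The deadline figures on this slide follow from each hop subtracting its elapsed time from the budget it received. The sketch below is an added example, not code from the original deck or from Istio: it reproduces those figures and contrasts them with independent per-hop timeouts and retries. It assumes the four deadlines belong, in order, to Web, Service Foo, Service Bar and Database, and that "Retries = 3" means three attempts after the first.

```python
# Added illustration: deadline (timeout budget) propagation across a call chain.
# Hop names and figures come from the slides; which elapsed time belongs to
# which hop is an assumption inferred from the arithmetic.

class DeadlineExceeded(Exception):
    """Raised when a hop is reached with no budget left."""


def propagate(budget_ms, hops):
    """Hand each hop the budget that remains when the request reaches it.

    hops is a list of (name, elapsed_ms) pairs; elapsed_ms is the time spent
    at that hop before it calls the next one. Returns (name, deadline_ms)
    pairs. Fails fast once the budget is spent, so downstream hops do no work
    for a caller that has already given up.
    """
    seen = []
    remaining = budget_ms
    for name, elapsed_ms in hops:
        if remaining <= 0:
            raise DeadlineExceeded(f"{name}: no budget left, request dropped")
        seen.append((name, remaining))
        remaining -= elapsed_ms
    return seen


def worst_case_fixed_timeouts(per_hop):
    """Longest time each hop may hold a request with independent settings.

    per_hop is a list of (timeout_ms, retries). Assumption: retries counts
    attempts after the first, so a hop may wait timeout * (1 + retries).
    """
    return [timeout * (1 + retries) for timeout, retries in per_hop]


# Constructed chain using the slide's elapsed times; Database is the last hop.
CHAIN = [("Web", 104), ("Service Foo", 68), ("Service Bar", 248), ("Database", 0)]

if __name__ == "__main__":
    for name, deadline in propagate(600, CHAIN):
        print(f"{name:12s} deadline={deadline}ms")
    # Per-hop settings from the timeout slide: 600ms, 300ms, 900ms, 3 retries each.
    print(worst_case_fixed_timeouts([(600, 3), (300, 3), (900, 3)]))
```

With a propagated deadline the whole chain is bounded by the caller's 600ms, whereas under these assumptions a single hop with independent settings can hold a request for several times that.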