Service Mesh with Istio on Kubernetes. Dmitry Burlea Software FlixCharter

Transcription

1 Service Mesh with Istio on Kubernetes Dmitry Burlea Software FlixCharter

2 Road to Microservices Monolith (all-in-one)

3 Road to Microservices Images from

4 Road to Microservices Image from

5 Road to Microservices Monolith (all-in-one) Service A Service C Service B Service D

6 Self Contained Systems / Micro Frontends Backend Team A Team B Team C Database Frontend

7 Microservices Deployment Service A Service B Service C Service D

8 Microservices Deployment: Containers

9 Microservice Architecture Challenges Service A Service B Service A Service B Service C Service D Service C Service D

10 Microservice Architecture Challenges Image from

11 Microservice Architecture Challenges Image from

12 Microservice Architecture Challenges Scaling up & down Resiliency Service Discovery Rolling out & back Security

13 Container Orchestration Tools Docker Swarm

14 FlixTech Image from

15 Kubernetes Open-sourced by Google in 2014 Replication Controller Pod Service Communication Channel Container Container Container Container Pod blueprint Pod Pod Pod

16 Microservice Architecture Challenges Image from

17 Microservice Architecture Challenges Image from

18 Microservice Architecture Challenges Observability Resiliency Traffic Management Metrics Distributed Tracing Dependency Visualization Circuit Breaking Health Checks Fault Injection Policy Enforcement Service Identity & Security

19 Microservice Architecture Challenges Observability Resiliency Traffic Management Policy Enforcement Service Identity & Security

20 Frameworks response to the challenge: Netflix OSS example Hystrix -

21 Service Discovery : :3444 Service A Service A Client Service : :4555 Service B Service B : :7777 Service C Service C

22 Netflix OSS: public class EurekaServiceApplication { public static void main(string[] args) { SpringApplication.run(EurekaServiceApplication.class, args); @RestController public class EurekaClientApplication private DiscoveryClient discoveryclient; public List<ServiceInstance> String applicationname) { return this.discoveryclient.getinstances(applicationname); }

23 Circuit Breaking Service A Client Service Service B Service C

24 Netflix OSS: Circuit Breaking public class BookService { private final RestTemplate resttemplate; public BookService (RestTemplate rest) { this.resttemplate = rest; = "reliable") public String readinglist() { URI uri = URI.create(" } return this.resttemplate.getforobject(uri, String.class); public String reliable() { return "Cloud Native Java (O'Reilly)"; } }

25 Distributed Tracing Service D Service B Service E error Client Service Service F Service C Service G

26 Distributed Tracing Service D Service B Service E Client Service Service F Service C Service G

27 Distributed Tracing

28 Distributed Tracing Service D Service B No Trace ID No Span ID Trace ID = X Span ID = A Client Service Service E Service F Service C Service G

29 Distributed Tracing Trace Data Storage / UI Service D Service B No Trace ID No Span ID Trace ID = X Span ID = A Client Service Service E Service F Service C Service G

30 Distributed Tracing

31 Frameworks Support Summary Hystrix Hello, me again Custom Vendor Specific Instrumentation None of them are native networking technologies Not flexible

32 Frameworks Support Summary

33 Another programming language Let s maybe implement the new service in Go, Kotlin, Ruby, (insert what is missing)???

34 New microservice in another programming language

35 Network & Business Logic Network related implementation Business logic implementation Service Service Service Service Service Service Service Service Service

36 Separate Business Logic from Networking Network related implementation Business logic implementation Service

37 Service Mesh: Sidecar "A sidecar is a one-wheeled device attached to the side of a motorcycle, scooter, or bicycle, producing a three-wheeled Images from

38 Service Mesh: Sidecar Sidecar proxy Service application Sidecar Service

39 Service Mesh: Sidecar In 2014, we started an initiative to create a replacement architecture that would scale better. The result has proven extremely successful and has been gradually deployed throughout Google, saving in the process millions of dollars a month in ops costs. Google Sidecar Sidecar Sidecar Service A Service B Service C

40 Service Mesh: Data Plane Sidecar Sidecar Sidecar Sidecar Sidecar Sidecar Data Plane Service A Service A Sidecar Sidecar Service B Service B Sidecar Sidecar Service C Service C Sidecar Sidecar Service D Service D Service E Service E Service F Service F

41 Service Mesh: Control Plane Control Plane Sidecar Sidecar Sidecar Sidecar Sidecar Sidecar Data Plane Service A Service A Sidecar Sidecar Service B Service B Sidecar Sidecar Service C Service C Sidecar Sidecar Service D Service D Service E Service E Service F Service F

42 Data Plane Solutions

43 Service Mesh Platforms

44 Istio. How has it started? IBM Amalgam8 project Google Service Control Envoy Lyft

45 Istio Service Architecture Pilot Mixer Service Discovery Citadel Envoy Proxy Envoy Proxy Envoy Proxy Kubernetes Pod Service A Service B Service C

46 Envoy L3 (Network) / L4 (Transport) Proxy L7 (Application) Proxy Implemented in C++ 11 Small memory footprint Battle Lyft VMs ~ requests / second

47 Istio Concepts Traffic Management Discovery & Load Balancing Traffic Splitting Traffic Steering Handling Failures Fault Injections Policies and Telemetry Rate limiting Distributing Tracing Collecting Logs & Metrics Generating Service Graph Security Authentication Policy Mutual TLS Authentication Istio RBAC

48 Istio: Traffic Management Service A Pod 1 Service Pod A2 Service V1 Pod A3 Service V1 B

49 Istio: Traffic Splitting Pod 1 Service Pod A2 Service V1 Pod A3 Service V1 B V1 Service A Canary Rollout Pod 4 Service B V2

50 Istio: Traffic Steering Pod 1 Service Pod A2 Service V1 Pod A3 Service V1 B V1 Service A A/B Testing Pod 4 Service B V2

51 Istio: Traffic Mirroring (Dark Launch)

52 Istio: Traffic Mirroring (Dark Launch) Service B V1 Service A Service B V2

53 Istio DSL A bit of code

54 Istio Routing API: Traffic Splitting split-95-5.yml apiversion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: split-95-5 spec: hosts: - service-b http: - route: - destination: host: service-b subset: v1 weight: 95 - route: - destination: host: service-b subset: v2 weight: 5 Service A Pod 1 Service Pod 2 AService Pod 3 V1 AService V1 B V1 Pod 4 Service B V2 istioctl create -f split-95-5.yaml

55 Istio Routing API: Traffic Steering apiversion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: route-rule-chrome-firefox spec: hosts: - service-b http: - match: - headers: user-agent: regex: *.Chrome.* route: - destination: host: service-b subset: v1 - match: - headers: user-agent: regex: *.Firefox.* route: - destination: host: service-b subset: v2 Service A Pod 1 Service Pod 2 AService Pod 3 V1 AService V1 B V1 Pod 4 Service B V2 istioctl create -f split-browser.yaml

56 Istio Routing API: Traffic Mirroring apiversion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: route-rule-mirror spec: hosts: - service-b http: - route: - destination: host: service-b subset: v1 mirror: host: service-b subset: v2 Service A Service B V1 Service B V2

57 Istio Resiliency: Http Timeout apiversion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: timeout-rule spec: hosts: - service-a http: - route: - destination: host: service-a subset: v1 timeout: 5s 00:30 istioctl create -f timeout-rule.yaml

58 Istio Resiliency: Http Retry apiversion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: retry-rule spec: hosts: - service-a http: - route: - destination: host: service-a subset: v1 retries: attempts: 3 pertrytimeout: 2s istioctl create -f retry-rule.yaml

59 Istio Fault Injection: Http Delay apiversion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: delay-rule spec: hosts: - service-a http: - fault: delay: fixeddelay: 7s percent: 100 match: - headers: cookie: regex: ^(.*?;)?(user=jason)(;.*)?$ route: - destination: host: service-a subset: v2 istioctl create -f delay-rule.yaml

60 Distributed Tracing Zipkin Backend Zipkin Adapter Stackdriver Adapter Custom Adapter Custom Backend Mixer Envoy Service A Trace Headers: x-request-id x-b3-traceid x-b3-spanid x-b3-parentspanid x-b3-sampled x-b3-flags x-ot-span-context Envoy Service B Trace Headers: x-request-id x-b3-traceid x-b3-spanid x-b3-parentspanid x-b3-sampled x-b3-flags x-ot-span-context Sidecar Service C

61 Distributed Tracing $ kubectl apply -f install/kubernetes/addons/zipkin.yaml $ kubectl apply -n istio-system -f tracing/jaeger-kubernetes/master/all-inone/jaeger-all-in-one-template.yml

62 Service Graph Service Graph Add-On $ kubectl apply -f install/kubernetes/addons/servicegraph.yaml

63 Security: Citadel Peer: Service-to-service mutual TLS Origin: End-user authentication with JWT apiversion: "authentication.istio.io/v1alpha1" kind: "Policy metadata: name: "example-3 spec: targets: - name: httpbin peers: - mtls: origins: - jwt: issuer: $SVC_ACCOUNT jwksuri: $JWKS principalbinding: USE_ORIGIN

64 Why Service Mesh is a good option? Networking

65 Decouple Networking from Business Logic Networking Business logic

66 References Istio Docs and Tutorials: Workshops: ks/introducing-istio-service-meshmicroservices/

67 Thank you! Do you have any questions?