$30 off During Our Annual Pro Sale. View Details »

Kubernetes sidecar pattern as a swiss-army knif...

Kubernetes sidecar pattern as a swiss-army knife for microservices

Kubernetes sidecar pattern as a swiss-army knife for microservices

IQPC Australia’s DevOps APAC Virtual Event 2021
https://m.facebook.com/iqpcaustraIia/photos/a.1828156120808203/2759102687713537/?type=3

Abhishek Tiwari

September 27, 2021
Tweet

More Decks by Abhishek Tiwari

Other Decks in Technology

Transcript

  1. @abhishektiwari A bit about me • Director of Engineering at

    HelloFresh • An early adopter of K8S ~ Dec 2015 • Ran large K8s clusters in AWS and GCP • A range of mission critical stateles workloads
  2. @abhishektiwari J-CURVE OF DevOPs Excellence Credits: Accelerate: State of DevOps

    2018: Strategies for a New Economy | Does DevOps Matter? 7% Elite
  3. @abhishektiwari Common DevOps Concerns A B C Service-to-service communication A

    B C Securing services and communication A B C Control and enforce policies
  4. @abhishektiwari Common DevOps Concerns A B C Service observability and

    telemetry A B C Fault tolerance and circuit breakers A B C Deployments and service topologies
  5. @abhishektiwari Old Approach fault tolerance libraries Implementation specific to -

    Languages (Java/Scala) or - Frameworks or - Server (Tomcat/Jetty)or - Protocols (Thrift/RPC)
  6. @abhishektiwari Kubernetes Kubernetes has now become the de facto standard

    for deploying containerized applications at scale in private, public and hybrid cloud.
  7. @abhishektiwari High-level architecture Kubernetes Master Node Node Node Pod Pod

    Pod Pod Pod Pod Pod Pod Pod Pod Pod Pod Pods are scheduled and packed dynamically on Kubernetes nodes Docker Kubelet Kube Proxy Docker Kubelet Kube Proxy Docker Kubelet Kube Proxy
  8. @abhishektiwari PODS A pod can co-schedule multiple containers as an

    atomic unit. MySQL Django Nginx MySQL Django Nginx Co-scheduled multiple containers as pod Scheduled independently as containers
  9. @abhishektiwari Design patterns for container-based distributed systems 3 Essential Patterns

    • Single-pod single-container patterns • Single-pod multiple-container patterns • multi-pod patterns
  10. @abhishektiwari MySQL Django Nginx MySQL Django Nginx Single-pod, multiple-containers pattern

    Single-pod, single-container pattern PODS MySQL Django Nginx 1 2 3 Combination of 1 & 2
  11. @abhishektiwari MySQL 3 Combination of 1 & 2 Django Nginx

    Django Nginx Stateless Autoscaling of PODS Django Nginx
  12. @abhishektiwari Main container Sidecar container Sidecar pattern A sidecar is

    a utility container in the Pod and its whole purpose is to support the main container Fluentd Python App error.log
  13. @abhishektiwari • Independent resource • Completely reusable • Graceful degradation

    • Seperate life cycle • Runtime injection • Multiple per main • Peripheral tasks Benefits of Sidecar
  14. @abhishektiwari Envoy Linkerd Sidecar proxy (aka data plane) traefik Intelligent

    service proxy which mediate and/or control all network communication Nginx HAProxy
  15. @abhishektiwari Nginx Sidecar proxy MySQL Django Nginx Sidecar Nginx proxy

    mediates all traffic to and from main Django container Python App
  16. @abhishektiwari Service to service communication Service-A Envoy Service-B Envoy Service-C

    Envoy Envoy.yaml: Routing virtual_hosts: - name: backend domains: - "*" routes: - match: prefix: "/service/a" route: cluster: service_a - match: prefix: "/service/b" route: cluster: service_b - match: prefix: "/service/c" route: cluster: service_c
  17. @abhishektiwari Service to service communication Service-A Envoy Service-B Envoy Service-C

    Envoy Envoy.yaml: Load Balancing clusters: - name: service_a connect_timeout: 0.25s type: strict_dns lb_policy: round_robin http2_protocol_options: {} hosts: - socket_address: address: service_a port_value: 443 - name: service_b connect_timeout: 0.25s type: strict_dns lb_policy: round_robin http2_protocol_options: {} hosts: - socket_address: address: service_b port_value: 443
  18. @abhishektiwari Securing services and communication Service-A Envoy Service-B Envoy Service-C

    Envoy Envoy.yaml: JWT Authentication providers: jwt_provider1: issuer: https://auth0.com audiences: audience1 local_jwks: inline_string: PUBLIC-KEY rules: - match: prefix: /health - match: prefix: /api requires: provider_and_audiences: provider_name: jwt_provider1 audiences: api_audience - match: prefix: / requires: provider_name: jwt_provider1
  19. @abhishektiwari Fault tolerance and circuit breakers Service-A Envoy Service-B Envoy

    Service-C Envoy Envoy.yaml: Circuit Breakers circuit_breakers: thresholds: max_connections: 1 max_pending_requests: 1 max_requests: 1
  20. @abhishektiwari Fault tolerance and circuit breakers Service-A Envoy Service-B Envoy

    Service-C Envoy Envoy.yaml: Retry/Timeout retry_policy: retry_on: 5xx num_retries: 3 per_try_timeout: 5s
  21. @abhishektiwari Fault tolerance and circuit breakers Service-A Envoy Service-B Envoy

    Service-C Envoy Envoy.yaml: Fault/Delay http_filters: - name: envoy.fault config: delay: type: fixed fixed_delay: 10s percentage: numerator: 50 denominator: HUNDRED
  22. @abhishektiwari Service observability and telemetry Service-A Envoy Service-B Envoy Service-C

    Envoy Envoy.yaml: Zipkin Tracing tracing: http: name: zipkin typed_config: type: zipkin collector_cluster: zipkin collector_endpoint: "/zipc"
  23. @abhishektiwari We need a control plane Control Plane Manages and

    configures the proxies, enforce policies and collect telemetry Service-A Envoy Service-B Envoy Service-C Envoy Data Plane