
apidays Paris 2022 - The Magic of Service Mesh, Charly Molter, Kong

apidays
December 31, 2022


apidays Paris 2022 - APIs the next 10 years: Software, Society, Sovereignty, Sustainability
December 14, 15 & 16, 2022

The Magic of Service Mesh: Everything Your Sidecar Does for You
Charly Molter, Engineering Manager at Kong
------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

Deep dive into the API industry with our reports:
https://www.apidays.global/industry-reports/

Subscribe to our global newsletter:
https://apidays.typeform.com/to/i1MPEW


Transcript

  1. THE CLOUD CONNECTIVITY COMPANY © Kong Inc.
    The Magic of Service Mesh: What your sidecar does for you
    Charly Molter, ApiDays Paris - December 2022
  2. 2023 series of events
    - New York: May 16&17
    - Australia: October 11&12
    - Singapore: April 12&13
    - Helsinki & North: June 5&6
    - Paris: September
    - London: November 15&16
    - June 28-30
    - Silicon Valley: March 14&15
    - Dubai & Middle East: February 22&23
  3. Why this talk?
    - Sidecars are amazing, you'll see!
    - It's fun to understand how a service mesh works
    - As a user it's useful to understand how things work
    - Learn how to troubleshoot and leverage some Kuma tools
  4. Engineering manager of the mesh team @ Kong
    - Worked on many infrastructure projects
    - Twitter: @moltch
  5. Why a sidecar?
    - Simple security model
    - Containers did a lot of work to achieve multi-tenancy
    - Great failure isolation (you crash your sidecar, only your pod loses connectivity)
    - Your sidecar scales like your app does
    - Upgrading your sidecar is like upgrading your app, something you already do, right?!
    For more: https://thenewstack.io/ebpf-or-not-sidecars-are-the-future-of-the-service-mesh/
  6. What happens under the hood: Inspecting your sidecar
    - Envoy has a very complete admin API exposed on 127.0.0.1:9901
    - Use kumactl or the GUI to access it:
      - policies: list the policies that apply to your dataplane
      - config-dump: get the full Envoy config dump
      - stats: show the stats of the proxy
      - clusters: show information about Envoy clusters and endpoints
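The clusters view is the one to read when an endpoint silently stops receiving traffic. The Go program below is an added example, not code from the talk, from Kuma or from Envoy: it parses the plain-text /clusters page of the Envoy admin API, whose lines have the shape `cluster::address::field::value`, and lists the endpoints currently carrying the `failed_outlier_check` health flag. The sample output and its addresses are constructed; on a real pod the text would come from `curl -s http://127.0.0.1:9901/clusters` run inside the pod, or from the clusters view of kumactl inspect that the slide mentions.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

// Endpoint is one upstream host as reported on Envoy's /clusters admin page.
type Endpoint struct {
	Cluster     string
	Address     string
	HealthFlags string  // "healthy" or flags such as "/failed_outlier_check"
	SuccessRate float64 // -1 until Envoy has enough traffic to compute one
}

// ParseClusters reads the plain-text /clusters output, one
// "cluster::address::field::value" line per statistic, keyed by "cluster|address".
func ParseClusters(text string) map[string]*Endpoint {
	eps := map[string]*Endpoint{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		parts := strings.Split(strings.TrimSpace(sc.Text()), "::")
		if len(parts) != 4 {
			continue
		}
		cluster, addr, field, value := parts[0], parts[1], parts[2], parts[3]
		// Cluster-level lines (e.g. "default_priority::max_connections") carry no host:port.
		if _, _, err := net.SplitHostPort(addr); err != nil {
			continue
		}
		key := cluster + "|" + addr
		ep, ok := eps[key]
		if !ok {
			ep = &Endpoint{Cluster: cluster, Address: addr, SuccessRate: -1}
			eps[key] = ep
		}
		switch field {
		case "health_flags":
			ep.HealthFlags = value
		case "success_rate":
			if v, err := strconv.ParseFloat(value, 64); err == nil {
				ep.SuccessRate = v
			}
		}
	}
	return eps
}

// Ejected lists, sorted, the endpoints of a cluster that outlier detection has
// currently taken out of rotation.
func Ejected(eps map[string]*Endpoint, cluster string) []string {
	var out []string
	for _, ep := range eps {
		if ep.Cluster == cluster && strings.Contains(ep.HealthFlags, "failed_outlier_check") {
			out = append(out, ep.Address)
		}
	}
	sort.Strings(out)
	return out
}

// sampleClusters is a constructed excerpt of a /clusters page; the cluster name
// and addresses are made up for this example.
const sampleClusters = `demo-app::observability_name::demo-app
demo-app::default_priority::max_connections::1024
demo-app::added_via_api::true
demo-app::10.42.0.11:5000::cx_active::2
demo-app::10.42.0.11:5000::health_flags::healthy
demo-app::10.42.0.11:5000::success_rate::100.0
demo-app::10.42.0.12:5000::cx_active::0
demo-app::10.42.0.12:5000::health_flags::/failed_outlier_check
demo-app::10.42.0.12:5000::success_rate::81.0
demo-app::10.42.0.13:5000::health_flags::healthy
demo-app::10.42.0.13:5000::success_rate::-1.0
`

func main() {
	eps := ParseClusters(sampleClusters)
	for _, ep := range eps {
		fmt.Printf("%-8s %-16s flags=%-22s success_rate=%.1f\n", ep.Cluster, ep.Address, ep.HealthFlags, ep.SuccessRate)
	}
	fmt.Println("ejected from demo-app:", Ejected(eps, "demo-app"))
}
```

The admin API is bound to loopback for a reason: anything that can reach it can read the whole proxy configuration and can POST to endpoints that change log levels or drain listeners, so it should stay reachable only from inside the pod.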
  7. What happens under the hood: Mutual TLS and certificate rotation
    - The control-plane issues a certificate per sidecar
    - Sidecar info is added in the SAN of the cert as SPIFFE IDs, e.g. spiffe://default/demo-app_kuma-demo_svc_5000
    - The server leverages SPIFFE IDs to identify clients
    - The cert is renewed by the control-plane before expiration
  8. What happens under the hood: Mutual TLS and certificate rotation
    - Envoy will issue 1 certificate for each sidecar
    - The control-plane regenerates it at 4/5 of the expiration time
    - Envoy will use this new certificate
    - Dataplane tags are added in the SAN of the cert as SPIFFE IDs, e.g. spiffe://default/demo-app_kuma-demo_svc_5000
  9. What happens under the hood: CA rotation is almost as easy
    - The control-plane will issue new certificates using the "enabledBackend" for all dataplanes
    - All sidecars will have both CAs, to allow clients with old and new certs
    - Once all sidecars are on the new CA you can delete the old backend
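Slides 7 to 9 together describe three mechanisms: the identity lives only in the URI SAN as a SPIFFE ID, a certificate is renewed once 4/5 of its lifetime has passed, and during a CA rotation every sidecar trusts both the old and the new CA. The Go program below is an added example, not code from the talk or from Kuma; it reproduces those three mechanisms with the standard library on a throwaway pair of CAs. The CA names, the fixed timestamp and the 24-hour lifetime are assumptions chosen for the example; the SPIFFE ID is the one from the slides.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// NewCA creates a self-signed CA; it stands in for one mTLS backend of the mesh.
func NewCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueSidecarCert signs a short-lived leaf whose only identity is the SPIFFE ID
// carried in the URI SAN, as the control-plane does for each sidecar.
func IssueSidecarCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffeID string,
	now time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, NotBefore: now, NotAfter: now.Add(lifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		URIs:        []*url.URL{id}, // spiffe://<mesh>/<service>
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// TrustStore builds the pool of CAs a sidecar accepts; during a rotation it holds both.
func TrustStore(cas ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca)
	}
	return pool
}

// VerifyPeer is the server-side check: validate the chain against every trusted CA
// and return the mesh and service named by the peer's SPIFFE ID.
func VerifyPeer(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) (mesh, service string, err error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", "", err
	}
	for _, u := range leaf.URIs {
		if s := strings.TrimPrefix(u.Path, "/"); u.Scheme == "spiffe" && u.Host != "" && s != "" {
			return u.Host, s, nil
		}
	}
	return "", "", fmt.Errorf("peer certificate carries no usable SPIFFE ID")
}

// ShouldRotate applies the 4/5-of-lifetime rule from the slides.
func ShouldRotate(leaf *x509.Certificate, now time.Time) bool {
	return now.Sub(leaf.NotBefore) >= leaf.NotAfter.Sub(leaf.NotBefore)*4/5
}

func main() {
	now := time.Date(2022, 12, 14, 10, 0, 0, 0, time.UTC) // assumed fixed clock
	oldCA, oldKey, _ := NewCA("ca-1", now)
	newCA, _, _ := NewCA("ca-2", now)
	leaf, _ := IssueSidecarCert(oldCA, oldKey, "spiffe://default/demo-app_kuma-demo_svc_5000", now, 24*time.Hour)
	mesh, svc, err := VerifyPeer(leaf, TrustStore(oldCA, newCA), now.Add(time.Hour))
	fmt.Println("mesh:", mesh, "service:", svc, "err:", err)
	fmt.Println("rotate at +19h:", ShouldRotate(leaf, now.Add(19*time.Hour)), "at +20h:", ShouldRotate(leaf, now.Add(20*time.Hour)))
}
```

The trust-store step is the one that makes the rotation safe to run live: a sidecar that still holds only the old CA rejects every certificate signed by the new backend, which is why the old backend must stay in place until the last dataplane has been re-issued.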
  10. What happens under the hood: How about metrics?
    - Envoy will expose metrics on :5670
    - The sidecar can also scrape your application metrics on :5000
    - Application metrics and sidecar metrics are all exposed with a common set of labels regardless of where they run (Kubernetes or elsewhere)
    - No need to expose your application metrics port to scrape metrics
  11. What happens under the hood: Endpoint discovery / load balancing
    - Whenever a pod is added/removed or goes unhealthy, the CP recomputes the configuration of all of the service's clients
    - All this usually happens in < 1 second
    - The load balancing algorithm is configurable
  12. What happens under the hood: Outlier detection
    - Exclude endpoints for some time if the failure rate jumps over a threshold
    - When setting it to 15% we see that the endpoint with 81% success won't receive requests
  13. What happens under the hood: Lowering the threshold
    - Lowering the threshold to 5%
    - Now 2 endpoints are outliers and won't receive requests
  14. What happens under the hood: Avoiding shooting yourself in the foot
    - When playing with endpoint health, always set a fail-safe to avoid ending up with too few endpoints
    - In this case maxEjectionPercent does this: if less than 50% of the endpoints are outliers, consider no one an outlier
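Slides 12 to 14 describe outlier detection as a threshold on the failure rate plus a fail-safe cap on how much of the cluster may be ejected. The Go program below is an added example, not code from the talk, from Kuma or from Envoy; it models that logic on four constructed endpoints, one of them the 81%-success endpoint from the slides. A host is an outlier when its failure rate exceeds the threshold, ejection proceeds worst-first, and the cap stops further ejections once the configured share of the cluster is gone (this follows how Envoy applies `max_ejection_percent`, which Kuma exposes as the maxEjectionPercent field the slide names). Addresses and request counts are made up.

```go
package main

import (
	"fmt"
	"sort"
)

// Host is one upstream endpoint with the request outcomes the sidecar observed
// over the detection interval.
type Host struct {
	Address string
	Total   int // requests sent in the interval
	Failed  int // of those, how many failed (5xx, connect errors, ...)
}

// FailureRate is the percentage of failed requests.
func (h Host) FailureRate() float64 {
	if h.Total == 0 {
		return 0
	}
	return 100 * float64(h.Failed) / float64(h.Total)
}

// Eject returns, worst first, the endpoints to take out of rotation.
//   thresholdPct:   failure rate above which a host is an outlier
//   maxEjectionPct: fail-safe cap on the share of the cluster that may be ejected
//   minRequests:    hosts with less traffic than this are not judged at all
func Eject(hosts []Host, thresholdPct, maxEjectionPct float64, minRequests int) []string {
	cands := make([]Host, 0, len(hosts))
	for _, h := range hosts {
		if h.Total >= minRequests && h.FailureRate() > thresholdPct {
			cands = append(cands, h)
		}
	}
	sort.SliceStable(cands, func(i, j int) bool { return cands[i].FailureRate() > cands[j].FailureRate() })
	var ejected []string
	for _, h := range cands {
		// Stop as soon as one more ejection would push the ejected share over the cap.
		if 100*float64(len(ejected)+1)/float64(len(hosts)) > maxEjectionPct {
			break
		}
		ejected = append(ejected, h.Address)
	}
	return ejected
}

// SampleHosts is constructed data: the 81%-success endpoint from the slides plus
// three others at 100%, 93% and 90% success.
func SampleHosts() []Host {
	return []Host{
		{"10.42.0.11:5000", 100, 0},
		{"10.42.0.12:5000", 100, 7},
		{"10.42.0.13:5000", 100, 10},
		{"10.42.0.14:5000", 100, 19},
	}
}

func main() {
	hosts := SampleHosts()
	fmt.Println("threshold 15%, no cap:  ", Eject(hosts, 15, 100, 50))
	fmt.Println("threshold 5%, no cap:   ", Eject(hosts, 5, 100, 50))
	fmt.Println("threshold 5%, cap 50%:  ", Eject(hosts, 5, 50, 50))
	fmt.Println("threshold 5%, cap 10%:  ", Eject(hosts, 5, 10, 50))
}
```

The last line of main shows the other side of the fail-safe: with Envoy's default cap of 10% and only four endpoints, a single ejection would already exceed the cap, so nothing is ejected at all, and a badly behaving endpoint keeps receiving traffic. Both directions need to be checked when tuning these values on a small cluster.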
  15. What happens under the hood: Conclusion
    - Sidecars implement complex algorithms
    - Envoy is very mature, so you can trust these algorithms
    - Whenever evaluating the overhead of the mesh, take into account the features it brings
    - Use kumactl inspect (or the UI) to figure out how things work
  16. Thanks! Please ask me any questions
    Scan to get Kong Mesh