like to call me Bobby Tables ▸ I work at Namely (namely.com) ▸ I’m currently a lead on our implementation of Istio on Kubernetes ▸ We’ve been following and trying Istio since 0.1
Istio and its internals ‣ Explain a little bit of the lower level architecture of Istio ‣ All of this will be in the context of Istio + Kubernetes ‣ Following a request through our mesh Istio
Envoy very well done ▸ So well done, in fact, you can sometimes forget Envoy is even there ▸ So when things aren't working it can difficult to know sometimes which part is wrong
Istio Ingress, which is mostly Envoy but configured slightly different than sidecars ▸ Istio has a pod called "istio-ingress" that runs a Envoy process that is configured to retrieve routes from Pilot for ingress rules only ▸ Pilot is listening to the Kubernetes API server and refreshing its cache of ingress rules ▸ Envoy Ingress then retrieves these updates every second (or whatever is configured)
see what view of the world Istio has currently ▸ We'll apply a service and watch Pilot update ▸ We'll then deploy a set of pods and watch Pilot update ▸ We'll then apply an ingress and watch Pilot update
▸ Once the Ingress (Envoy) receives a request, it will find an upstream endpoint to forward the request to ▸ Envoy has many modes for load balancing, by default it uses Round Robin ▸ Once a pod IP is selected, the next step happens.
Istio + Kubernetes, your pods will have a "sidecar" attached inside of it. ▸ This sidecar is running another Envoy instance that is configured to pull from the Pilot API (the same way Ingress works, but in sidecar mode) ▸ This sidecar receives all traffic (ingress and egress) ▸ Istio does this by creating a NAT IP Table rule that redirects all traffic to port 15001 of Envoy
accepts the connection on port 15001, and then looks for an appropriate "listener" that has been configured ▸ The Pilot API gives every sidecar a list of Listeners that Envoy will create internally ▸ For a given sidecar, Pilot will return a listener for the IP and Port for Envoy to forward requests to.
DO ▸ We're going to look at how Envoy listens for traffic by inspecting Pilots LDS endpoint (Listener Discovery Service) ▸ We'll then refresh our ingress a few times to generate traffic ▸ Then we'll see how Envoy logs this traffic on the pod
has an admin page that provides great information ▸ You can port-forward the Envoy endpoint locally to view this ▸ You can view what Envoys state of the world is, IE: Clusters, Listeners, Routes, etc.
wrong, is to look at Pilot logs. ▸ Since Pilot is the source of truth for your service mesh, it's common this is where problems will arise most of the time ▸ When in doubt, restart Pilot.
plane for Envoy. It provides control of most of the features of Envoy currently, with plans to add more. ▸ It's important to keep in mind that all traffic in your cluster goes through Envoy ▸ Istio is only used by Envoy to ask questions, such as "what is this service" and "what port should I listen on?"
bobbytables
tutinoko
tsucchinoko
little_rubyist
murabayashi
polpielladev
manfredsteyer
fadis
takonda
hiroki_yod
mot_techtalk
ivargrimstad
notfounds
tammyeverts
maltzj
honnibal
pedronauck
davidbonilla
rmw
bcantrill
csswizardry
ufuk
hannesfritz
trishagee
addyosmani
