Что ждать от внедрения Istio?

View Slide

Андрей Половов
Архитектор проектов
t.me/andreypolovov
andrey.polovov@flant.com
Флант
DevOps и Kubernetes,
обслуживание 24×7
habr.com/ru/company/flant
youtube.com/c/Флант
flant.ru t.me/flant_ru

View Slide

Что ждать
от внедрения Istio?

View Slide

Что ждать
Istio = Service Mesh

View Slide

Istio = Service Mesh
Что ждать

View Slide

front back db

View Slide

front back db
cache

View Slide

front back db
admin
cache

View Slide

front back db
images admin
cache

View Slide

front back db
images admin
cache
queue
consumer
consumer
consumer

View Slide

front back db
images admin
docs docdb
cache
queue
consumer
consumer
consumer

View Slide

front back db
images admin
docs docdb
cache
queue
consumer
consumer
consumer
warehouse

View Slide

db
images admin
docs docdb
cache
queue
consumer
consumer
consumer
warehouse
front back

View Slide

front–5cd968978d-zqlrb back–69d499c5b6-5xcjt
back–69d499c5b6-cbl6r
back–69d499c5b6-q8trc

View Slide

Circuit Breaking

View Slide


View Slide

back

View Slide

back–79f976997d-a8tff

View Slide

back–79f976997d-k4bax

View Slide

front–5cd968978d-zqlrb back–79f976997d-6zhea

View Slide


View Slide

Canary Deployment

View Slide

back–79f976997d-6zhea
front–5cd968978d-zqlrb back–79f976997d-k4bax

View Slide

back–79f976997d-6zhea
front–5cd968978d-zqlrb
front–5cd968978d-zqlrb

View Slide

front–5cd968978d-zqlrb back–79f976997d-a8tff

View Slide

ru-central1-a
ru-central1-b
ru-central1-b

View Slide

ru-central1-a
ru-central1-b
ru-central1-b
Locality Load Balancing

View Slide

Circuit Breaker
Canary Deployment

View Slide

Zone-aware Routing
Trafﬁc Shifting
Metric Exporting & Tracing
End-user Authentication
Weighted Load Balancer
gRPC Load Balancing
Mutual TLS
A/B Tests
Fault Injection
Mirroring Authorization
Egress Gateway
Request Timeout
Circuit Breaker
Canary Deployment

View Slide

Zone-aware Routing
Trafﬁc Shifting
gRPC Load Balancing
Mutual TLS
A/B Tests
Fault Injection
Egress Gateway
Request Timeout
Circuit Breaker
Canary Deployment
front back

View Slide

Zone-aware Routing
Trafﬁc Shifting
gRPC Load Balancing
Mutual TLS
A/B Tests
Fault Injection
Egress Gateway
Request Timeout
Circuit Breaker
Canary Deployment
front back
if ($code == 500) {
$backend.suspend();
...

View Slide

Zone-aware Routing
Trafﬁc Shifting
gRPC Load Balancing
Mutual TLS
A/B Tests
Fault Injection
Egress Gateway
Request Timeout
Circuit Breaker
Canary Deployment

View Slide

Service Mesh
Zone-aware Routing
Trafﬁc Shifting
gRPC Load Balancing
Mutual TLS
A/B Tests
Fault Injection
Egress Gateway
Request Timeout
Circuit Breaker
Canary Deployment

View Slide

Zone-aware Routing
Trafﬁc Shifting
gRPC Load Balancing
Mutual TLS
A/B Tests
Fault Injection
Egress Gateway
Request Timeout
Circuit Breaker
Canary Deployment

View Slide

Zone-aware Routing
Trafﬁc Shifting
M
etric
Exporting
&
Tracing
gRPC Load Balancing
Mutual TLS
A/B Tests
Fault Injection
Mirroring
Authorization
Egress Gateway
Request Timeout
Circuit Breaker
Locality
Load
Balancing
Canary Deployment

View Slide

Zone-aw
are
Routing
Trafﬁc Shifting
Mutual TLS
A
/B
Tests
Fault Injection
M
irroring
Circuit Breaker
Locality
Load
Balancing
gRPC Load Balancing
Authorization
Egress Gateway
Request Timeout
Canary Deployment

View Slide

Zone-aware Routing
Trafﬁc Shifting
gRPC Load Balancing
Mutual TLS
A/B Tests
Fault Injection
Egress Gateway
Request Timeout Circuit Breaker
Canary Deployment

View Slide

View Slide

Фреймворк управления трафиком
Service Mesh =

View Slide

Service Mesh
HTTP, gRPC
и любой
другой TCP
=

View Slide

Service Mesh
HTTP, gRPC
и любой
другой TCP
Декларативный
язык
=

View Slide

Service Mesh
HTTP, gRPC
и любой
другой TCP
язык
Мониторинг
Observability
+
=

View Slide

front back db
images admin
docs docdb
cache
queue
consumer
consumer
consumer
warehouse

View Slide

front back db
images admin
docs docdb
cache
queue
consumer
consumer
consumer
warehouse
if ($code == 500) {
$backend.suspend();
...

View Slide

front back db
images admin
docs docdb
cache
queue
consumer
consumer
consumer
warehouse
if ($code == 500) {
$backend.suspend();
...
$ openssl req ...

View Slide

...
ssl = {
‘cert’: ‘client-cert.pem’,
‘key’: ‘client-key.pem’}
conn = MySQLdb.connect(ssl=ssl, ...
front back db
images admin
docs docdb
cache
queue
consumer
consumer
consumer
warehouse
if ($code == 500) {
$backend.suspend();
...
$ openssl req ...

View Slide

...
ssl = {
‘cert’: ‘client-cert.pem’,
‘key’: ‘client-key.pem’}
conn = MySQLdb.connect(ssl=ssl, ...
front back db
images admin
docs docdb
cache
queue
consumer
consumer
consumer
warehouse
if ($code == 500) {
$backend.suspend();
...
$ openssl req ...
[mysqld]
tls_version=TLSv1.3
ssl_ca=ca.pem
ssl_cert=server-cert.pem
ssl_key=server-key.pem
...

View Slide

front back db
images admin
docs docdb
cache
queue
consumer
consumer
consumer
warehouse

View Slide

images admin
docs docdb
cache
queue
consumer
consumer
consumer
warehouse
front back db
Service Mesh
Mutual TLS Circuit Breaker

View Slide

Service Mesh
HTTP, gRPC
и любой
другой TCP
язык
Мониторинг
Observability
+
=

View Slide

Service Mesh

View Slide

Super Mesh

View Slide

app

View Slide

app
netns

View Slide

app
netns
DNAT

View Slide

app
netns
DNAT DNAT

View Slide

app
netns
DNAT DNAT
eBPF eBPF

View Slide

app
netns
DNAT DNAT

View Slide

app
DNAT DNAT
Pod

View Slide

app
Pod
DNAT DNAT

View Slide

app
Pod
DNAT DNAT
sidecar

View Slide

app
Pod
DNAT DNAT

View Slide

app
Pod
DNAT DNAT
ECDS
LDS
CDS
SRDS
EDS
SDS
VCDS
RTDS RDS
Envoy APIs

View Slide

app
Pod
DNAT DNAT

View Slide

Zone-aware Routing
Trafﬁc Shifting
gRPC Load Balancing
Mutual TLS
A/B Tests
Fault Injection
Egress Gateway
Request Timeout
Circuit Breaker
Canary Deployment

View Slide

Zone-aware Routing
Trafﬁc Shifting
gRPC Load Balancing
Mutual TLS
A/B Tests
Fault Injection
Egress Gateway
Request Timeout
Circuit Breaker
Canary Deployment
Разработчик

View Slide

Zone-aware Routing
Trafﬁc Shifting
gRPC Load Balancing
Mutual TLS
A/B Tests
Fault Injection
Egress Gateway
Request Timeout
Circuit Breaker
Canary Deployment

View Slide

Zone-aware Routing
Trafﬁc Shifting
gRPC Load Balancing A/B Tests
Fault Injection
Egress Gateway
Request Timeout
Circuit Breaker
Canary Deployment
Mutual TLS

View Slide

Zone-aware Routing
Trafﬁc Shifting
gRPC Load Balancing
Mutual TLS
A/B Tests
Fault Injection
Egress Gateway
Request Timeout
Circuit Breaker
Canary Deployment

View Slide


View Slide

supermeshd

View Slide

supermeshd
Zone-aware Routing
Trafﬁc Shifting
gRPC Load Balancing
Mutual TLS
A/B Tests
Fault Injection
Egress Gateway
Request Timeout
Circuit Breaker
Canary Deployment

View Slide

Zone-aware Routing
Trafﬁc Shifting
gRPC Load Balancing
Mutual TLS
A/B Tests
Fault Injection
Egress Gateway
Request Timeout
Circuit Breaker
Canary Deployment
supermeshd
Control Plane

View Slide

Zone-aware Routing
Trafﬁc Shifting
gRPC Load Balancing
Mutual TLS
A/B Tests
Fault Injection
Egress Gateway
Request Timeout
Circuit Breaker
Canary Deployment
supermeshd
Control Plane
Data Plane

View Slide

Zone-aware Routing
Trafﬁc Shifting
gRPC Load Balancing
Mutual TLS
A/B Tests
Fault Injection
Egress Gateway
Request Timeout
Circuit Breaker
Canary Deployment
supermeshd

View Slide

ServiceComb-mesher

View Slide

© CNCF Survey Report 2020
https://www.cncf.io/wp-content/uploads/2020/11/CNCF_Survey_Report_2020.pdf

View Slide

View Slide

Что ждать

View Slide

View Slide

Как повлияет на приложение?

View Slide

А как на кластер?

View Slide

Так ли безопасен
Mutual TLS?

View Slide

Mutual TLS?
Что-то там было
про федерацию...

View Slide

Mutual TLS?
Какие возможности
Observability?

View Slide

Что если что-то сломается?
Mutual TLS?
Observability?

View Slide

Mutual TLS?
Observability?
Как его правильно засетапить?

View Slide

Mutual TLS?
Observability?
А обновить?

View Slide

front back

View Slide

front back
1

View Slide

front back
1 2

View Slide

front back

View Slide

front back
sidecar-proxy sidecar-proxy

View Slide

front back
1

View Slide

front back
1
2
× 1

View Slide

front back
1
2
3
× 1

View Slide

front back
1
2
3
4
× 2

View Slide

front back
1
2
3
4
5
× 3

View Slide

front back
1
2
3
4
5
Время – деньги!
× 3

View Slide

front back
1
2
3
4
5
Время – деньги!
Latency – деньги!
× 3

View Slide

The Envoy proxy adds 2.65 ms
to the 90th percentile latency.
https://istio.io/latest/docs/ops/deployment/performance-and-scalability/

View Slide

client server

View Slide

client server
10 000 запросов
с предварительным
прогревом

View Slide

client server
kube-node-0 kube-node-1
10 000 запросов
с предварительным
прогревом

View Slide

View Slide

client server
pure

View Slide

client server
client server
envoy
pure

View Slide

client server
client server
envoy
pure
client server
istio

View Slide

client server
client server
envoy
pure
client server
istio
client server
istio-authz

View Slide

client server
client server
envoy
pure
client server
istio
client server
istio-authz
1000 x AuthorizationPolicy

View Slide

client server
client server
envoy
pure
client server
istio
client server
istio-authz

View Slide

client
client
client
pure
envoy
istio
istio-auth
client server
server
server
server
TLS
TLS
TLS

View Slide

TLS
TLS
client
client server
server
envoy
pure
client server
istio
client server
istio-auth
1.2/1.3
TLS

View Slide

client
client
client
client server
server
envoy
pure
server
istio
server
istio-auth HTTP/2
HTTP/2
HTTP/2

View Slide

server
server
envoy
pure
server
istio
server
istio-auth
client
client
client
TCP
keepalive
TCP
keepalive
TCP
keepalive
client
TCP
keepalive

View Slide

client
client
client
client server
server
envoy
pure
server
istio
server
istio-auth TCP
keepalive
TCP
keepalive
TCP
keepalive

View Slide

client server
client server
envoy
pure
client server
istio
client server
istio-authz

View Slide

client
client
envoy
pure
client
istio
client
istio-auth
server
server
server
server

View Slide

server
Small
500 B
Medium
200 KiB
Large
1.7 MiB

View Slide

server
JSON JSON JSON
Small
500 B
Medium
200 KiB
Large
1.7 MiB

View Slide

client server
client server
envoy
pure
client server
istio
client server
istio-authz

View Slide

client server
client server
envoy
pure
client server
istio
client server
istio-authz
JSON
JSON
JSON
JSON
TCP
keepalive
TCP
keepalive
TCP
keepalive
TCP
keepalive
TCP
keepalive
TCP
keepalive
TCP
keepalive
HTTP/2
HTTP/2
HTTP/2
TLS
TLS
TLS
1.2/1.3

View Slide

client server
client server
envoy
pure
client server
istio
client server
istio-authz
JSON
JSON
JSON
JSON
TCP
keepalive
TCP
keepalive
TCP
keepalive
TCP
keepalive
TCP
keepalive
TCP
keepalive
TCP
keepalive
HTTP/2
HTTP/2
HTTP/2
TLS
TLS
TLS
1.2/1.3
252
теста

View Slide

Классический сетап

View Slide

client server
client server
envoy
pure
client server
istio
client server
istio-authz

View Slide

client server
client server
envoy
pure
client server
istio
client server
istio-authz
TCP
keepalive
TCP
keepalive
TCP
keepalive
TCP
keepalive

View Slide

Single-Thread — client TCP keepalive OFF
JSON
JSON
JSON

View Slide

JSON
JSON
JSON
0.78ms
1.09ms
1.75ms

View Slide

JSON
JSON
JSON
0.78ms
1.09ms
1.75ms
339%
403%
427%

View Slide

JSON
JSON
JSON

View Slide

JSON
JSON
JSON
0.77ms
214%

View Slide

JSON
JSON
JSON
0.77ms
214%
0.74ms
74%

View Slide

JSON
JSON
JSON

View Slide

JSON
JSON
JSON
0.23ms

View Slide

JSON
JSON
JSON
0.23ms + 2ms

View Slide

0.23ms + 2ms = 800%
JSON
JSON
JSON

View Slide

0.23ms + 2ms = 800%
JSON
JSON
JSON
20ms

View Slide

0.23ms + 2ms = 800%
JSON
JSON
JSON
20ms + 2ms

View Slide

0.23ms + 2ms = 800%
JSON
JSON
JSON
20ms + 2ms = 10%

View Slide

JSON
JSON
JSON

View Slide

JSON
JSON
JSON
1000 x AuthorizationPolicy

View Slide

JSON
JSON
JSON

View Slide

pure
istio

View Slide

pure
istio
0.18ms
78%
1.08ms
83%

View Slide

Mutual TLS

View Slide

client
client
client
pure
envoy
istio
istio-auth
client server
server
server
server
TLS
TLS
TLS

View Slide

client
istio
server
TLS

View Slide

JSON
JSON
JSON
TLS OFF vs ON

View Slide

Любопытные
наблюдения

View Slide

client server
client server
envoy
pure
client server
istio
client server
istio-authz

View Slide

client server
client server
envoy
pure
client server
istio
client server
istio-authz
TCP
keepalive
TCP
keepalive
TCP
keepalive
TCP
keepalive

View Slide

client server
istio
TCP
keepalive

View Slide

JSON
JSON
JSON
Single-Thread — TCP keepalive OFF vs ON

View Slide

client server
istio
TCP
keepalive

View Slide

JSON
JSON
JSON
Multi-Thread — TCP keepalive OFF vs ON

View Slide

https://blog.cloudﬂare.com/keepalives-considered-harmful/
TCP
keepalive
Не всегда хорошо!

View Slide

Mutual TLS?
Observability?

View Slide


View Slide

Перехват трафика — не бесплатен

View Slide

Перехват трафика — не бесплатен ± 2.5 ms

View Slide

Перехват трафика — не бесплатен
Больше естественный latency — меньше относительный overhead
± 2.5 ms

View Slide

Mutual TLS?
Observability?

View Slide

supermeshd

View Slide

supermeshd
= istiod

View Slide

supermeshd
= istiod
Zone-aware Routing
Trafﬁc Shifting
gRPC Load Balancing
Mutual TLS
A/B Tests
Fault Injection
Egress Gateway
Request Timeout
Circuit Breaker
Canary Deployment

View Slide

supermeshd
= istiod
Zone-aware Routing
Trafﬁc Shifting
gRPC Load Balancing
Mutual TLS
A/B Tests
Fault Injection
Egress Gateway
Request Timeout
Circuit Breaker
Canary Deployment
=
AuthorizationPolicy
EnvoyFilter
IstioOperator
DestinationRule
PeerAuthentication
VirtualService
WorkloadEntry
ServiceEntry
Gateway
Sidecar
WorkloadGroup

View Slide

istiod
AuthorizationPolicy
EnvoyFilter
IstioOperator
DestinationRule
PeerAuthentication
VirtualService
WorkloadEntry
ServiceEntry
Gateway
Sidecar
WorkloadGroup

View Slide

istiod
AuthorizationPolicy
EnvoyFilter
IstioOperator
DestinationRule
PeerAuthentication
VirtualService
WorkloadEntry
ServiceEntry
Gateway
Sidecar
WorkloadGroup
Service
Endpoint
Namespace
Node
Secret
Pod

View Slide

Mutual TLS?
Observability?

View Slide

Observability?
Mutual TLS?

View Slide

View Slide

Структура

View Slide

Структура Графики

View Slide

Структура Графики Трассировка

View Slide

Трассировка
Структура Графики

View Slide

Структура Графики Трассировка

View Slide

Observability?
Mutual TLS?

View Slide

client server

View Slide

client server
Привет,
server!

View Slide

client server

View Slide

client server
Привет,
client!

View Slide

client server

View Slide

client server
Привет,
server!

View Slide

client server

View Slide

client server
Ты кто такой,
*&^*$*???!

View Slide

client server
OKAY

View Slide

client server

View Slide

client server
SAN: spiffe://cluster.local/ns/foo/sa/client

View Slide

client server
principal

View Slide

client server

View Slide

client server
ServiceAccount

View Slide

client server

View Slide

client server
istiod

View Slide

client server
istiod
root

View Slide

ca.crt
!=
client server
istiod
root

View Slide

client server
istiod
root

View Slide

istiod
root
server
client

View Slide

istiod
root
client server

View Slide

client
istiod
root
server
Pod

View Slide

client
istiod
root
server
Pod
Super Mesh

View Slide

client
server
Pod
istiod
root
Super Mesh

View Slide

client
server
Pod
Super Mesh
istiod
root

View Slide

client
server
Pod
istiod
root
Super Mesh

View Slide

client
Pod
server
istiod
root

View Slide

istiod
root
Pod
server

View Slide

istiod
root
Pod
CSR
server

View Slide

server
istiod
root
Pod
CSR

View Slide

server
istiod
root
Pod
ServiceAccount
CSR

View Slide

View Slide

mypod
Pod

View Slide

mysa
ServiceAccount
mypod
Pod

View Slide

mysa
ServiceAccount
mypod
Pod
apiVersion: v1
kind: ServiceAccount
metadata:
name: mysa
namespace: foo

View Slide

mysa
ServiceAccount
mypod
Pod
{
"namespace": "foo",
"name": "mysa",
...
}
apiVersion: v1
metadata:
name: mysa
namespace: foo

View Slide

mysa
ServiceAccount
mypod
Pod
mysa-token-123
Secret
apiVersion: v1
metadata:
name: mysa
namespace: foo
{
"namespace": "foo",
"name": "mysa",
...
}

View Slide

mysa
ServiceAccount
mypod
Pod
apiVersion: v1
metadata:
name: mysa
namespace: foo
secrets:
- name: mysa-token-123
mysa-token-123
Secret
{
"namespace": "foo",
"name": "mysa",
...
}

View Slide

mysa
ServiceAccount
mypod
Pod
apiVersion: v1
metadata:
name: mysa
namespace: foo
secrets:
apiVersion: v1
kind: Pod
metadata:
name: mypod
namespace: foo
spec:
serviceAccountName: mysa
... mysa-token-123
Secret
{
"namespace": "foo",
"name": "mysa",
...
}

View Slide

mysa
ServiceAccount
mypod
Pod
apiVersion: v1
metadata:
name: mysa
namespace: foo
secrets:
apiVersion: v1
kind: Pod
metadata:
name: mypod
namespace: foo
spec:
...
{
"namespace": "foo",
"name": "mysa",
...
}
mysa-token-123
Secret

View Slide

mysa
ServiceAccount
mypod
Pod
apiVersion: v1
metadata:
name: mysa
namespace: foo
secrets:
apiVersion: v1
kind: Pod
metadata:
name: mypod
namespace: foo
spec:
...
{
"namespace": "foo",
"name": "mysa",
...
}
mysa-token-123
Secret
/run/secrets/kubernetes.io/serviceaccount/token

View Slide

server
istiod
root
Pod
ServiceAccount
CSR

View Slide

istiod
root
Pod
CSR
server

View Slide

istiod
root
Pod
CSR
TokenReview
server

View Slide

istiod
root
Pod
CSR
server

View Slide

server
Pod
istiod
root
CSR

View Slide

server
Pod
istiod
root

View Slide

Pod
istiod
root
server

View Slide

server
Pod
istiod
root

View Slide

Observability?
Mutual TLS?

View Slide

View Slide

за 8 минут!

View Slide

за 8 минут!
150+ кластеров под управлением

View Slide

за 8 минут!
deckhouse.io
Ранний доступ
150+ кластеров под управлением

View Slide

Acknowledgements
Дмитрий Столяров
За помощь с подготовкой контента
Антон Климов
За помощь с оформлением презентации

View Slide

Спасибо!
deckhouse.io
Полностью идентичный
Kubernetes где угодно
Успех с Kubernetes
с первого дня
Флант
DevOps и Kubernetes,
обслуживание 24×7
habr.com/ru/company/flant
youtube.com/c/Флант
flant.ru t.me/flant_ru
t.me/andreypolovov
andrey.polovov@flant.com

View Slide

Что ждать от внедрения Istio?

Что ждать от внедрения Istio?

flant

More Decks by flant

Other Decks in Technology

Featured

Transcript