Service Mesh: Istio vs Linkerd

Guto Carvalho
February 09, 2022

Transcript

  1. Service mesh
    LET'S UNDERSTAND IT

  2. Which is better for Stack.io clients and projects?
    ISTIO or Linkerd?

  3. Service Mesh
    Let's understand it
    Guto Carvalho
    Cloud Engineer
    - Service mesh
    - When to use it?
    - Service Mesh Projects (Istio, Linkerd)
    - Comparing
    - When not to use it
    - Final notes

  4. Introduction
    Service Mesh

  5. Service Mesh
    What is it?
    Service mesh introduction

    You have probably heard about it, and usually the same sentence that mentions
    "service mesh" also contains the word "Istio" or "Linkerd", both prevalent
    implementations of this network abstraction layer.

    A service mesh is an infrastructure layer created to control and handle all
    service-to-service communication needs in a micro services architecture.

    It controls the flow of requests to the services, acts as a load balancer, encrypts
    data, discovers services, and aggregates them to your load balancer.

    Although you can implement the communication logic of your micro services in your
    code, the service mesh abstracts this logic into a parallel infrastructure layer
    dedicated to it. The way it works is quite simple: it uses a proxy sidecar in each
    service pod to control it and provide information for your cluster.

    The sidecar proxy provides data and allows the exchange of information between
    services, so you can focus on your business logic and leave the communication
    policies and routes to the service mesh controller.

  6. Benefits
    Service mesh introduction

    Observability
    Typically teams use different methods and technologies to maintain traffic
    visibility, logs, metrics, tracing, and security controls. The service mesh already
    brings all this in a centralized and organized way.

    Resilience
    Service mesh offers mechanisms like Circuit Breaker, Latency-aware Load Balancing,
    and a very consistent, enhanced, and robust service discovery. It allows you to
    configure settings like retries, timeouts, and deadlines in these services.

    Traffic Control
    We can work with very granular network traffic control, which permits an accurate
    and objective way to determine where the requests will be routed.

    Security
    Most service meshes offer a CA mechanism that dynamically generates certificates
    for each service, ensuring secure service-to-service communication.

    Delay & Fault Injection
    Most service meshes offer a way to configure latency and failures to simulate what
    would happen in the real world. That way, you can analyze the behavior of your
    services in the case of a similar scenario.

    Less code for devs
    The features offered by service mesh will reduce the amount of code that your dev
    team must write for your app. Many of your requirements for app controls and
    policies are already available in the service mesh features.

  7. When to use it
    Service Mesh

  8. Service Mesh
    When do I need to use it?

    Many Micro services
    If you have a large-scale application composed of micro services

    Visibility + Tracing + Metrics
    If you need to answer quickly and proactively regarding changes in customer
    behavior

    Deploy Strategies
    When you need controlled deployment methods like Canary and Blue/Green without the
    complexity of building that on top of k8s

    Security
    If you need or want to secure the communication between your services.

  9. Service Mesh
    When do I need to use it?

    Developer Focus
    If you want developers to focus on what they do best: business code

  10. Service Mesh
    When do I need to use it?

    Performance & Routing
    Suppose that you have an application that meets a huge demand, and this application
    is composed of several micro services communicating with each other. In this case,
    the communication flow can become a challenge since the requests between services
    can grow exponentially.

    You will probably need a sophisticated and intelligent routing strategy to keep the
    communication flowing correctly and especially to maintain performance within the
    expected standards, avoiding degrading the communication between your services.

  11. General information
    Projects

  12. Istio
    General Information

    About
    Istio is an open-source service mesh implementation created by Google and IBM in
    partnership with the Envoy team at Lyft. Istio uses Envoy as a core component of
    its proxy sidecar strategy.

    Envoy is a distributed service proxy explicitly designed to work with micro
    services and mesh architectures.

    GitHub Stars: 28,700+
    GitHub Contributors: 700+
    License: Apache 2.0
    Version: 1.9.x
    Since: Jan/2019

  13. Linkerd
    General Information

    About
    Linkerd is a service mesh for Kubernetes. It makes running services easier and
    safer by giving you runtime debugging, observability, reliability, and security—all
    without requiring any changes to your code.

    Linkerd is fully open source, licensed under Apache v2, and is a Cloud Native
    Computing Foundation graduated project. Linkerd is developed in the open in the
    Linkerd GitHub organization.

    GitHub Stars: 7000+
    GitHub Contributors: 200+
    License: Apache 2.0
    Version: 2.1.x
    Since: Feb/2016

  14. Project details and analyses
    ISTIO

  15. Istio
    What is required to bring Istio to clients?

    Kubernetes
    We just need an operational k8s cluster

    How to install it?
    - istioctl
    - istio operator
    - helm packages

    Have an official terraform module?
    Not at the moment

    Have a community terraform module?
    Some, not well maintained

  16. Istio
    Integrations and features that are interesting to test and use

    Cert-manager
    Istio can use cert-manager to create mTLS certs

    ArgoCD
    Deploy strategies like Canary and Blue/Green made easy using Istio Traffic Split
    features alongside ArgoCD

    Keptn
    Quality gateway to deliver apps based on SLOs and roll back an app if an SLO rule
    is violated

    Chaos Engineering
    We can test the resilience of our clusters with "service outage" simulations;
    chaosengineering-kit has a plugin for istio

  17. Project details and analyses
    Linkerd

  18. Linkerd
    What is required to bring linkerd to clients?

    Kubernetes
    We just need an operational k8s cluster

    How to install it?
    - linkerd binary
    - helm packages
    - operator? no!

    Have an official terraform module?
    Not at the moment

    Have a community terraform module?
    Some, not well maintained

  19. Project details and analyses
    Comparing

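  20. ISTIO vs Linkerd
    Details

    | Dashboard            | Linkerd | Istio       |
    |----------------------|---------|-------------|
    | Native web dashboard | Yes     | No          |
    | SaaS dashboard       | Yes     | No          |
    | Other                | No      | Yes (Kiali) |

    | Communication Security | Linkerd | Istio |
    |------------------------|---------|-------|
    | Authorization          | Yes     | Yes   |
    | Authentication         | Yes     | Yes   |
    | mTLS                   | Yes     | Yes   |
    | Certificate Management | Yes     | Yes   |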

  21. ISTIO vs Linkerd
    Details

    | Communication Protocols | Linkerd | Istio |
    |-------------------------|---------|-------|
    | TCP Proxy               | Yes     | Yes   |
    | HTTPv1 Proxy            | Yes     | Yes   |
    | HTTPv2 Proxy            | Yes     | Yes   |
    | gRPC Proxy              | Yes     | Yes   |

  22. ISTIO vs Linkerd
    Details

    | Monitoring & Tests      | Linkerd | Istio |
    |-------------------------|---------|-------|
    | Metrics                 | Yes     | Yes   |
    | Health Checks           | Yes     | Yes   |
    | Prometheus Integration  | Yes     | Yes   |
    | Grafana Integration     | Yes     | Yes   |
    | Distributed Tracing     | Yes     | Yes   |
    | Chaos Monkey Test Ready | No      | Yes   |

  23. ISTIO vs Linkerd
    Details

    | Other Monitorings  | Linkerd | Istio |
    |--------------------|---------|-------|
    | Service Graphs     | Yes     | Yes   |
    | S2S Latency        | Yes     | Yes   |
    | Response Codes     | Yes     | Yes   |
    | Jaeger Integration | Yes     | Yes   |

  24. ISTIO vs Linkerd
    Details

    | Traffic Management    | Linkerd | Istio |
    |-----------------------|---------|-------|
    | Load Balancing        | Yes     | Yes   |
    | Green/Blue Deployment | Yes     | Yes   |
    | Canary Deployment     | Yes     | Yes   |
    | Circuit Breaker       | Yes     | Yes   |
    | Fault Injection       | Yes     | Yes   |
    | Dark Launch           | No      | Yes   |
    | Rate Limit            | Yes     | Yes   |
    | Retries               | Yes     | Yes   |
    | Timeouts              | Yes     | Yes   |

  25. ISTIO vs Linkerd
    Details

    | Installation Methods | Linkerd | Istio   |
    |----------------------|---------|---------|
    | Binary               | Yes     | Yes     |
    | Helm                 | Yes     | Yes     |
    | Operator             | No      | Yes     |
    | Complexity           | Low     | Regular |

  26. ISTIO vs Linkerd
    Details

    | Performance & Security   | Linkerd | Istio   |
    |--------------------------|---------|---------|
    | Latency                  | Low     | Regular |
    | Use of cluster resources | Low     | High    |
    | Security                 | Good    | Good    |

    Fact: sometimes the Istio proxy can consume more resources than the app in the pod
    itself.

    Is it a problem?

    It depends. Istio can offer essential information or at least provide more
    availability for your service. If resources or cost are not a problem at all, then
    it's no problem. It's just a condition to run it.

    If cloud cost is an important variable, you should go with Linkerd; it's cheaper in
    terms of cloud costs.

  27. ISTIO vs Linkerd
    Details

    | More                    | Linkerd | Istio |
    |-------------------------|---------|-------|
    | Can use any ingress?    | Yes     | No    |
    | Offer its own ingress?  | No      | Yes   |
    | Single point of failure | No      | No    |
    | HA                      | Yes     | Yes   |
    | CNI Plugin Option       | Yes     | Yes   |
    | CLI                     | Yes     | Yes   |

  28. ISTIO vs Linkerd
    Details

    | Information           | Linkerd   | Istio          |
    |-----------------------|-----------|----------------|
    | License               | Apache v2 | Apache v2      |
    | Core Language         | Rust/Go   | Go             |
    | GitHub Stars          | 7k+       | 28k+           |
    | GitHub Contributors   | 200       | 700            |
    | GitHub First Release  | Feb/16    | Jan/19         |
    | GitHub Latest Release | 2.11.1    | 1.11.4         |
    | GitHub Releases       | 284       | 221            |
    | CVE Records 2021      | 0         | 6              |
    | Learning curve        | Low       | High           |
    | Operation complexity  | Low       | Regular > High |

    Istio has more CVE records in 2021, and it also has more users and production
    cases. It's normal to find issues when you have a large user base. Both are very
    secure projects.

  29. When not to use it
    Service Mesh

  30. Service Mesh
    When not to use it

    > When you don't know what it is
    > When you don't know how it'll help your operation
    > When you don't know how it'll help your app performance
    > When you don't know how it'll help your app availability
    > When you don't know how it'll improve your business strategy
    > When the default k8s service discovery is enough for your needs
    > When the default k8s rollout is enough for your needs
    > When you don't have a large number of micro services to manage
    > When you don't have any micro services at all
    > When you don't have a massive traffic flow for your services
    > When you don't need to secure the communication between your services

  31. Service Mesh
    Final notes

  32. Service Mesh
    Drawbacks

    For the client that wants a mesh
    > Can be costly depending on the technology
    > It can be complex for the client to understand how it works and to see the benefits

    For our operation and team
    > It's simple to install, but complex to customize
    > The learning curve can be challenging
    > It's more complex to find and fix problems
    > It may change the way we deploy apps, requiring pipeline adjustments
    > It's one more system to deal with, operate, and update, and also one more to fail

    It's still evolving
    The main projects related to service mesh are constantly evolving. A ton of new
    features are being created, tested, and delivered on each version. We're going to
    sail over these releases with a lot of new things to consider and try. Updates
    can be challenging as technology evolves.

  33. Service Mesh
    Drawbacks

    Tests executed with Linkerd
    > Binary installation and test
    > Dashboard installation and test
    > Mesh injection on a service (emojivoto app)
    > Fail injection test (book app)
    > Retries configuration using service profiles
    > Timeout configuration using service profiles

    Notes
    We have followed the Linkerd documentation to install, test, and try some features.
    Everything works as expected without any problems. The retries and timeout tests
    needed a swagger profile for the app; this can be tricky if the client doesn't have
    it ready for use.

    Another important point is that Linkerd can use any ingress, helping to minimise
    changes in your cluster and deployment configurations.

  34. Final notes
    Service Mesh R&D

    In my opinion, if the business requirements for a service mesh match Linkerd's
    features, we should use it. It's simpler, lighter, faster, and also very secure.

    In terms of cost, it can be cheaper if we're looking to reduce the client's cloud
    bills.

    If cost is not an essential variable, and if the complexity is well considered and
    accepted by the client, Istio can be a great solution for the project because of
    the integrations and extra features.

    We need to consider that Istio is very popular and our clients will probably ask
    for it; we have to be ready to install it and maintain it.

    Consul is another widespread service mesh implementation that we should consider
    and at least understand how it works.

    In the end, our team should master Istio and Linkerd and know how to work with
    Consul in production.

  35. [email protected]
    Photos:

    Unsplash

    Kubecon


  36. Thank You
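
The retries and timeout tests listed on slide 33 are configured through a Linkerd ServiceProfile. The manifest below is an added example, not taken from the deck or from the Linkerd project; the service name, namespace, routes and values are constructed for illustration.

```yaml
# Constructed example: ServiceProfile for a hypothetical "books" service
# in a hypothetical "booksapp" namespace.
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  # A ServiceProfile is named after the fully qualified service name.
  name: books.booksapp.svc.cluster.local
  namespace: booksapp
spec:
  routes:
    # Idempotent read: safe for the proxy to retry on failure.
    - name: GET /books/{id}.json
      condition:
        method: GET
        pathRegex: /books/[^/]*\.json
      isRetryable: true
      # Fail the request if no response arrives within this time.
      timeout: 300ms
    # Write: left non-retryable so a replay cannot duplicate the change.
    - name: POST /books.json
      condition:
        method: POST
        pathRegex: /books\.json
      timeout: 1s
  # Caps retries for the whole service so a failing backend is not
  # hit with a retry storm.
  retryBudget:
    # Retries may add at most 20% on top of the original request load.
    retryRatio: 0.2
    # Floor that allows some retries even when traffic is very low.
    minRetriesPerSecond: 10
    # Window over which the ratio is calculated.
    ttl: 10s
```

Routes are matched by method and path regex, which is why the tests needed a swagger file for the app: `linkerd profile --open-api` generates the route list from it.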