Service Mesh: Istio vs Linkerd

Transcript

1. 1 Service mesh L E T ' S U N

   D E R S T A N D I T

2. Which is better for Stack.io clients and projects? ISTIO or

   Linkerd?

3. 3 Flato Presentation Service Mesh Let's understand it Guto Carvalho

   Cloud Engineer When to use it? Service Mesh Projects Istio Linkerd Comparing When not use it Final notes Service mesh

4. Introduction Service Mesh

5. Service Mesh What is it? 5 Service mesh introduction You

   have probably heard about it, and usually in the same sentence that someone mentions "service mesh" there is typically the word "Istio" or "Linkerd", both prevalent implementations of this network abstraction layer. 
 
 Service Mesh is an infrastructure layer created to control and handle all service-to- service communication needs in a micro services architecture. It controls the fl ow of the requests to the services, acts as a load balancer, encrypts data, discovers services, and aggregates them to your load balancer. Although you can determine the communication logic of your micro service in your code, the service mesh acts as an abstraction of this logic in a parallel infrastructure layer dedicated to it. The way it works is quite simple, and it uses just a proxy sidecar in each service pod to control it and provide information for your cluster. The sidecar proxy provides data and allows the exchange of information between services, with that you can focus on your business logic and leave the communication policies and routes to the service mesh controller.

6. Bene fi ts 6 Service mesh introduction Observability Typically teams

   use di ff erent methods and technologies to maintain tra ff i c visibility, logs, metrics, tracing, and security controls. The service mesh already brings all this in a centralized and organized way. Resilience Service mesh o ff ers mechanisms like Circuit Breaker, Latency-aware Load Balancing, a very consistent, enhanced, and robust service discovery. It allows you to con fi gure settings like retries, timeout, and deadlines in these services. Tra ffi c Control We can work with a very granular network tra ff i c control which permits an accurate and objective way to determine where the requests will be routed. Security Most service meshes o ff er a CA mechanism that dynamically generates certi fi cates for each service, ensuring s e c u r e s e r v i c e - t o - s e r v i c e communication. Delay & Fault Injection Most service meshes o ff er a way to con fi gure latency and failures to simulate what would happen in the real world. That way, you can analyze the behavior of your services in the case of a similar scenario. Less code for devs The features o ff ered by service mesh will reduce the amount of code that your dev team must write for your app. Many of your requirements for app controls and policies are already available in the service mesh features. Service Mesh

7. When to use it Service Mesh

8. Service Mesh When I need to use it? 8 Many

   Micro services If you have a large scale application composed of micro services Visibility + Tracing + Metrics If you need to answer quickly and proactively regarding changes in customers behavior Deploy Strategies When you need controlled deployment methods like Canary and Blue/Green without the complexity of build that on top of k8s Security If you need or want to secure the communication between your services.

9. Service Mesh When I need to use it? 9 Developer

   Focus If you want Developers getting to focus on what they do best, business code

10. Service Mesh When I need to use it? 10 Performance

    & Routing Suppose that you have an application that meets a huge demand, and this application is composed of several micro services communicating with each other. In these case, the communication fl ow can become a challenge since the requests between services can grow exponentially. 
 
 You will probably need a sophisticated and intelligent routing strategy to keep the communication fl owing correctly and especially to maintain performance within the expected standards, avoiding degrading the communication between your services.

11. General information Projects

12. Istio is an open-source service mesh implementation created by Google

    and IBM in partnership with Envoy Lyft team. Istio uses Envoy as a core component for your proxy sidecar strategy. 
 
 Envoy is a distributed service proxy explicitly designed to work with micro services and mesh architectures. Istio General Information 12 About GitHub Starts 28.700+ GitHub Contributors 700+ License Apache 2.0 Version 1.9.x since jan/2019

13. Linkerd is a service mesh for Kubernetes. It makes running

    services easier and safer by giving you runtime debugging, observability, reliability, and security—all without requiring any changes to your code. 
 
 Linkerd is fully open source, licensed under Apache v2, and is a Cloud Native Computing Foundation graduated project. Linkerd is developed in the open in the Linkerd GitHub organization. Linkerd General Information 13 GitHub Starts 7000+ GitHub Contributors 200+ License Apache 2.0 Version 2.1.x About since fev/2016

14. Project details and analyses ISTIO

15. Istio 15 Kubernetes How to install it ? - istioctl

    
 - istio operator 
 - helm packages Not at the moment Some, not well maintained What is required to bring Istio to clients? Have an o ffi cial terraform module? Have a community terraform module? We just need an operational k8s cluster

16. Istio 16 Cert-manager Integrations and features that is interesting to

    test and use Istio can use cert-manager to create mTLS certs ArgoCD Deploy strategies made easy like Canary and Blue/Green using Istio Tra ff i c Split features alongside ArgoCD Keptn Quality gateway to delivery APPs based on SLOs and rollback an app if a SLO rule is o ff ended Chaos Engineering We can test the resilience of our clusters with "service outage" simulations, chaosengineering-kit has a plugin for istio

17. Project details and analyses Linkerd

18. Linkerd What is required to bring linkerd to clients? 18

    Kubernetes How to install it ? - linkerd binary 
 - helm packages 
 - operator? no! Have an o ffi cial terraform module? We just need an operational k8s cluster Have a community terraform module? Not at the moment Some, not well maintained

19. Project details and analyses Comparing

20. ISTIO vs Linkerd Details 20 Dashboard Linkerd Istio Native web

    dashboard Yes No Saas dasboard Yes No Other No Yes Communication Security Linkerd Istio Authorization Yes Yes Autentication Yes Yes mTLS Yes Yes Certi fi cate Management Yes Yes Kiali

21. ISTIO vs Linkerd Details 21 Communication Protocols Linkerd Istio TCP

    Proxy Yes Yes HTTPv1 Proxy Yes Yes HTTPv2 Proxy Yes Yes gRPC Proxy Yes Yes

22. ISTIO vs Linkerd Details 22 Monitoring & Tests Linkerd Istio

    Metrics Yes Yes Health Checks Yes Yes Prometheus Integration Yes Yes Grafana Integration Yes Yes Distribuited Tracing Yes Yes Chaos Monkey Test Ready No Yes

23. ISTIO vs Linkerd Details 23 Other Monitorings Linkerd Istio Service

    Graphs Yes Yes S2S Latency Yes Yes Reponse Codes Yes Yes Jaeger Integration Yes Yes

24. ISTIO vs Linkerd Details 24 Tra ffi c Management Linkerd

    Istio Load Balancing Yes Yes Green/Blue Deployment Yes Yes Canary Deployment Yes Yes Circuit Breaker Yes Yes Faulty Injection Yes Yes Dark Launch No Yes Rate Limit Yes Yes Retries Yes Yes Timeouts Yes Yes

25. ISTIO vs Linkerd Details 25 Installation Methods Linkerd Istio Binary

    Yes Yes Helm Yes Yes Operator No Yes Complexity Low Regular

26. ISTIO vs Linkerd Details 26 Performance & Security Linkerd Istio

    Latency Low Regular Use of cluster resources Low High Security Good Good Sometimes Istio Proxy can consume more resources than the pod app itself, fact. Is it a problem? 
 
 It depends. Istio can o ff er essential information or at least provide more availability for your service. If resources or cost is not a problem at all, then it's no problem. It's just a condition to run it. If cloud cost is an important variable, you should go with Linkerd, it's cheaper in terms of cloud costs.

27. ISTIO vs Linkerd Details 27 More Linkerd Istio Can use

    any ingress? Yes No O ff er its own ingress? No Yes Single point of failure No No HA Yes Yes CNI Plugin Option Yes Yes CLI Yes Yes

28. ISTIO vs Linkerd Details 28 Information Linkerd Istio License Apache

    v2 Apache v2 Core Language rust/go go GitHub Stars 7k+ 28k+ GitHub Contributors 200 700 GitHub First Release fev/16 jan/19 GitHub Latest Release 2.11.1 1.11.4 GitHub Releases 284 221 CVE Records 2021 0 6 Learning curve Low High Operation complexity Low regular > high Istio has more CVE records in 2021, and it also has more users and production cases. It's normal to fi nd issues when you have a large user base. Both are very secure projects.

29. When not to use it Service Mesh

30. Service Mesh When not to use it 30 > When

    you don't know what it is > When you don't know how it'll help your operation > When you don't know how it'll help your app performance 
 
 > When you don't know how it'll help your app availability > When you don't know how it'll improve your business strategy > When the default k8s service discovery is enough for your needs 
 
 > When the default k8s rollout is enough for your needs > When you don't have a large number of micro services to manage 
 
 > When you don't have any micro services at all > When you don't have a massive tra ff i c fl ow for your services > When you don't need to secure the communication between your services

31. Service Mesh Final notes

32. Service Mesh Drawbacks 32 For the client that want mesh

    > Can be costly depending of the technology 
 > Can be complex to the client understand how it works and to see the bene fi ts For our operation and team > It's simple to install, but complex to customize > The learning curve can be challenging 
 > It's more complex to fi nd and fi x problems 
 > It may change the way we deploy apps, requiring pipelines adjustments 
 > It's one more system to deal, operate, update and also one more to fail 
 The main projects related to service MESH are constantly evolving. A ton of new features are being created, tested, and delivered on each version. We're going to sail over these releases with a lot of new things to consider and try. Updates can be challenging as technology evolves. It's still evolving

33. Service Mesh Drawbacks 33 Tests executed with Linkerd > Binary

    installation and test 
 > Dashboard installation and test 
 > Mesh injection on a service (emojivoto app) 
 > Fail injection test (book app) 
 > Retries con fi guration using service pro fi les 
 > Timeout con fi guration using service pro fi les Notes We have followed the Linkerd documentation to install, test, and try some features. Everything works as expected without any problems. The retries and timeout tests needed a swagger pro fi le for the APP, this can be tricky if the client doesn't have it ready for use. 
 
 Another important information is that Linkerd can use any ingress, helping to minimise changes in your cluster and deployments con fi gurations.

34. Final notes Service Mesh R&D 34 In my opinion, if

    the business requirements for a service mesh matches with Linkerd features, we should use it. It's simpler, lighter, faster and also it's very secure. 
 
 In terms of cost, can be cheaper if we're looking to reduce the client cloud bills. 
 If the costs is not an essential variable, and if the complexity is well considered and accepted by the client, Istio can be a great solution for the project because of the integrations and extra features. 
 
 We need to consider that Istio is very popular and our clients will probably ask for it, we have to be ready to install it and maintain it. 
 Consul is also another widespread service mesh implementation that we should consider and understand how it works at least. 
 
 In the end, our team should master Istio and Linkerd and know how to work with Consul in production.

35. [email protected] Photos: 
 Unsplash 
 Kubecon

36. Flato Add your header here 36 Add Your Sub-header Here

    Lorem Ipsum Flato Presentation Thank You