Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Istioと共にマイクロサービスに立ち向かえ!

71d7f6cdf5b1934a1b69f0624f5a7523?s=47 Aya (Igarashi) Ozawa
April 20, 2018
Technology
31
8.5k

 Istioと共にマイクロサービスに立ち向かえ!

Japan Container Days V18.04
PDF: https://drive.google.com/file/d/1BfHG7WEbKY1P1FOG9tpTKxVZ-JeReEU5/view?usp=sharing

71d7f6cdf5b1934a1b69f0624f5a7523?s=128

Aya (Igarashi) Ozawa

April 20, 2018
Tweet

More Decks by Aya (Igarashi) Ozawa

See All by Aya (Igarashi) Ozawa
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
0
92
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
0
45
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
17
6.2k
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
3
4k
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
5
2.2k
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
5
630
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
1
290
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
4
1.7k
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
2
2.3k

Other Decks in Technology

See All in Technology
8db3c91c8b3d3e5686f62fbf43c303dd?s=48 satoryu
0
2.1k
9ea422a61c1a69c888786830eee3dbe6?s=48 osonoi
0
160
0f4a27389318ca7087ae12b1593171c1?s=48 saoritakita
0
340
Bee82b2f6e75097641a3ba5ce70c2368?s=48 takem001
0
880
3115a782126be714b5f94d24073c957d?s=48 oracle4engineer
1
210
762c4094331850bef09278aae28f1a32?s=48 unifa_dev
0
330
3bd2c1eac6c4d0852c6a788dd835db44?s=48 awsbelaraby
2
140
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
PRO
0
330
0d29d155ce5c5a93ed46363626da3ea7?s=48 ocise
1
920
19fc8f6113c5c3d86e6176362ff29479?s=48 kanaugust
PRO
0
150
Bf7fe621f4fe1615c228ef8a79b87282?s=48 shirayanagiryuji
1
400
0d29d155ce5c5a93ed46363626da3ea7?s=48 ocise
0
120

Featured

See All Featured
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
186
14k
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
113
25k
1f74b13f1e5c6c69cb5d7fbaabb1e2cb?s=48 sferik
609
54k
64827b31aef81498662e8af4bd6d5157?s=48 jonrohan
1021
380k
245cee81a9c424266e5e401d844ea881?s=48 lara
16
2.6k
D47656e20ff5e42f125fc5ea0fd636c6?s=48 tmm1
61
8.3k
F57e2136eb9895eb95ff5dc8a1c02677?s=48 zakiwarfel
88
3.3k
053e75a5b48b44d6dd0612795dfb326d?s=48 notwaldorf
13
1.5k
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
4
550
Ecdea9b9714877b86cee08458f085481?s=48 trallard
13
640
Fe6b81005d1553accd6b2a28f6a2bef1?s=48 phodgson
87
3.9k
7653c7c449918ff6542880a8c284f5e7?s=48 jponch
103
4.9k

Transcript

  1. Japan Container Days v18.04 *TUJPͱڞʹ.JDSPTFSWJDFT ʹཱͪ޲͔͑ Aya Igarashi @Ladicle

  2. Software Engineer @Ladicle AYA IGARASHI

  3. Istio x KubernetesͰ͸ ͦΕΒͷ໰୊ΛͲ͏ղܾ ͢Δͷ͔? ࿩͍ͨ͜͠ͱ Istioʹೖ໳͢Δʹ͸? ෳࡶʹͳͬͨ Microservicesύλʔϯ ͷγεςϜ͕࣋ͭ໰୊఺

    1 2 3 ͭΒ͍…. Αͦ͞͏ ΍ͬͯΈΑ͏

  4. ฉ͍ͯ΄͍͜͠ͱ ͯ͠ ͍Δ MicroservicesͰ։ൃ/ӡ༻Λ… IstioʹΑΔղܾํ๏ͱࠓ΍͍ͬͯΔ ํ๏Λൺֱ MicroservicesͰ͋Γ͕ͪͳ໰୊Λؾʹ ͱΊ͓ͯ͘ ͜Ε ͔Β

    ͯ͠ ͍Δ

  5. 2014 Microservices https://martinfowler.com/articles/microservices.html James Lewis & Martin Fowler

  6. Monolithic vs. Microservices ༻్ɾ໨త͝ͱʹ খ͞ͳΞϓϦέʔγϣϯΛ࡞Δ Ұຕؠ(Monolitic)ͷΑ͏ʹ ҰͭͷΞϓϦέʔγϣϯΛ࡞Δ

  7. Scale-out ͠΍͍͢ ૿΍͍ͨ͠ΞϓϦέʔγϣϯ͚ͩ Scale-outͰ͖Δ શͯΛҰؾʹ૿΍͢ or Scale-up ͷΈʹରԠ͍ͯ͠Δ

  8. Update มߋ͠΍͍͢ Update Ұ෦ͷΞϓϦέʔγϣϯ͚ͩ ߋ৽͢Δ͜ͱ͕Ͱ͖Δ ModuleͷҰ෦ͷΈͷमਖ਼Ͱ΋ ΞϓϦέʔγϣϯશମ͕ର৅

  9. େਓ਺Ͱ։ൃ͠΍͍͢ API API νʔϜؒ͸APIΛఆٛ͠ ಺෦ͷมߋ͸ಠཱ࣮ͯ͠ࢪͰ͖Δ ίϛϡχέʔγϣϯίετ͕ߴ͘ ։ൃ଎౓͕Լ͕Δ

  10. NO SILVER BULLET

  11. ෳࡶʹͳΓଓ͚ΔγεςϜ 2014 2016 201

  12. ෳࡶͳγεςϜ͕΋ͨΒ͢໰୊఺ 1 2 3 4 γεςϜͷશମ૾͕೺ѲͰ͖ͳ͍ ΞϓϦέʔγϣϯؒͷ௨৴Λ੍ޚ͖͠Εͳ͍ 伴ͱূ໌ॻΛ؅ཧ͖͠Εͳ͍ ো֐࣌ʹԿ͕ى͜Δ͔෼͔Βͳ͍ Traffic

    Management Security Visualization Chaos Engineering

  13. Istio͕͜ΕΒͷ ໰୊Λղܾ͠·͢ʂ

  14. But,

  15. NO SILVER BULLET

  16. Istioͱ͸? “ෳࡶͳαʔϏεϝογϡͷ؅ཧ͕௥͍͔ͭͳ͍” ͱ͍͏໰୊Λղܾ͢ΔͨΊIBM, Google, Lyftʹ Αͬͯ։ൃ͞ΕͨOSSͰ͢ɻ https://github.com/istio/istio (latest: v0.7) ※

    Istio͸ΪϦγϟޠͰൕͱ͍͏ҙຯ

  17. ΞϓϦέʔγϣϯؒͰ ϝογϡঢ়ʹ ௨৴͢ΔωοτϫʔΫͷ͜ͱ Service Meshͱ͸ʁ Mesh

  18. ͲͷΑ͏ʹServiceMeshΛ؅ཧ͍ͯ͠Δͷ͔? Pod App Envoy App Pod Pilot Mixer Auth Istio

    Controle Plane Data Plane Config data ֤ΞϓϦέʔγϣϯͷखલʹϓ ϩΩγαʔόΛஔ͖ɺ͜ͷϓϩ ΩγͷઃఆΛControle Plane͔ ΒAPIܦ༝Ͱ੍ޚ͢Δ Envoy

  19. Envoyͱ͸? App Envoy C++11Ͱॻ͔Εͨ L4/L7 proxy LyftʹΑͬͯ։ൃ͞ΕͨOSS APIܦ༝ͷઃఆมߋ͕Մೳ ઃఆมߋ࣌ʹrestart͕ෆཁ HTTP/2

    & GRPC ʹ΋ରԠ Proxy in/out-bound Traffic

  20. Problem 1 ServiceMeshΛ੍ޚ͖͠Εͳ͍

  21. ໰୊1 ServiceMeshΛ੍ޚ͖͠Εͳ͍ Complex ServiceMesh ΞϓϦέʔγϣϯͷίʔυʹServiceMesh ͷઃఆ͕ຒΊࠐ·Ε͍ͯΔ৔߹ ↪︎ मਖ਼ຖʹ࠶σϓϩΠ͕ඞཁ ↪︎ ӡ༻/։ൃνʔϜͷ૒ํʹෛՙ

  22. ղܾࡦ1 ServiceMeshͷઃఆΛ෼཭ apiVersion: networking.istio.io/v1alpha3 kind: VirtualService …. spec: # ϦΫΤετͷѼઌΛࢦఆ

    hosts: - myapp http: - match: - uri: # URI ʹ /v1/oldHome Λ͍࣋ͬͯΔ # ϦΫΤετʹϚον exact: /v1/oldHome redirect: # /v1/newHome ʹϦμΠϨΫτ uri: /v1/newHome authority: myapp.default.svc.cluster.local ServiceMeshͷઃఆ͕ΞϓϦέʔγϣ ϯίʔυʹґଘ͠ͳ͍ L7LBʹΑͬͯॊೈͳϧʔςΟϯά͕ Ͱ͖Δ ։ൃऀͱӡ༻ऀ͕෼ۀ͠΍͍͢ • ΧφϦΞʔϦϦʔεͰ҆৺ͳupgrade • ϦΫΤετΛϓϩμΫγϣϯͱ εςʔδϯά؀ڥ΁ͷϛϥʔ • pathʹΑͬͯΞϓϦέʔγϣϯΛ෼͚Δ • ܞଳͱPCͳͲΫϥΠΞϯτʹԠͨ͡ৼΓ෼͚

  23. TrafficΛEnvoyʹྲྀ͢࢓૊Έ Init Istio App K8s 1. Deploy App initContainers: -

    name: istio-init image: docker.io/istio/proxy_init …. containers: - name: istio-proxy image: docker.io/istio/proxy_debug securityContext: runAsUser: 1337 args: - -p - “15001” …. - name: App image: docker.io/ladicle/myapp ...... 3.Change iptables rules Redirect In&Out bound Traffic UID: 1337 2. Create istio-init 4. Create App and istio-proxy proxy Istio

  24. istio-initʹΑΔiptablesͷมߋ istio-proxy@productpage-v1-5f9b797dfc-n6rn4:/$ sudo iptables -t nat -n -L -v Chain

    PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ISTIO_REDIRECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* istio/install-istio-prerouting */ …. Chain OUTPUT (policy ACCEPT 1024 packets, 96005 bytes) pkts bytes target prot opt in out source destination 21 1260 ISTIO_OUTPUT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* istio/install-istio-output */ …. Chain ISTIO_OUTPUT (1 references) pkts bytes target prot opt in out source destination 0 0 ISTIO_REDIRECT all -- * lo 0.0.0.0/0 !127.0.0.1 /* istio/redirect-implicit-loopback */ 19 1140 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 1337 /* istio/bypass-envoy */ 0 0 RETURN all -- * * 0.0.0.0/0 127.0.0.1 /* istio/bypass-explicit-loopback */ 2 120 ISTIO_REDIRECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* istio/redirect-default-outbound */ Chain ISTIO_REDIRECT (3 references) pkts bytes target prot opt in out source destination 2 120 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* istio/redirect-to-envoy-port */ redir ports 15001 Redirect all Traffic to Envoy Except own & lo

  25. K8s ServiceMeshͷઃఆΛม͑Δ App 1. Call Rules API proxy Istio 3.

    Call Envoy API Pilot 2. Detect changes of service-account 4. Update Envoy Config listeners: - address: socket_address: address: 0.0.0.0 port_value: 15004 filter_chains: - filters: …. http_filters: - config: default_destination_service: istio-pol service_configs: istio-policy.{{ .PodNamespace }}.svc disable_check_calls: true mixer_attributes: attributes:

  26. Problem 2 伴ͱূ໌ॻΛ؅ཧ͖͠Εͳ͍

  27. ໰୊2 伴ͱূ໌ॻΛ؅ཧ͖͠Εͳ͍ γεςϜʹΑͬͯ͸ΞϓϦέʔγϣϯؒ௨ ৴ͷ҉߸Խ͸ඞਢ ΞϓϦέʔγϣϯ਺͕ଟ͘ͳΔͱɺ Difficult Key & Certificate Management

    ҰͭҰͭ伴΍ূ໌ॻͷੜ੒ɺ഑෍ɺߋ৽ɺ ແޮԽʹରԠ͢Δ͕࣌ؒͳ͘ͳΔ

  28. ղܾࡦ2 伴ͱূ໌ॻͷ؅ཧΛࣗಈԽ 伴ͱূ໌ॻͷੜ੒, ഑෍, ߋ৽, ഇࢭʹରԠ͍ͯ͠Δ K8s 1. Deploy App

    3. Generate self signed key & cert 7. Push Secure Naming 5. Deploy Pod with Secret 2. Detect service account change CA Istio 4. Store to Secret Pilot 6. Watch Secure Naming Foo proxy Istio (SD) Mutual TLS(૬ޓTLS)Λαϙʔτ SAN: “spiffe://…/foo” mTLS Bar proxy Istio SAN: “spiffe://…/bar” ref: https://spiffe.io/

  29. Problem 3 γεςϜͷશମ૾͕೺ѲͰ͖ͳ͍ Observability, observability, observability!

  30. ໰୊3 γεςϜͷશମ૾͕೺ѲͰ͖ͳ͍ ? ΞϓϦέʔγϣϯͷ਺͕େ͖͘ͳΓɺ೔ʑ Ͳ͔͜Ͱमਖ਼͕Ճ͑ΒΕ͍ͯΔ৔߹ɺ ↪︎ ߏ੒ਤͷखಈυΩϡϝϯτ͸஗Ε͕ͪ ↪︎ σόοά΍ো֐ղੳ͢Δʹ΋ϩά͚ͩͰ͸ Ͳ͜·Ͱ੒ޭͨ͠ͷ͔೺Ѳͮ͠Β͍

  31. ໰୊3 ՄࢹԽπʔϧͱͷ࿈ܞ Metrics Traces Prometheus × Grafana Zipkin ServiceGraph Graphviz

    x Prometheus

  32. IstioͱPrometheus͕Ͳ͏࿈ܞ͢Δͷ͔? # Rule to send metric instances to a Prometheus

    handler apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: mongoprom namespace: default spec: match: context.protocol == "tcp" && destination.service == "mongodb.default.svc.cluster.local" actions: - handler: mongohandler.prometheus instances: - mongoreceivedbytes.metric - mongosentbytes.metric # Configuration for a Prometheus han apiVersion: "config.istio.io/v1alpha2" kind: prometheus metadata: name: mongohandler namespace: default spec: metrics: - name: mongo_sent_bytes # Prometh instance_name: mongosentbytes.me kind: COUNTER label_names: - source_service - source_version - destination_version - name: mongo_received_bytes # Prom instance_name: mongoreceivedbytes ௨৴ܥͷMetrics͸উखʹ औͬͯ͘ΕΔ σϑΥϧτͷMetrics͔Β ServiceGraphΛੜ੒Ͱ͖Δ

  33. Distributed Tracingͱ͸? ϦΫΤετΛड͚औ͔ͬͯΒॲཧ͕׬ྃ͢Δ·ͰͷظؒΛSpanͱ͠ ͯDAGͰදݱ͠ɺ͜ΕΛ࣌ܥྻʹฒ΂ͨ΋ͷΛτϨʔε݁Ռͱͯ͠ දࣔ͢ΔɻશͯͷSpan͸໊લͱ։࢝࣌ؒɺܧଓ࣌ؒɺଞͷSpanͱ ͷRelationΛ͍࣋ͬͯΔɻ ΞϓϦέʔγϣϯؒͷϦΫΤετͷྲྀΕ΍࣌ؒΛՄࢹԽ͢Δπʔϧ Client LB Auth

    App DB 1, 8 2, 3 4, 7 5, 6 Time

  34. IstioͱTraces͕Ͳ͏࿈ܞ͢Δͷ͔? ࣗಈతʹεύϯΛૹ৴Ͱ͖Δ τϨʔεશମΛؔ࿈͚ͮΔ͜ͱ͸Ͱ͖ͳ͍ ҎԼͷϔομΛࢠʹ఻ൖͤ͞Δ͜ͱͰؔ࿈͚ͮͰ͖Δ • x-request-id • x-b3-traceid • x-b3-spanid

    • x-b3-parentspanid • x-b3-sampled • x-b3-flags • x-ot-span-context def getForwardHeaders(request): headers = {} user_cookie = request.cookies.get("user") if user_cookie: headers['Cookie'] = 'user=' + user_cookie incoming_headers = [ 'x-request-id', 'x-b3-traceid', 'x-b3-spanid', 'x-b3-parentspanid', 'x-b3-sampled', 'x-b3-flags', 'x-ot-span-context' ] for ihdr in incoming_headers: val = request.headers.get(ihdr) if val is not None: headers[ihdr] = val

  35. Mixer͕Backendͱ࿈ܞ͢Δ࢓૊Έ App proxy Istio K8s Update Mixer Config Mixer Adapters

    Report attributes Backends ΞϓϦέʔγϣϯίʔυͱBackendΛ஥հ MixterΛڬΉ͜ͱͰӡ༻ऀ੍͕ޚͰ͖Δ AdapterΛ௥Ճͯ͠ಠࣗͷBackendΛ૿΍ͤΔ

  36. MixtureͷϦΫΤετͷྲྀΕ

  37. Problem 4 ো֐࣌ʹԿ͕ى͜Δ͔Θ͔Βͳ͍

  38. ໰୊4 ো֐࣌ʹԿ͕ى͜Δ͔Θ͔Βͳ͍ γεςϜʹো֐͸͖ͭ΋ͷɻ ͔͠͠ɺো֐Λى͜͢ࢼݧ͸खಈͰ΍Δ ͱଓ͔ͣɺಠࣗʹ࣮૷͢Δͱଟ͘ͷίετ ͕͔͔Δɻ݁Ռɺޙճ͠ʹ͞Ε͕ͪ !? ↪︎ ো֐͕ى͜Δ·Ͱରࡦ͕ଧͨΕͳ͍

  39. ղܾࡦ4 Fault InjectionͰো֐ʹඋ͑Δ ର৅ൣғͱো֐಺༰Λࢦఆ͢Δ͚ͩͰ खܰʹো֐Λ࣮ݧͰ͖Δ apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata:

    name: reviews-route spec: …. fault: delay: percent: 10 fixedDelay: 5s …. fault: abort: percent: 10 httpStatus: 400 ࢦఆ͞Εׂͨ߹ͷϦΫΤετʹରͯ͠ Delay: ࢦఆ͞Ε͚ͨ࣌ؒͩ஗ΒͤΔ Abort: ֘౰ͷεςʔλείʔυΛฦ͢ Chaos http2Error grpcStatus΋࣮૷༧ఆ

  40. ղܾࡦ4 Circuit BrakerͰো֐Λ࠷খݶʹ཈͑Δ apiVersion: config.istio.io/v1alpha2 kind: RouteRule metadata: name: ratings-delay

    spec: … httpFault: delay: percent: 10 fixedDelay: 5s apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule … trafficPolicy: connectionPool: tcp: maxConnections: 100 http: http2MaxRequests: 1000 maxRequestPerConnection: 10 outlinerDetection: http: consecutiveErrors: 7 Interval: 5m baseEjectionTime: 10 ίʔυΛॻ͔ͣʹΤϥʔ͕ଓ͘ΞϓϦ έʔγϣϯ΁ͷϦΫΤετΛःஅ͢Δ Add x-envoy-overloaded Block Block Break

  41. ͓͞Β͍ 1 2 3 4 γεςϜͷશମ૾͕೺ѲͰ͖ͳ͍ ServiceMeshΛ੍ޚ͖͠Εͳ͍ 伴ͱূ໌ॻΛ؅ཧ͖͠Εͳ͍ ো֐࣌ʹԿ͕ى͜Δ͔Θ͔Βͳ͍ ՄࢹԽπʔϧͱ࿈ܞ

    & ࣗಈԽΛαϙʔτ ServiceMeshͷઃఆΛ෼཭͢Δ ηΩϡΞ௨৴ͷͨΊͷ伴Λ؅ཧ͖͠Εͳ͍ FIT & CircuitBrakerͰো֐ʹඋ͑Δ

  42. ଞʹ΋ ৭ʑͰ͖·͢! Policy Enforcement Role Base Access Control Rate Limit

    Control Ingress Traffic Control Egress Traffic Integrate Bare Metal Logging Request Timeout Deploy to Eureka ɹɹɹɹɹMesos, CF

  43. Istioʹೖ໳͢Δ

  44. ೖ໳νϟʔτ C B D Start ͜ͷϓϨθϯ Λฉ͍ͯ֓ཁ Λ೺Ѳͨ͠ Istio؀ڥΛ ηοτΞοϓ

    ͨ͠ ڭ͑ͯཉ͍͠ ͜ͷൃදͰ ؾʹͳΔ Topic͕͋Δ A YES YES YES Istio ॳ৺ऀͩ IstioΛ׬શʹ ཧղ͍ͯ͠Δ NO YES NO NO ৸ͯͨͱ͜Ζ͸ SpeakerDeckΛcheck! https://speakerdeck.com/ladicle YES E QuickStartΛࢀߟʹ IstioΛΠϯετʔϧ https://istio.io/docs/setup/ kubernetes/quick-start.html GKEͷQuick Start͕Φεεϝ ֘౰͢ΔTasksΛࢼ͢ https://istio.io/docs/tasks/ NO ໢ཏతͳGuidsͷ νϡʔτϦΞϧΛࢼ͢ https://istio.io/docs/guides/

  45. ࠔͬͨ࣌͸ʁ 1 2 3 4 ͓ࢼ͠தʹτϥϒͬͨ ࣭໰͕͋Δ 2Ͱ΋ղܾ͠ͳ͍࣭໰͕͋Δ τϥγϡʔΨΠυΛࢀর https://istio.io/help/troubleshooting.html

    όάΛݟ͚ͭͨ ॆ࣮ͷFAQΛࢀর https://istio.io/help/faq ҆ఆͷStack Overflow https://stackoverflow.com/questions/tagged/istio GitHubͷIssue΁ https://github.com/istio/issues/issues/

  46. WE ARE HIRING!

  47. THANK YOU For you time & we’ll see you soon

    @ladicle