Save 37% off PRO during our Black Friday Sale! »

Istioと共にマイクロサービスに立ち向かえ!

71d7f6cdf5b1934a1b69f0624f5a7523?s=47 Aya (Igarashi) Ozawa
April 20, 2018
Technology
31
10k

 Istioと共にマイクロサービスに立ち向かえ!

Japan Container Days V18.04
PDF: https://drive.google.com/file/d/1BfHG7WEbKY1P1FOG9tpTKxVZ-JeReEU5/view?usp=sharing

71d7f6cdf5b1934a1b69f0624f5a7523?s=128

Aya (Igarashi) Ozawa

April 20, 2018
Tweet

More Decks by Aya (Igarashi) Ozawa

See All by Aya (Igarashi) Ozawa
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
0
81
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
0
130
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
0
92
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
17
6.6k
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
3
4.2k
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
5
2.6k
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
5
770
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
1
400
71d7f6cdf5b1934a1b69f0624f5a7523?s=48 ladicle
4
1.8k

Other Decks in Technology

See All in Technology
D2d151b1f646128e4875038282acd953?s=48 humanresociarpa
1
11k
3933b943fb70400bbc26f3cb78d8204c?s=48 sakiengineer
2
930
5d9cd19df0e91caac118b793b4f803d5?s=48 takefumiyoshii
7
4.1k
D4380e6758ea5901e2612d9e81eb01bc?s=48 ambrinc
3
520
2bedb1eb8f841cd3c3ae584600b016e0?s=48 okunokentaro
1
430
C082aa76a5e47f5f99e74043452d4ffe?s=48 akakou
1
260
997716e957fe4db19491b2794346a7ce?s=48 airreader
0
330
73c9d1065e0075a9da6e404e08fe77fb?s=48 siroitori0413
0
160
8d0803aa4572615f7bce5f5288e6b716?s=48 mochan_tk
0
1k
Ef2327689a92d784d7d63803140e833e?s=48 yulstat
0
130
88b514e6413838c0d0cfb3257cefd19d?s=48 kamata_shingo
5
710
6271a2c3d1c1f6d23f0d758bdf47626c?s=48 sunaotabata
18
35k

Featured

See All Featured
Aff5641764408271f7bc398f2097edd0?s=48 denniskardys
223
120k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1352
200k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
688
180k
1b75d89772b7eea1f6c89fbf362607d9?s=48 moore
129
22k
64827b31aef81498662e8af4bd6d5157?s=48 jonrohan
1021
410k
A0517b08532aec8ab2aae3f65d40ad86?s=48 hannesfritz
32
1.2k
0438ae60cde4c7add6f9da48f28c15cc?s=48 chrisshort
6
28k
8ec1383b240b5ba15ffb9743fceb3c0e?s=48 philnash
23
1.2k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
208
20k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
74
1.7k
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
17
1.2k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
498
130k

Transcript

  1. Japan Container Days v18.04 *TUJPͱڞʹ.JDSPTFSWJDFT ʹཱͪ޲͔͑ Aya Igarashi @Ladicle

  2. Software Engineer @Ladicle AYA IGARASHI

  3. Istio x KubernetesͰ͸ ͦΕΒͷ໰୊ΛͲ͏ղܾ ͢Δͷ͔? ࿩͍ͨ͜͠ͱ Istioʹೖ໳͢Δʹ͸? ෳࡶʹͳͬͨ Microservicesύλʔϯ ͷγεςϜ͕࣋ͭ໰୊఺

    1 2 3 ͭΒ͍…. Αͦ͞͏ ΍ͬͯΈΑ͏

  4. ฉ͍ͯ΄͍͜͠ͱ ͯ͠ ͍Δ MicroservicesͰ։ൃ/ӡ༻Λ… IstioʹΑΔղܾํ๏ͱࠓ΍͍ͬͯΔ ํ๏Λൺֱ MicroservicesͰ͋Γ͕ͪͳ໰୊Λؾʹ ͱΊ͓ͯ͘ ͜Ε ͔Β

    ͯ͠ ͍Δ

  5. 2014 Microservices https://martinfowler.com/articles/microservices.html James Lewis & Martin Fowler

  6. Monolithic vs. Microservices ༻్ɾ໨త͝ͱʹ খ͞ͳΞϓϦέʔγϣϯΛ࡞Δ Ұຕؠ(Monolitic)ͷΑ͏ʹ ҰͭͷΞϓϦέʔγϣϯΛ࡞Δ

  7. Scale-out ͠΍͍͢ ૿΍͍ͨ͠ΞϓϦέʔγϣϯ͚ͩ Scale-outͰ͖Δ શͯΛҰؾʹ૿΍͢ or Scale-up ͷΈʹରԠ͍ͯ͠Δ

  8. Update มߋ͠΍͍͢ Update Ұ෦ͷΞϓϦέʔγϣϯ͚ͩ ߋ৽͢Δ͜ͱ͕Ͱ͖Δ ModuleͷҰ෦ͷΈͷमਖ਼Ͱ΋ ΞϓϦέʔγϣϯશମ͕ର৅

  9. େਓ਺Ͱ։ൃ͠΍͍͢ API API νʔϜؒ͸APIΛఆٛ͠ ಺෦ͷมߋ͸ಠཱ࣮ͯ͠ࢪͰ͖Δ ίϛϡχέʔγϣϯίετ͕ߴ͘ ։ൃ଎౓͕Լ͕Δ

  10. NO SILVER BULLET

  11. ෳࡶʹͳΓଓ͚ΔγεςϜ 2014 2016 201

  12. ෳࡶͳγεςϜ͕΋ͨΒ͢໰୊఺ 1 2 3 4 γεςϜͷશମ૾͕೺ѲͰ͖ͳ͍ ΞϓϦέʔγϣϯؒͷ௨৴Λ੍ޚ͖͠Εͳ͍ 伴ͱূ໌ॻΛ؅ཧ͖͠Εͳ͍ ো֐࣌ʹԿ͕ى͜Δ͔෼͔Βͳ͍ Traffic

    Management Security Visualization Chaos Engineering

  13. Istio͕͜ΕΒͷ ໰୊Λղܾ͠·͢ʂ

  14. But,

  15. NO SILVER BULLET

  16. Istioͱ͸? “ෳࡶͳαʔϏεϝογϡͷ؅ཧ͕௥͍͔ͭͳ͍” ͱ͍͏໰୊Λղܾ͢ΔͨΊIBM, Google, Lyftʹ Αͬͯ։ൃ͞ΕͨOSSͰ͢ɻ https://github.com/istio/istio (latest: v0.7) ※

    Istio͸ΪϦγϟޠͰൕͱ͍͏ҙຯ

  17. ΞϓϦέʔγϣϯؒͰ ϝογϡঢ়ʹ ௨৴͢ΔωοτϫʔΫͷ͜ͱ Service Meshͱ͸ʁ Mesh

  18. ͲͷΑ͏ʹServiceMeshΛ؅ཧ͍ͯ͠Δͷ͔? Pod App Envoy App Pod Pilot Mixer Auth Istio

    Controle Plane Data Plane Config data ֤ΞϓϦέʔγϣϯͷखલʹϓ ϩΩγαʔόΛஔ͖ɺ͜ͷϓϩ ΩγͷઃఆΛControle Plane͔ ΒAPIܦ༝Ͱ੍ޚ͢Δ Envoy

  19. Envoyͱ͸? App Envoy C++11Ͱॻ͔Εͨ L4/L7 proxy LyftʹΑͬͯ։ൃ͞ΕͨOSS APIܦ༝ͷઃఆมߋ͕Մೳ ઃఆมߋ࣌ʹrestart͕ෆཁ HTTP/2

    & GRPC ʹ΋ରԠ Proxy in/out-bound Traffic

  20. Problem 1 ServiceMeshΛ੍ޚ͖͠Εͳ͍

  21. ໰୊1 ServiceMeshΛ੍ޚ͖͠Εͳ͍ Complex ServiceMesh ΞϓϦέʔγϣϯͷίʔυʹServiceMesh ͷઃఆ͕ຒΊࠐ·Ε͍ͯΔ৔߹ ↪︎ मਖ਼ຖʹ࠶σϓϩΠ͕ඞཁ ↪︎ ӡ༻/։ൃνʔϜͷ૒ํʹෛՙ

  22. ղܾࡦ1 ServiceMeshͷઃఆΛ෼཭ apiVersion: networking.istio.io/v1alpha3 kind: VirtualService …. spec: # ϦΫΤετͷѼઌΛࢦఆ

    hosts: - myapp http: - match: - uri: # URI ʹ /v1/oldHome Λ͍࣋ͬͯΔ # ϦΫΤετʹϚον exact: /v1/oldHome redirect: # /v1/newHome ʹϦμΠϨΫτ uri: /v1/newHome authority: myapp.default.svc.cluster.local ServiceMeshͷઃఆ͕ΞϓϦέʔγϣ ϯίʔυʹґଘ͠ͳ͍ L7LBʹΑͬͯॊೈͳϧʔςΟϯά͕ Ͱ͖Δ ։ൃऀͱӡ༻ऀ͕෼ۀ͠΍͍͢ • ΧφϦΞʔϦϦʔεͰ҆৺ͳupgrade • ϦΫΤετΛϓϩμΫγϣϯͱ εςʔδϯά؀ڥ΁ͷϛϥʔ • pathʹΑͬͯΞϓϦέʔγϣϯΛ෼͚Δ • ܞଳͱPCͳͲΫϥΠΞϯτʹԠͨ͡ৼΓ෼͚

  23. TrafficΛEnvoyʹྲྀ͢࢓૊Έ Init Istio App K8s 1. Deploy App initContainers: -

    name: istio-init image: docker.io/istio/proxy_init …. containers: - name: istio-proxy image: docker.io/istio/proxy_debug securityContext: runAsUser: 1337 args: - -p - “15001” …. - name: App image: docker.io/ladicle/myapp ...... 3.Change iptables rules Redirect In&Out bound Traffic UID: 1337 2. Create istio-init 4. Create App and istio-proxy proxy Istio

  24. istio-initʹΑΔiptablesͷมߋ istio-proxy@productpage-v1-5f9b797dfc-n6rn4:/$ sudo iptables -t nat -n -L -v Chain

    PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ISTIO_REDIRECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* istio/install-istio-prerouting */ …. Chain OUTPUT (policy ACCEPT 1024 packets, 96005 bytes) pkts bytes target prot opt in out source destination 21 1260 ISTIO_OUTPUT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* istio/install-istio-output */ …. Chain ISTIO_OUTPUT (1 references) pkts bytes target prot opt in out source destination 0 0 ISTIO_REDIRECT all -- * lo 0.0.0.0/0 !127.0.0.1 /* istio/redirect-implicit-loopback */ 19 1140 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 1337 /* istio/bypass-envoy */ 0 0 RETURN all -- * * 0.0.0.0/0 127.0.0.1 /* istio/bypass-explicit-loopback */ 2 120 ISTIO_REDIRECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* istio/redirect-default-outbound */ Chain ISTIO_REDIRECT (3 references) pkts bytes target prot opt in out source destination 2 120 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* istio/redirect-to-envoy-port */ redir ports 15001 Redirect all Traffic to Envoy Except own & lo

  25. K8s ServiceMeshͷઃఆΛม͑Δ App 1. Call Rules API proxy Istio 3.

    Call Envoy API Pilot 2. Detect changes of service-account 4. Update Envoy Config listeners: - address: socket_address: address: 0.0.0.0 port_value: 15004 filter_chains: - filters: …. http_filters: - config: default_destination_service: istio-pol service_configs: istio-policy.{{ .PodNamespace }}.svc disable_check_calls: true mixer_attributes: attributes:

  26. Problem 2 伴ͱূ໌ॻΛ؅ཧ͖͠Εͳ͍

  27. ໰୊2 伴ͱূ໌ॻΛ؅ཧ͖͠Εͳ͍ γεςϜʹΑͬͯ͸ΞϓϦέʔγϣϯؒ௨ ৴ͷ҉߸Խ͸ඞਢ ΞϓϦέʔγϣϯ਺͕ଟ͘ͳΔͱɺ Difficult Key & Certificate Management

    ҰͭҰͭ伴΍ূ໌ॻͷੜ੒ɺ഑෍ɺߋ৽ɺ ແޮԽʹରԠ͢Δ͕࣌ؒͳ͘ͳΔ

  28. ղܾࡦ2 伴ͱূ໌ॻͷ؅ཧΛࣗಈԽ 伴ͱূ໌ॻͷੜ੒, ഑෍, ߋ৽, ഇࢭʹରԠ͍ͯ͠Δ K8s 1. Deploy App

    3. Generate self signed key & cert 7. Push Secure Naming 5. Deploy Pod with Secret 2. Detect service account change CA Istio 4. Store to Secret Pilot 6. Watch Secure Naming Foo proxy Istio (SD) Mutual TLS(૬ޓTLS)Λαϙʔτ SAN: “spiffe://…/foo” mTLS Bar proxy Istio SAN: “spiffe://…/bar” ref: https://spiffe.io/

  29. Problem 3 γεςϜͷશମ૾͕೺ѲͰ͖ͳ͍ Observability, observability, observability!

  30. ໰୊3 γεςϜͷશମ૾͕೺ѲͰ͖ͳ͍ ? ΞϓϦέʔγϣϯͷ਺͕େ͖͘ͳΓɺ೔ʑ Ͳ͔͜Ͱमਖ਼͕Ճ͑ΒΕ͍ͯΔ৔߹ɺ ↪︎ ߏ੒ਤͷखಈυΩϡϝϯτ͸஗Ε͕ͪ ↪︎ σόοά΍ো֐ղੳ͢Δʹ΋ϩά͚ͩͰ͸ Ͳ͜·Ͱ੒ޭͨ͠ͷ͔೺Ѳͮ͠Β͍

  31. ໰୊3 ՄࢹԽπʔϧͱͷ࿈ܞ Metrics Traces Prometheus × Grafana Zipkin ServiceGraph Graphviz

    x Prometheus

  32. IstioͱPrometheus͕Ͳ͏࿈ܞ͢Δͷ͔? # Rule to send metric instances to a Prometheus

    handler apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: mongoprom namespace: default spec: match: context.protocol == "tcp" && destination.service == "mongodb.default.svc.cluster.local" actions: - handler: mongohandler.prometheus instances: - mongoreceivedbytes.metric - mongosentbytes.metric # Configuration for a Prometheus han apiVersion: "config.istio.io/v1alpha2" kind: prometheus metadata: name: mongohandler namespace: default spec: metrics: - name: mongo_sent_bytes # Prometh instance_name: mongosentbytes.me kind: COUNTER label_names: - source_service - source_version - destination_version - name: mongo_received_bytes # Prom instance_name: mongoreceivedbytes ௨৴ܥͷMetrics͸উखʹ औͬͯ͘ΕΔ σϑΥϧτͷMetrics͔Β ServiceGraphΛੜ੒Ͱ͖Δ

  33. Distributed Tracingͱ͸? ϦΫΤετΛड͚औ͔ͬͯΒॲཧ͕׬ྃ͢Δ·ͰͷظؒΛSpanͱ͠ ͯDAGͰදݱ͠ɺ͜ΕΛ࣌ܥྻʹฒ΂ͨ΋ͷΛτϨʔε݁Ռͱͯ͠ දࣔ͢ΔɻશͯͷSpan͸໊લͱ։࢝࣌ؒɺܧଓ࣌ؒɺଞͷSpanͱ ͷRelationΛ͍࣋ͬͯΔɻ ΞϓϦέʔγϣϯؒͷϦΫΤετͷྲྀΕ΍࣌ؒΛՄࢹԽ͢Δπʔϧ Client LB Auth

    App DB 1, 8 2, 3 4, 7 5, 6 Time

  34. IstioͱTraces͕Ͳ͏࿈ܞ͢Δͷ͔? ࣗಈతʹεύϯΛૹ৴Ͱ͖Δ τϨʔεશମΛؔ࿈͚ͮΔ͜ͱ͸Ͱ͖ͳ͍ ҎԼͷϔομΛࢠʹ఻ൖͤ͞Δ͜ͱͰؔ࿈͚ͮͰ͖Δ • x-request-id • x-b3-traceid • x-b3-spanid

    • x-b3-parentspanid • x-b3-sampled • x-b3-flags • x-ot-span-context def getForwardHeaders(request): headers = {} user_cookie = request.cookies.get("user") if user_cookie: headers['Cookie'] = 'user=' + user_cookie incoming_headers = [ 'x-request-id', 'x-b3-traceid', 'x-b3-spanid', 'x-b3-parentspanid', 'x-b3-sampled', 'x-b3-flags', 'x-ot-span-context' ] for ihdr in incoming_headers: val = request.headers.get(ihdr) if val is not None: headers[ihdr] = val

  35. Mixer͕Backendͱ࿈ܞ͢Δ࢓૊Έ App proxy Istio K8s Update Mixer Config Mixer Adapters

    Report attributes Backends ΞϓϦέʔγϣϯίʔυͱBackendΛ஥հ MixterΛڬΉ͜ͱͰӡ༻ऀ੍͕ޚͰ͖Δ AdapterΛ௥Ճͯ͠ಠࣗͷBackendΛ૿΍ͤΔ

  36. MixtureͷϦΫΤετͷྲྀΕ

  37. Problem 4 ো֐࣌ʹԿ͕ى͜Δ͔Θ͔Βͳ͍

  38. ໰୊4 ো֐࣌ʹԿ͕ى͜Δ͔Θ͔Βͳ͍ γεςϜʹো֐͸͖ͭ΋ͷɻ ͔͠͠ɺো֐Λى͜͢ࢼݧ͸खಈͰ΍Δ ͱଓ͔ͣɺಠࣗʹ࣮૷͢Δͱଟ͘ͷίετ ͕͔͔Δɻ݁Ռɺޙճ͠ʹ͞Ε͕ͪ !? ↪︎ ো֐͕ى͜Δ·Ͱରࡦ͕ଧͨΕͳ͍

  39. ղܾࡦ4 Fault InjectionͰো֐ʹඋ͑Δ ର৅ൣғͱো֐಺༰Λࢦఆ͢Δ͚ͩͰ खܰʹো֐Λ࣮ݧͰ͖Δ apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata:

    name: reviews-route spec: …. fault: delay: percent: 10 fixedDelay: 5s …. fault: abort: percent: 10 httpStatus: 400 ࢦఆ͞Εׂͨ߹ͷϦΫΤετʹରͯ͠ Delay: ࢦఆ͞Ε͚ͨ࣌ؒͩ஗ΒͤΔ Abort: ֘౰ͷεςʔλείʔυΛฦ͢ Chaos http2Error grpcStatus΋࣮૷༧ఆ

  40. ղܾࡦ4 Circuit BrakerͰো֐Λ࠷খݶʹ཈͑Δ apiVersion: config.istio.io/v1alpha2 kind: RouteRule metadata: name: ratings-delay

    spec: … httpFault: delay: percent: 10 fixedDelay: 5s apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule … trafficPolicy: connectionPool: tcp: maxConnections: 100 http: http2MaxRequests: 1000 maxRequestPerConnection: 10 outlinerDetection: http: consecutiveErrors: 7 Interval: 5m baseEjectionTime: 10 ίʔυΛॻ͔ͣʹΤϥʔ͕ଓ͘ΞϓϦ έʔγϣϯ΁ͷϦΫΤετΛःஅ͢Δ Add x-envoy-overloaded Block Block Break

  41. ͓͞Β͍ 1 2 3 4 γεςϜͷશମ૾͕೺ѲͰ͖ͳ͍ ServiceMeshΛ੍ޚ͖͠Εͳ͍ 伴ͱূ໌ॻΛ؅ཧ͖͠Εͳ͍ ো֐࣌ʹԿ͕ى͜Δ͔Θ͔Βͳ͍ ՄࢹԽπʔϧͱ࿈ܞ

    & ࣗಈԽΛαϙʔτ ServiceMeshͷઃఆΛ෼཭͢Δ ηΩϡΞ௨৴ͷͨΊͷ伴Λ؅ཧ͖͠Εͳ͍ FIT & CircuitBrakerͰো֐ʹඋ͑Δ

  42. ଞʹ΋ ৭ʑͰ͖·͢! Policy Enforcement Role Base Access Control Rate Limit

    Control Ingress Traffic Control Egress Traffic Integrate Bare Metal Logging Request Timeout Deploy to Eureka ɹɹɹɹɹMesos, CF

  43. Istioʹೖ໳͢Δ

  44. ೖ໳νϟʔτ C B D Start ͜ͷϓϨθϯ Λฉ͍ͯ֓ཁ Λ೺Ѳͨ͠ Istio؀ڥΛ ηοτΞοϓ

    ͨ͠ ڭ͑ͯཉ͍͠ ͜ͷൃදͰ ؾʹͳΔ Topic͕͋Δ A YES YES YES Istio ॳ৺ऀͩ IstioΛ׬શʹ ཧղ͍ͯ͠Δ NO YES NO NO ৸ͯͨͱ͜Ζ͸ SpeakerDeckΛcheck! https://speakerdeck.com/ladicle YES E QuickStartΛࢀߟʹ IstioΛΠϯετʔϧ https://istio.io/docs/setup/ kubernetes/quick-start.html GKEͷQuick Start͕Φεεϝ ֘౰͢ΔTasksΛࢼ͢ https://istio.io/docs/tasks/ NO ໢ཏతͳGuidsͷ νϡʔτϦΞϧΛࢼ͢ https://istio.io/docs/guides/

  45. ࠔͬͨ࣌͸ʁ 1 2 3 4 ͓ࢼ͠தʹτϥϒͬͨ ࣭໰͕͋Δ 2Ͱ΋ղܾ͠ͳ͍࣭໰͕͋Δ τϥγϡʔΨΠυΛࢀর https://istio.io/help/troubleshooting.html

    όάΛݟ͚ͭͨ ॆ࣮ͷFAQΛࢀর https://istio.io/help/faq ҆ఆͷStack Overflow https://stackoverflow.com/questions/tagged/istio GitHubͷIssue΁ https://github.com/istio/issues/issues/

  46. WE ARE HIRING!

  47. THANK YOU For you time & we’ll see you soon

    @ladicle