Manage Kuberentes Deployment with Istio

Transcript

1. Managing Kubernetes Deployment with Istio Mofizur Rahman Developer Advocate, IBM

2. Level Set • Microservices • Containers in Production • Kubernetes

   2

3. Agenda • Learn what Istio is • Understanding app deployment

   in the kubernetes world. • See why we need Istio.

4. Mofizur Rahman (Mofi) Developer Advocate @IBM Works On Container And

   Cloud Native Technologies Favorite Programming Language Is Golang. Collect Stickers @moficodes

5. Monolithic Applications 5 Users Application Database

6. Monolithic Applications 6 Users Application Database

7. Microservices • Microservices are the de facto standard for cloud

   native software • Microservices allow development teams to deploy portable and scalable applications 7

8. Microservices 8 Users Cart Orders Database Cluster Reports

9. Microservices • Microservices can put a significant burden on Ops

   and DevOps teams 9
10. None

11. Docker • Docker changed the way we build and ship

    software • Application and host are decoupled, making application services portable • Containers are an implementation detail, but a critical one 11

12. Containerizing an APP 12

13. Dockerfile 13 FROM ruby:2.3-slim COPY details.rb /opt/microservices/ ARG service_version ENV

    SERVICE_VERSION ${service_version:-v1} ARG enable_external_book_service ENV ENABLE_EXTERNAL_BOOK_SERVICE ${enable_external_book_service:-false} EXPOSE 9080 WORKDIR /opt/microservices CMD ruby details.rb 9080

14. Docker Is a Start But, once we abstract the host

    away by using containers, we no longer have our hands on an organized platform. 14

15. Who you Gonna call? 15

16. 16

17. Kubernetes Kubernetes provides abstractions for deploying software in containers at

    scale 17

18. Kubernetes as a Platform • Infrastructure resource abstraction • Cluster

    architecture where one or more masters control worker nodes • Scheduler deploys work to the nodes • Work is deployed in groups of containers 18

19. Kubernetize our App 19 apiVersion: v1 kind: Service metadata: name:

    details labels: app: details service: details spec: ports: - port: 9080 name: http selector: app: details apiVersion: extensions/v1beta1 kind: Deployment metadata: name: details-v1 labels: app: details version: v1 spec: replicas: 1 template: metadata: labels: app: details version: v1 spec: containers: - name: details image: istio/examples-bookinfo-details-v1:1.10.1 imagePullPolicy: IfNotPresent ports: - containerPort: 9080

20. Migration from the Old World… 20 Users Application Database

21. …to Cloud Native Kubernetes Hotness • Microservices running in orchestrated

    containers • Everybody's happy • What happens now? 21 Load balancer Service Service Database Service Queue

22. …to Cloud Native Kubernetes Hotness • Microservices running in orchestrated

    containers • Everybody's happy • What happens now? 22 Load balancer Service Service Service Service Service Database Service Queue

23. Day Two 23

24. 24

25. 25

26. Kubernetes Deployment Built in deployment primitive Rolling deployment Multiple deployment

    being targeted from single service

27. Advanced Deployment Blue/Green Deployment Canary Deployment A/B testing

28. In Kubernetes • Load balance all pods under service Traffic

    Routing is Round-Robin • 3 V1 pod and 1 V2 pod means 75% - 25% split Controlled by Pod Numbers

29. Multiversioned Services •Features, compatibility, regional Might want a Service with

    Few Versions •Experimental Features, Browser etc Choose Route Based on App Requirements

30. Wishlist We want fine grain control Rollback on demand

31. Table Stakes for Services at Cloud Scale 31 We require

    a method to simply and repeatably deploy software, and simply and recoverably modify deployments We require telemetry, observability, and diagnosability for our software if we hope to run at cloud scale

32. Abstract Requirements Traffic Management 32 Policy Security Observability

33. Hard Things are Hard 33

34. These are Hard Problems™, and some software may address one

    of them well. 34

35. What Do We Do Ingress and Traffic Management 35 Metrics

    and Analytics Tracing and Observability Identity and Security

36. Service Mesh • This is not a new solution which

    solves all the world’s problems, but a different way to apply existing solutions • Enables integration of existing (as well as future) best-in-class solutions for All The Things 36

37. What Is a Service Mesh? • Infrastructure layer for controlling

    and monitoring service-to-service traffic • A data plane deployed alongside application services, and a control plane used to manage the mesh 37

38. Service Mesh • Provides DevOps teams a stable and extensible

    platform to monitor and maintain deployed services • For the most part, invisible to development teams 38

39. Let’s Talk About Istio Istio is a service mesh that

    allows us to connect, secure, control and observe services at scale, often requiring no service code modification 39

40. Istio Components • Envoy • Sidecar proxy • Pilot •

    Propagates rules to sidecars 40 • Mixer – Enforces access control, collects telemetry data • Citadel – Service-to-service and end-user AuthN and AuthZ

41. Istio Features • Traffic Management • Fine-grained control with rich

    routing rules, retries, failovers, and fault injection • Observability • Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress 41

42. Istio Features • Security • Strong identity-based AuthN and AuthZ

    layer, secure by default for ingress, egress and service-to-service traffic • Policy • Extensible policy engine supporting access controls, rate limits and quotas 42

43. Sidecar Proxy 43

44. Sidecar Proxy 44

45. Istio Architecture 45

46. Istio Architecture 46

47. None

48. Envoy High performance proxy which mediates inbound and outbound traffic.

    48 • Dynamic service discovery • Load balancing • TLS termination • HTTP/2 and gRPC proxies • Circuit breakers • Health checks • Split traffic • Fault injection • Rich metrics

49. Istio Architecture 49

50. Istio Architecture 50

51. Architecture 51

52. DEMO

53. Goal Shift Traffic from V1 of review to V3 of

    review (Blue/Green) Do traffic routing based on specific user

54. Traffic Management • Integrated Ingress and Egress • Error handling,

    retries, circuit breaking • Application knowledge can be leveraged for intelligent routing • Fault injection for end-to-end testing 54

55. Telemetry • Istio’s Mixer is stateless and does not manage

    any persistent storage of its own • Capable of accumulating a large amount of transient ephemeral state • Designed to be a highly reliable, goal is > 99.999% uptime for any individual instance • Many adapters available: Prometheus, Cloud providers, Datadog, Solarwinds… 55

56. Performance and Scalability • Code level micro-benchmarks • Synthetic end-to-end

    benchmarks across various scenarios • Realistic complex app end-to-end benchmarks across various settings • Automation to ensure performance doesn’t regress 56

57. Security • Traffic encryption to defend against the man- in-the-middle

    attacks • Mutual TLS and fine-grained access policies to provide flexible access control • Auditing tools to monitor all of it 57

58. Final Thoughts There is no free lunch in this world.

    Istio gives you a lot of things built in but it uses some CPU resources. Two articles that cover this. • Ivan Sim —Linkerd 2.0 and Istio Performance Benchmark • Michael Kipper— Benchmarking Istio & Linkerd CPU

59. Takeways • Servicemesh (Istio) extends kubernetes capabilities • It can

    make some very difficult k8s things easier

60. Thank You! I would love to hear your question, comments,

    stories. @moficodes