Managing Kubernetes with Istio

Transcript

1. Managing Kubernetes with Istio Mofi Rahman

2. Mofizur Rahman Developer Advocate, IBM Do Container Stuff, Collect Stickers,

   Write go code @moficodes

3. @moficodes Level Set

4. @moficodes Microservices?

5. @moficodes Containers?

6. @moficodes Container Orchestration?

7. @moficodes Kubernetes?

8. @moficodes Kubernetes is Great

9. @moficodes Kubernetes Features • Replicasets • Horizontal Auto Scaling •

   Health Check • Self Healing • Rolling Deployment • Rollback • Resource Quota • Service Discovery • Load Balancing • Networking • Cross Cloud • Secret Management • Batch Execution • Storage orchestration

10. @moficodes So Why this Talk?

11. 11

12. @moficodes Kubernetes is not Enough on its OWN

13. @moficodes Cloud Native applications needs certain things

14. @moficodes Traffic Management

15. @moficodes Observability

16. @moficodes Policy Enforcement

17. @moficodes Security

18. What Do We Do • Ingress and Traffic Management •

    Tracing and Observability • Metrics and Analytics • Identity and Security 18

19. @moficodes That’s a lot of work

20. @moficodes We have to “Manage” Kubernetes

21. @moficodes Now also Manage 4+ 3rd party tool?

22. @moficodes This Doesn’t Seem Right

23. @moficodes What do we do?

24. @moficodes Option 1: Give up!

25. 25

26. @moficodes Option 2: Manage it all

27. @moficodes Won’t be the first Time

28. @moficodes We recreate wheels all the time

29. @moficodes Remember this slide? • Replicasets • Horizontal Auto Scaling

    • Health Check • Self Healing • Rolling Deployment • Rollback • Resource Quota • Service Discovery • Load Balancing • Networking • Cross Cloud • Secret Management • Batch Execution • Storage orchestration

30. @moficodes We had similar features being built at almost every

    org

31. @moficodes Option 3: Use a service mesh!

32. @moficodes What is this service mesh thing you speak of!

33. @moficodes Collection of best in class solutions

34. @moficodes Controlling and monitoring service-to-service traffic

35. @moficodes Invisible to Dev teams

36. @moficodes Lets talk about Istio

37. @moficodes Open source project

38. @moficodes Lyft IBM Google

39. Istio Components 39 Envoy Sidecar Proxy Mixer Enforce Access, Collect

    Metric Pilot Propagate rules to Sidecars Citadel Service to Service and end-user AuthN and AuthZ

40. Istio Features • Traffic Management Fine-grained control with rich routing

    rules, retries, failovers, and fault injection • Observability Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress 40

41. Istio Features • Security Strong identity-based AuthN and AuthZ layer,

    secure by default for ingress, egress and service-to-service traffic • Policy Extensible policy engine supporting access controls, rate limits and quotas 41

42. @moficodes How does it work?

43. Sidecar Proxy 43

44. Sidecar Proxy 44

45. Istio Architecture 45

46. Istio Architecture 46

47. None

48. Envoy High performance proxy which mediates inbound and outbound traffic.

    48 • Dynamic service discovery • Load balancing • TLS termination • HTTP/2 and gRPC proxies • Circuit breakers • Health checks • Split traffic • Fault injection • Rich metrics

49. Istio Architecture 49

50. @moficodes

51. Istio Architecture 51

52. Istio Architecture 52

53. @moficodes Demo

54. Architecture 54

55. Traffic Management • Integrated Ingress and Egress • Error handling,

    retries, circuit breaking • Application knowledge can be leveraged for intelligent routing • Fault injection for end-to-end testing 55

56. Telemetry • Istio’s Mixer is stateless and does not manage

    any persistent storage of its own • Capable of accumulating a large amount of transient ephemeral state • Designed to be a highly reliable, goal is > 99.999% uptime for any individual instance • Many adapters available: Prometheus, Cloud providers, Datadog, Solarwinds… 56

57. Performance and Scalability • Code level micro-benchmarks • Synthetic end-to-end

    benchmarks across various scenarios • Realistic complex app end-to-end benchmarks across various settings • Automation to ensure performance doesn’t regress 57

58. Security • Traffic encryption to defend against the man-in-the-middle attacks

    • Mutual TLS and fine-grained access policies to provide flexible access control • Auditing tools to monitor all of it 58

59. Final Thoughts There is no free lunch in this world.

    Istio gives you a lot of things built in but it uses some CPU resources. Two articles that cover this. • Ivan Sim — Linkerd 2.0 and Istio Performance Benchmark • Michael Kipper — Benchmarking Istio & Linkerd CPU 

60. Takeways • Servicemesh (Istio) extends kubernetes capabilities • It can

    make some very difficult k8s things easier

61. Thank You! I would love to hear your question, comments,

    stories. @moficodes