Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Managing Kubernetes with Istio

Mofizur Rahman
September 22, 2020
Technology
0
48

Managing Kubernetes with Istio

Developers are moving away from large monolithic apps in favor of small, focused microservices that speed up implementation and improve resiliency. Microservices and containers changed application design and deployment patterns, but along with them brought challenges like service discovery, routing, failure handling, security and visibility to microservices.

“Service mesh” architecture was born to handle these features. Applications are getting decoupled internally as microservices, and the responsibility of maintaining coupling between these microservices is passed to the service mesh.Istio, a joint collaboration between IBM, Google and Lyft provides an easy way to create a service mesh that will manage many of these complex tasks automatically, without the need to modify the microservices themselves.

In this talk we will see how istio can be used to manage traffic, gather metrics and enforce policies in a demo application running microservices. We will learn why kubernetes need “service mesh” and how does Istio improve managing Kubernetes workload.

Mofizur Rahman

September 22, 2020
Tweet

More Decks by Mofizur Rahman

See All by Mofizur Rahman
Running Batch Workload on K8s at Scale
moficodes
0
48
Building A SMS Sender Microservice
moficodes
0
73
Kubernetes Security Jumpstart
moficodes
0
77
Managing Kubernetes with Istio
moficodes
0
37
KNative: Serverless computing on Kubernetes
moficodes
1
43
Kubernete Second Week
moficodes
0
38
Managing Kubernetes with Istio
moficodes
0
25
Manage Kuberentes Deployment with Istio
moficodes
0
40
The What, Why and How of Knative on Kubernetes
moficodes
0
44

Other Decks in Technology

See All in Technology
スタートアップの技術顧問を3年間続けて発生した事と気付き
biwakonbu
0
160
元インフラエンジニアに成る / Human Resources to Human Relations
bobtani
3
810
株式会社EventHub・エンジニア採用資料
eventhub
0
1.9k
Discord とビルダー&チャットボットの使い方 / How to use Discord and Builder & Chatbots
ks91
PRO
0
130
巨大なテーブルのテーブル定義を無停止で安全に誰でも変更できるようにする / Table-definitions-for-huge-tables-can-be-modified-by-anyone-safely-and-non-disruptively
freee
1
740
Databricks:『生成AI World Cup』のご案内
databricksjapan
2
150
Four keys改善の取り組み事例紹介
sansantech
PRO
3
230
社内勉強会運営のコツ
senoo
6
1.1k
Algyan イベント振り返り
linyixian
0
190
DevOpsDays History and my DevOps story
kawaguti
PRO
8
1.6k
The CloudCompare project by Dr. Daniel Girardeau-Montaut
kentaitakura
0
510
Vertex AI を中心に 生成AIのアップデートを共有します
kaz1437
0
140

Featured

See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
Agile that works and the tools we love
rasmusluckow
324
20k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
The Cult of Friendly URLs
andyhume
74
5.7k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k
Making the Leap to Tech Lead
cromwellryan
123
8.5k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
Code Review Best Practice
trishagee
54
15k
The Language of Interfaces
destraynor
151
23k
Learning to Love Humans: Emotional Interface Design
aarron
266
39k

Transcript

  1. Managing Kubernetes with Istio Managing Kubernetes with Istio

  2. @moficodes Level Set

  3. @moficodes Microservices

  4. @moficodes Containers

  5. @moficodes Container Orchestration

  6. @moficodes Kubernetes and Beyond

  7. @moficodes Agenda • Learn what service mesh is • Why

    does Kubernetes need a service mesh? • How does Istio help manage Kubernetes?

  8. Mofizur Rahman Developer Advocate, IBM Do Container Stuff, Collect Stickers,

    Write go code @moficodes

  9. @moficodes Kubernetes is Great

  10. @moficodes Kubernetes Features • Replicasets • Horizontal Auto Scaling •

    Health Check • Self Healing • Rolling Deployment • Rollback • Resource Quota • Service Discovery • Load Balancing • Networking • Cross Cloud • Secret Management • Batch Execution • Storage orchestration

  11. @moficodes So Why this Talk?

  12. @moficodes

  13. @moficodes User Application Database Monolith

  14. @moficodes Monolith (In Reality) User Application Database

  15. @moficodes Microservice User API Gateway Service Database Message Queue

  16. @moficodes Kubernetes is not Enough on its OWN

  17. @moficodes Cloud Native applications needs certain things

  18. @moficodes Traffic Management

  19. @moficodes Observability

  20. @moficodes Policy Enforcement

  21. @moficodes Security

  22. @moficodes What Do We Do • Ingress and Traffic Management

    • Tracing and Observability • Metrics and Analytics • Identity and Security

  23. @moficodes

  24. @moficodes That’s a lot of work

  25. @moficodes We have to “Manage” Kubernetes

  26. @moficodes Now also Manage 4+ 3rd party tool?

  27. @moficodes This Doesn’t Seem Right

  28. @moficodes What do we do?

  29. @moficodes Option 1: Give up!

  30. @moficodes

  31. @moficodes We are problem solvers

  32. @moficodes Option 2: Manage it all

  33. @moficodes Won’t be the first Time

  34. @moficodes We recreate wheels all the time

  35. @moficodes Remember this slide? • Replicasets • Horizontal Auto Scaling

    • Health Check • Self Healing • Rolling Deployment • Rollback • Resource Quota • Service Discovery • Load Balancing • Networking • Cross Cloud • Secret Management • Batch Execution • Storage orchestration

  36. @moficodes We had similar features being built at almost every

    org

  37. @moficodes Skill is not the issue, time is.

  38. @moficodes Option 3: Use a service mesh!

  39. @moficodes What is this service mesh thing you speak of!

  40. @moficodes Collection of best in class solutions

  41. @moficodes Control and monitor service-to-service traffic

  42. @moficodes Invisible to Dev teams

  43. @moficodes Let’s talk about Istio

  44. @moficodes Open source project

  45. @moficodes Lyft IBM Google

  46. @moficodes Istio Components Envoy Sidecar Proxy Mixer Enforce Access, Collect

    Metric Pilot Propagate rules to Sidecars Citadel Service to Service and end-user AuthN and AuthZ

  47. @moficodes Istio Features 47 Traffic Management Fine-grained control with rich

    routing rules, retries, failovers, and fault injection Observability Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress

  48. @moficodes Istio Features 48 Security Strong identity-based AuthN and AuthZ

    layer, secure by default for ingress, egress and service-to-service traffic Policy Enforcement Extensible policy engine supporting access controls, rate limits and quotas.

  49. @moficodes How does it work?

  50. @moficodes Sidecar Proxy

  51. @moficodes Sidecar Proxy

  52. @moficodes Istio Architecture

  53. @moficodes

  54. @moficodes Envoy High performance proxy which mediates inbound and outbound

    traffic. • Dynamic service discovery • Load balancing • TLS termination • HTTP/2 and gRPC proxies • Circuit breakers • Health checks • Split traffic • Fault injection • Rich metrics

  55. @moficodes Istio Architecture

  56. @moficodes

  57. @moficodes Istio Architecture Istiod

  58. @moficodes Istio Architecture Istiod

  59. @moficodes Traffic Management • Integrated Ingress and Egress • Error

    handling, retries, circuit breaking • Application knowledge can be leveraged for intelligent routing • Fault injection for end-to-end testing

  60. @moficodes VirtualService Defines the rules that control how requests for

    a service are routed within an Istio service mesh.

  61. @moficodes DestinationRule Configures the set of policies to be applied

    to a request after VirtualService routing has occurred.

  62. @moficodes ServiceEntry Is commonly used to enable requests to services

    outside of an Istio service mesh.

  63. @moficodes Gateway Configures a load balancer operating at the edge

    of the mesh for HTTP/TCP ingress traffic to a mesh application or egress traffic to external services.

  64. @moficodes Sidecar Configures one or more sidecar proxies attached to

    application workloads running inside the mesh.

  65. @moficodes Telemetry • Istio’s Mixer is stateless and does not

    manage any persistent storage of its own • Capable of accumulating a large amount of transient ephemeral state • Designed to be a highly reliable, goal is > 99.999% uptime for any individual instance • Many adapters available: Prometheus, Cloud providers, Datadog, Solarwinds…

  66. @moficodes Adapters Modular and extensible component to abstract the details

    of different policy and telemetry backend systems

  67. @moficodes Performance and Scalability • Code level micro-benchmarks • Synthetic

    end-to-end benchmarks across various scenarios • Realistic complex app end-to-end benchmarks across various settings • Automation to ensure performance doesn’t regress

  68. @moficodes Security • Traffic encryption to defend against the man-in-the-middle

    attacks • Mutual TLS and fine-grained access policies to provide flexible access control • Auditing tools to monitor all of it

  69. @moficodes Installing Istio

  70. @moficodes Manually istioctl Operator Managed

  71. @moficodes

  72. @moficodes Demo github.com/IBM/bee-travels-istio

  73. @moficodes

  74. @moficodes

  75. @moficodes

  76. @moficodes Final Thoughts There is no free lunch in this

    world. Istio gives you a lot of things built in but it uses some CPU and memory resources.

  77. @moficodes Takeaways • Servicemesh (Istio) extends kubernetes capabilities • It

    can make some very difficult k8s things easier

  78. @moficodes Thank You! I would love to hear your question,

    comments, stories. @moficodes