Service Mesh and the future of networking

Transcript

1. Service Mesh …and the future of Networking #SCBCN19 - VII

   Edition

2. PLATINUM GOLD SILVER SUPPORTERS

3. Journey to the chaos

4. None
5. None
6. None
7. None

8. Micro-services

9. Failure happens

10. And shit hits the fan

11. Frameworks and tools to the rescue

12. Must-have primitives • Service discovery • Fault tolerance • Circuit

    breakers • Back-pressure • Tracing

13. Apps are still coupled to the network

14. Heterogeneous environments

15. Heterogeneous environments

16. Let’s get some perspective

17. Quite some time ago… We managed to let Server A

    send packets to Server B

18. And we made it in a reliable way

19. But we are dealing with the same kind of problems

    again…

20. But we are dealing with the same kind of problems

    again… at the application layer

21. Service Mesh

22. Main Features • Separate the network from the applications •

    Consistency across the fleet • Centralized control • Fast to change (apply config to affect change; not redeploy)

23. Platform abstractions • Networking • Observability • Security Focus on

    creating services and providing value

24. Data plane

25. Envoy Proxy • L7 proxy built for today’s SOA •

    Deployment agnostic, lightweight • L3/L4 filter’s at core, rich L7 filters • Built-In HTTP/2 support • Protocol extensibility (Mongo, Redis, MySQL, etc) • Programmability (xDS APIs) • Push based model

26. Control plane

27. Networking

28. Traffic management 80% 20% 50 req/sec

29. Observability

30. Telemetry reporting

31. Security

32. Policy enforcement (AuthZ)

33. The network is still not secure

34. Identity

35. SPIFFE • A naming scheme to encode workload identities •

    How to encode those names in a X.509 certificate (SVID) • How a peer (client or server) validates the X.509 certificate to authenticate the SPIFFE identity inside of it spiffe://trust-domain/path spiffe://k8s.example.com/ns/staging/sa/default

36. AuthN and encryption in transit mTLS

37. Identity is not only about mTLS • Finally break the

    L3/L4 dependency • L7 policies • Multi-cloud & cloud-agnostic applications

38. Let’s interconnect a hybrid environment

39. Secure connections with VPNs VPN

40. Expensive and hard to scale VPN

41. VPN Use the primitives the Mesh provides! mTLS

42. Unified identity domain authN/authZ

43. Recap

44. Traffic routing • Service discovery • Application level overlay network

    • L7 addressing • Canaries • Traffic shifting • Protocol transcoding

45. Traffic management • (Client-side) Load balancing • Failure detection •

    Circuit breakers • Retries • Deadlines • Rate limiting • Fault injection

46. Observability • Logs • Metrics • Distributed tracing • Consistency

    for monitoring tools

47. Security • Runtime policy enforcement • Trusted Identity • Transparent

    mTLS • Authentication and Authorization

48. Help build the future!

49. Let’s contribute! • https://github.com/envoyproxy/envoy • https://linkerd.io/community/ • https://istio.io/about/community/join/ • https://www.consul.io/community.html

    • https://spiffe.io/community/

50. Thanks!