Conduit: Open source, Ultralight Service Mesh for Kubernetes

Introducing the Conduit service mesh to the Silicon Valley Kubernetes meetup

Oliver Gould

March 15, 2018
Transcript

  1. conduit.io Today’s talk ‣ Who am I? ‣ What is Conduit? ‣ What is a service mesh? ‣ How did we get here? ‣ How can I do cool things with Conduit? ‣ Demo time
  2. conduit.io Who am I? ‣ Twitter engineer 2010–2015 ‣ Creator of Linkerd ‣ CTO @ Buoyant ‣ Occasional tweeter: @olix0r ‣ Dog enthusiast
  4. conduit.io ‣ Ultralight, ultra fast service mesh for Kubernetes ‣ Purpose-built for security & performance: ‣ Data plane proxy in Rust ‣ Control plane services in Go ‣ Open Source: Apache v2; developed in the open
  5. conduit.io The service mesh: “Mesh” of user space network proxies, deployed alongside application code. • Lightweight, horizontally scalable • Low operational impact • Centralized control & visibility [Diagram: Nodes 1, 2 and 3, each running Services A, B and C alongside a linkerd proxy; legend: application HTTP, proxied HTTP, monitoring & control]
  6. conduit.io Why? ‣ Add reliability, security, visibility to cloud native apps, without changing code. ‣ Move operational ownership from service owner to platform operator. ‣ Make runtime operations as easy as Kubernetes has made deploy-time ops. ‣ Features: request routing, retries, timeouts, circuit breaking, deadlines, distributed tracing, instrumentation, service discovery, TLS, service auth, …
  7. conduit.io Uniform reliability ‣ Load balance over requests, not connections ‣ LB algorithms have an enormous impact on your oncall!
  8. conduit.io How did we get here? Sys Admin: Processes; Guy with the spreadsheet of machines; Hardware redundancy; Servers; IP addresses and DNS; Server monitoring; Big monolithic application; TCP/IP connections. Cloud Native: “Containers”; Orchestrated environment; Design for failure; Services; Service discovery; Service monitoring; Microservices; RPC calls.
  9. conduit.io Evolution of the service mesh • Twitter: Finagle; Google: Stubby; Netflix: Hystrix • Buoyant: the Service Mesh, language- and deployment-agnostic. Goal is the same: Solve operational challenges that are fundamental to cloud native architectures.
  10. conduit.io ‣ ~2 years old ‣ 1400+ Slack channel members ‣ 3500+ GitHub stars ‣ 1.5m+ Docker Hub pulls ‣ 60+ contributors
  11. conduit.io JVM pros and cons. Linkerd is on the JVM. There are some great things about the JVM: ‣ Secure memory model ‣ Plugin architecture ‣ Performance at scale ‣ Rich ecosystem! (Finagle + Scala + Netty) But… The JVM takes a ton of resources! This can be tough for microservices.
  12. conduit.io Getting off the JVM. Motivation for Conduit: service mesh but without the resource cost. ‣ Minimize resource requirements, maximize performance. (=> Native code) ‣ Provide security and reliability by default. (=> Zero config) ‣ Provide a clear centralized API. (=> Decoupled control plane) ‣ Fits into existing cloud native ecosystem. (=> Kubernetes)
  13. conduit.io Conduit’s architecture [Diagram: control plane in {namespace: “conduit”} containing Conduit API, Prometheus, …; data plane of Pods 1, 2, 3, …, each running an app (app: birds, app: rabbits, app: dogs) alongside a proxy, captioned “Your app, plus Conduit data plane”]
  14. conduit.io Conduit control plane. Control plane is written in Go. ‣ Kinda fast! Well, fast enough for control plane purposes. ‣ Kinda lightweight! Well, compared to the JVM. ‣ No modern features! Oh well. But it’s the lingua franca of Kubernetes, and most importantly: Go is easy to learn and Go projects are easy to get involved in!
  15. conduit.io Conduit data plane. Data plane is a proxy written in Rust. ‣ Fast: Native performance. ‣ Type- & Memory-safe: Doesn’t link against C libraries like OpenSSL. ‣ No GC! Very important for proxies where tail latencies are critical to performance. Result: <2mb RSS, <1ms p99, designed for HTTP/2
  16. conduit.io Data plane Rust stack ‣ mio: cross-platform API for epoll. Foundation for non-blocking sockets. ‣ futures: Promises/Futures implementation. Zero-cost abstractions on async code. ‣ tokio: async I/O ‣ hyper, h2: HTTP libraries ‣ tower: Finagle-esque remote call framework ‣ tower-grpc: gRPC framework. All open source libraries available on GitHub.
  17. conduit.io Get involved ‣ Conduit 0.3.1 released today! ‣ Current status: alpha, but rapidly approaching beta ‣ Works with most applications on Kubernetes 1.8+ ‣ github.com/runconduit ‣ [email protected][email protected][email protected] ‣ slack.linkerd.io #conduit channel