Slide 1

Slide 1 text

Jun Sakata Google Developers Expert, Cloud @sakajunquality Istio 1.5 Updates 2020.03.12 #GCPUG Istio 1.5 Day

Slide 2

Slide 2 text

Agenda Istio 1.5 Updates! - Istio Releases - Istio 1.5 Overview - Istio 1.5 Features - Demo? - Tips

Slide 3

Slide 3 text

Istio Releases Release Histories

Slide 4

Slide 4 text

Istio Releases Quarterly release since 1.1
- 1.0 - July 31, 2018 - Theme: Production Use
- 1.1 - March 19, 2019 - Theme: Enterprise Ready
- 1.2 - June 18, 2019 - Theme: Predictable Releases

Slide 5

Slide 5 text

Istio Releases Quarterly release since 1.1
- 1.3 - September 12, 2019 - Theme: User Experience
- 1.4 - November 14, 2019 - Theme: User Experience, Performance
- 1.5 New! - March 5, 2020 - Theme: istiod, WASM

Slide 6

Slide 6 text

1.5 https://istio.io/news/releases/1.5.x/announcing-1.5/

Slide 7

Slide 7 text

Istio 1.5 Overview What’s new in 1.5

Slide 8

Slide 8 text

“The Istio project is really heading in the right direction! Improved lifecycle management, better performance, and Wasm based extensibility in Envoy -- you'll be able to write extensions in not C++ On top of all that, a single binary control plane.” - Kelsey Hightower https://twitter.com/kelseyhightower/status/1235449975565254656

Slide 10

Slide 10 text

Istio Roadmap 2020 https://istio.io/blog/2020/tradewinds-2020/

Slide 11

Slide 11 text

Istio Roadmap 2020
- Performance
  - Mixer to proxy
- Extensibility
  - More capabilities in sidecar proxies
- Simplifying Control Plane
  - Components
- Lifecycle Management
  - Install / Upgrade
- User Experience
  - istioctl

Slide 12

Slide 12 text

istiod https://github.com/istio/community

Slide 13

Slide 13 text

istiod A single binary for control plane

Slide 14

Slide 14 text

How Istio works

Slide 15

Slide 15 text

How it worked prior to 1.5

Slide 16

Slide 16 text

How it works from 1.5

Slide 17

Slide 17 text

Istio Architecture

Slide 18

Slide 18 text

Resources in 1.4 (demo profile) kubectl -n istio-system get deploy,service

Slide 19

Slide 19 text

Resources in 1.5 (demo profile) kubectl -n istio-system get deploy,service

Slide 20

Slide 20 text

Components: ~1.4 -> 1.5 (istiod)
- Pilot -> istiod
- Sidecar injection -> istiod
- Galley
  - Configuration validation -> istiod
  - X features -> still remain in a separate istio-galley
- Citadel -> istiod
- Mixer -> Deprecated

Slide 21

Slide 21 text

e.g. Sidecar Injection In ~1.4 (the webhook is served by the istio-sidecar-injector Service)

$ k get MutatingWebhookConfiguration istio-sidecar-injector -o yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
name: istio-sidecar-injector
...
webhooks:
- admissionReviewVersions:
  ...
  service:
    name: istio-sidecar-injector
    namespace: istio-system
    path: /inject
    port: 443
...

Slide 22

Slide 22 text

e.g. Sidecar Injection In 1.5 (the same webhook now points at the istiod Service)

$ k get MutatingWebhookConfiguration istio-sidecar-injector -o yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
name: istio-sidecar-injector
...
webhooks:
- admissionReviewVersions:
  ...
  service:
    name: istiod
    namespace: istio-system
    path: /inject
    port: 443
...

Slide 23

Slide 23 text

Mixer 1.4

Slide 24

Slide 24 text

Mixer Deprecated in 1.5, supported until 1.7
- istio-policy
  - Policy enforcement
  - Disabled by default since Istio 1.3
- istio-telemetry
  - Telemetry report
  - Disabled by default since Istio 1.5

Slide 25

Slide 25 text

Telemetry V2 Telemetry through proxy, without Mixer
- Telemetry is exported directly by the proxy
- Currently compiled into istio-proxy
- To move onto the Wasm runtime

Slide 26

Slide 26 text

Telemetry V2 https://istio.io/docs/reference/config/telemetry/metrics/

Slide 27

Slide 27 text

Telemetry V2 Telemetry through proxy
- 1.3 - Experimental feature
  - HTTP telemetry (Alpha)
- 1.4 - Simpler installation
  - HTTP telemetry (Beta), TCP telemetry (Alpha)
- 1.5 - Installed by default

Slide 28

Slide 28 text

Feature Status Alpha -> Beta -> Stable https://istio.io/about/feature-stages/

Slide 29

Slide 29 text

WebAssembly https://istio.io/blog/2020/wasm-announce/

Slide 30

Slide 30 text

WebAssembly (WASM)
- Need for more extensibility
- Extensions without WASM
  - Envoy -> Filters written in C++
  - Istio -> Mixer
- WASM
  - Ecosystems
  - Memory-safe and sandboxed runtime

Slide 31

Slide 31 text

WebAssemblyHub https://www.solo.io/blog/an-extended-and-improved-webassembly-hub-to-helps-bring-the-power-of-webassembly-to-envoy-and-istio/

Slide 32

Slide 32 text

Istio 1.5 Features

Slide 33

Slide 33 text

Features
- Authentication Policy
- istioctl analyze
- Telemetry v2
- Operator Install
- Auto mTLS
- Kiali

Slide 34

Slide 34 text

Authentication Policy PeerAuthentication and RequestAuthentication
- Policy and MeshPolicy (authentication.istio.io/v1alpha1) are being replaced by PeerAuthentication and RequestAuthentication (security.istio.io/v1beta1)
- Docs
  - 1.5 https://istio.io/docs/tasks/security/authentication/authn-policy/
  - 1.4 https://archive.istio.io/v1.4/docs/tasks/security/authentication/authn-policy/

Slide 35

Slide 35 text

Authentication Policy e.g. global mTLS STRICT

# 1.4 (mtls: {} with no mode means STRICT)
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: "default"
spec:
  peers:
  - mtls: {}

# 1.5 (a PeerAuthentication with no selector in the root namespace, istio-system by default, is the mesh-wide policy)
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "istio-system"
spec:
  mtls:
    mode: STRICT
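The slide shows only the mesh-wide default. What follows is an added example (not from the slides or the Istio project) of the 1.5 resources that are usually combined with it: a workload-scoped PeerAuthentication that carves one plaintext port out of a STRICT workload, and a RequestAuthentication together with the AuthorizationPolicy that is needed to actually require a JWT. The namespace foo, the labels app=legacy and app=httpbin, the container port 9090 and the issuer / jwksUri values are assumed placeholders.

```yaml
# Mesh-wide default: a PeerAuthentication with no selector in the root
# namespace (istio-system by default) applies to every workload.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Workload-level exception (assumed workload app=legacy in namespace foo).
# The workload stays STRICT, but one port accepts plaintext so a client that
# is not in the mesh (e.g. an external scraper) can still reach it.
# portLevelMtls requires a selector, and its keys are the workload's
# container port, not the Service port.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: legacy-metrics-plaintext
  namespace: foo
spec:
  selector:
    matchLabels:
      app: legacy
  mtls:
    mode: STRICT
  portLevelMtls:
    9090:
      mode: DISABLE
---
# End-user (origin) authentication for app=httpbin: validate JWTs against the
# issuer's JWKS. Issuer and jwksUri are placeholders.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: httpbin-jwt
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "https://issuer.example.com"
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
---
# RequestAuthentication alone only rejects requests that carry an INVALID
# token; a request with no token at all is still let through. To require a
# token, add an AuthorizationPolicy that only allows requests that have an
# authenticated request principal (set by the rule above).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-require-jwt
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
```

The check a practitioner wants after applying these is the negative one: a request to app=httpbin with no Authorization header must be rejected (403) once the AuthorizationPolicy is in place, and a plaintext connection to any port of app=legacy other than 9090 must be refused by the sidecar.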

Slide 36

Slide 36 text

istioctl analyze More capabilities
- Introduced in 1.4
- Out of Experimental
- More analyzers
  - mutual TLS, JWT, ServiceAssociation, Secret, sidecar image, port name and deprecated policy
- -L lists the available analyzers
- -k (analyze the current cluster) is on by default
- -A|--all-namespaces flag
- Prints the namespace of each finding
- Input from stdin or from files / directories
  - istioctl analyze a.yaml b.yaml my-app-config/
  - xxx | istioctl analyze

Slide 37

Slide 37 text

istioctl analyze e.g. istioctl analyze -A

Slide 38

Slide 38 text

Telemetry v2 TCP Support
- HTTP support in 1.3
- TCP support in 1.5
- mTLS only: TCP metrics are reported only for mTLS connections, because the peer metadata exchange for TCP is carried over the mTLS connection, so plaintext TCP traffic has no source/destination workload metadata

Slide 39

Slide 39 text

Operator Install IstioControlPlane -> IstioOperator
- istioctl operator {init, remove}
- The CRD IstioControlPlane in 1.4 is renamed to IstioOperator in 1.5

Slide 40

Slide 40 text

Istio install: istioctl, Operator, Helm
- istioctl
  - istioctl manifest apply
- Standalone Operator
  - istioctl operator init
- Helm
  - Default before 1.3
  - Will be deprecated!

Slide 41

Slide 41 text

Istio install: istioctl, Operator
- istioctl
  - Human-triggered
- Standalone Operator
  - Machine-triggered
  - Reconcile loop driven by the IstioOperator CRD
  - Planned for canary rollout of the control plane
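Both install paths consume the same IstioOperator resource. As an added example (not from the slides or the Istio project), here is one for 1.5 that pins the demo profile but explicitly keeps both deprecated Mixer deployments off, relying on Telemetry v2 and auto mTLS instead. The resource name is hypothetical; the components and values keys are those of the 1.5 charts, so they should be checked against the installed version's profile before use.

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istio-1-5-demo        # hypothetical name
spec:
  profile: demo
  components:
    # Mixer is deprecated in 1.5: keep istio-policy and istio-telemetry off
    # so nothing in the mesh depends on them before they are removed in 1.7.
    policy:
      enabled: false
    telemetry:
      enabled: false
  values:
    telemetry:
      v1:
        enabled: false          # Mixer-based telemetry
      v2:
        enabled: true           # proxy-based telemetry (compiled into istio-proxy in 1.5)
    global:
      mtls:
        auto: true              # auto mTLS; already the 1.5 default, stated here explicitly
```

Apply it with `istioctl manifest apply -f istio-1-5-demo.yaml` for the human-triggered path, or with `kubectl apply -f istio-1-5-demo.yaml` after `istioctl operator init` to let the operator's reconcile loop own it. Before applying, render it with `istioctl manifest generate -f istio-1-5-demo.yaml` and confirm that no istio-policy or istio-telemetry Deployment appears in the output.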

Slide 42

Slide 42 text

Auto mTLS (mutual TLS) Alpha -> Beta
- Introduced in 1.4
- Enabled by default

Slide 43

Slide 43 text

Newer version of Kiali $ istioctl dashboard kiali

Slide 44

Slide 44 text

Tips

Slide 45

Slide 45 text

Install demo profile istioctl manifest apply --set profile=demo

Slide 46

Slide 46 text

Firewalls for Private Clusters

Slide 48

Slide 48 text

Try Again istioctl manifest apply --set profile=demo

Slide 49

Slide 49 text

Demo?

Slide 50

Slide 50 text

Thank You! Jun Sakata Google Developers Expert, Cloud @sakajunquality