Slide 1

Slide 1 text

Open source, ultralight service mesh for Kubernetes
Oliver Gould, @olix0r
CTO, Buoyant

Slide 2

Slide 2 text

conduit.io
Today’s talk
‣ Who am I?
‣ What is Conduit?
‣ What is a service mesh?
‣ How did we get here?
‣ How can I do cool things with Conduit?
‣ Demo time

Slide 3

Slide 3 text

Who am I?
‣ Twitter engineer 2010–2015
‣ Creator of Linkerd
‣ CTO @ Buoyant
‣ Occasional tweeter: @olix0r
‣ Dog enthusiast

Slide 5

Slide 5 text

What is Conduit?

Slide 6

Slide 6 text

‣ Ultralight, ultra fast service mesh for Kubernetes
‣ Purpose-built for security & performance:
  ‣ Data plane proxy in Rust
  ‣ Control plane services in Go
‣ Open Source: Apache v2; developed in the open

Slide 7

Slide 7 text

Goal: Improve visibility, reliability, and security for any application in Kubernetes without config or code

Slide 8

Slide 8 text

What is a service mesh?

Slide 9

Slide 9 text

The service mesh
[Diagram: Node 1, Node 2 and Node 3, each running Service A, Service B and Service C alongside a linkerd proxy; legend: application HTTP, proxied HTTP, monitoring & control]
“Mesh” of user space network proxies, deployed alongside application code.
• Lightweight, horizontally scalable
• Low operational impact
• Centralized control & visibility

Slide 10

Slide 10 text

Why?
‣ Add reliability, security, visibility to cloud native apps, without changing code.
‣ Move operational ownership from service owner to platform operator.
‣ Make runtime operations as easy as Kubernetes has made deploy-time ops
‣ Features: request routing, retries, timeouts, circuit breaking, deadlines, distributed tracing, instrumentation, service discovery, TLS, service auth, …

Slide 11

Slide 11 text

Uniform visibility

Slide 12

Slide 12 text

Uniform reliability
‣ Load balance over requests, not connections
‣ LB algorithms have an enormous impact on your oncall!
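
Added example (not from the talk, and not Conduit's balancer code): a small Rust simulation of the requests-versus-connections point above. The workload, the function names and the least-loaded pick are assumptions made for illustration.

```rust
// Added illustration; constructed workload, hypothetical function names.

/// Connection-level (L4) balancing: each client connection is pinned to one
/// backend when it is opened, and every request on it follows.
fn balance_connections(requests_per_conn: &[u32], backends: usize) -> Vec<u32> {
    let mut load = vec![0u32; backends];
    for (conn, &reqs) in requests_per_conn.iter().enumerate() {
        load[conn % backends] += reqs; // round-robin over connections
    }
    load
}

/// Request-level (L7) balancing: the proxy picks a backend per request,
/// here the one with the fewest requests assigned so far (assumed policy).
fn balance_requests(requests_per_conn: &[u32], backends: usize) -> Vec<u32> {
    let mut load = vec![0u32; backends];
    for &reqs in requests_per_conn {
        for _ in 0..reqs {
            // min_by_key returns the first minimum, so ties go to the lowest index.
            let target = (0..backends).min_by_key(|&b| load[b]).unwrap();
            load[target] += 1;
        }
    }
    load
}

/// Hottest backend's share of all requests, as a whole percentage.
fn hottest_share(load: &[u32]) -> u32 {
    let total: u32 = load.iter().sum();
    load.iter().max().map_or(0, |m| m * 100 / total.max(1))
}

fn main() {
    // Constructed: three long-lived HTTP/2 connections, one of them very chatty.
    let conns: [u32; 3] = [900, 50, 50];
    let l4 = balance_connections(&conns, 3);
    let l7 = balance_requests(&conns, 3);
    println!("per-connection: {:?} hottest {}%", l4, hottest_share(&l4));
    println!("per-request:    {:?} hottest {}%", l7, hottest_share(&l7));
}
```

With one chatty long-lived connection, per-connection balancing leaves a single backend with 90% of the traffic, while per-request balancing spreads the same traffic evenly.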

Slide 13

Slide 13 text

Uniform, dynamic policy
[Diagram: services timelines, users, web and db; per-call policy labels timeout=400ms retries=3, timeout=400ms retries=2, timeout=200ms retries=3; durations 800ms and 600ms]

Slide 14

Slide 14 text

How did we get here?
Sys Admin | Cloud Native
Processes | “Containers”
Guy with the spreadsheet of machines | Orchestrated environment
Hardware redundancy | Design for failure
Servers | Services
IP addresses and DNS | Service discovery
Server monitoring | Service monitoring
Big monolithic application | Microservices
TCP/IP connections | RPC calls

Slide 15

Slide 15 text

This brought a whole new set of problems

Slide 16

Slide 16 text

Evolution of the service mesh
• Twitter: Finagle
  Google: Stubby
  Netflix: Hystrix
• Buoyant: the Service Mesh
  Language- and deployment-agnostic
Goal is the same: Solve operational challenges that are fundamental to cloud native architectures.

Slide 17

Slide 17 text

‣ ~2 years old
‣ 1400+ Slack channel members
‣ 3500+ GitHub stars
‣ 1.5m+ Docker Hub pulls
‣ 60+ contributors

Slide 18

Slide 18 text

Why Conduit?

Slide 19

Slide 19 text

JVM pros and cons
Linkerd is on the JVM. There are some great things about the JVM:
‣ Secure memory model
‣ Plugin architecture
‣ Performance at scale
‣ Rich ecosystem! (Finagle + Scala + Netty)
But… The JVM takes a ton of resources! This can be tough for microservices.

Slide 20

Slide 20 text

Getting off the JVM
Motivation for Conduit: service mesh but without the resource cost.
‣ Minimize resource requirements, maximize performance. (=> Native code)
‣ Provide security and reliability by default. (=> Zero config)
‣ Provide a clear centralized API. (=> Decoupled control plane)
‣ Fits into existing cloud native ecosystem (=> Kubernetes)

Slide 21

Slide 21 text

Conduit’s architecture
[Diagram: control plane ({namespace: “conduit”}) containing Conduit API, Prometheus, …; below it, your app plus the Conduit data plane: Pod 1 (app: birds + proxy), Pod 2 (app: rabbits + proxy), Pod 3 (app: dogs + proxy), …]

Slide 22

Slide 22 text

Conduit control plane
Control plane is written in Go.
‣ Kinda fast! Well, fast enough for control plane purposes.
‣ Kinda lightweight! Well, compared to the JVM.
‣ No modern features! Oh well.
But it’s the lingua franca of Kubernetes, and most importantly: Go is easy to learn and Go projects are easy to get involved in!

Slide 23

Slide 23 text

Conduit data plane
Data plane is a proxy written in Rust.
‣ Fast: Native performance
‣ Type- & Memory-safe: Doesn’t link against C libraries like OpenSSL.
‣ No GC! Very important for proxies where tail latencies are critical to performance.
Result: <2mb RSS, <1ms p99, designed for HTTP/2

Slide 24

Slide 24 text

Data plane Rust stack
‣ mio: cross-platform API for epoll. Foundation for non-blocking sockets.
‣ futures: Promises/Futures implementation. Zero-cost abstractions on async code
‣ tokio: async I/O
‣ hyper, h2: HTTP libraries
‣ tower: Finagle-esque remote call framework
‣ tower-grpc: gRPC framework
All open source libraries available on GitHub.

Slide 25

Slide 25 text

Demo time!

Slide 26

Slide 26 text

Get involved
‣ Conduit 0.3.1 released today!
‣ Current status: alpha, but rapidly approaching beta
‣ Works with most applications on Kubernetes 1.8+
‣ github.com/runconduit
‣ [email protected][email protected][email protected]
‣ slack.linkerd.io #conduit channel

Slide 27

Slide 27 text

Thank you! Oliver Gould | CTO | @olix0r conduit.io