Istio в разрезе: что умеет и не умеет самый популярный Service Mesh

Slide 1

Slide 1 text

No content

Slide 2

Slide 2 text

Istio в разрезе: что умеет и не умеет самый популярный Service Mesh

Slide 3

Slide 3 text

Istio в разрезе: что умеет и не умеет самый популярный Service Mesh

Slide 4

Slide 4 text

Istio в разрезе: что умеет и не умеет самый популярный Service Mesh

Slide 5

Slide 5 text

Istio в разрезе : что умеет и не умеет самый популярный Service Mesh

Slide 6

Slide 6 text

Intro Service Mesh

Slide 7

Slide 7 text

Intro Service Mesh Mutual TLS

Slide 8

Slide 8 text

Intro Service Mesh Mutual TLS Authorization End-user Authentication

Slide 9

Slide 9 text

Intro Service Mesh gRPC Load Balancing Mutual TLS Authorization Locality Load Balancing Weighted Load Balancer End-user Authentication

Slide 10

Slide 10 text

Intro Service Mesh Trafﬁc Shifting gRPC Load Balancing Mutual TLS A/B Tests Authorization Locality Load Balancing Weighted Load Balancer Canary Deployment End-user Authentication Fault Injection

Slide 11

Slide 11 text

Intro Service Mesh Trafﬁc Shifting End-user Authentication gRPC Load Balancing Mutual TLS A/B Tests Authorization Request Timeout Circuit Breaker Locality Load Balancing Canary Deployment Weighted Load Balancer Fault Injection

Slide 12

Slide 12 text

Slide 13

Slide 13 text

Intro Service Mesh Zone-aware Routing Trafﬁc Shifting Metric Exporting & Tracing End-user Authentication Weighted Load Balancer gRPC Load Balancing Mutual TLS A/B Tests Fault Injection Authorization Egress Gateway Request Timeout Circuit Breaker Locality Load Balancing Canary Deployment Multicluster Federation

Slide 14

Slide 14 text

Slide 15

Slide 15 text

Slide 16

Slide 16 text

Slide 17

Slide 17 text

Intro

Slide 18

Slide 18 text

Intro

Slide 19

Slide 19 text

Intro

Slide 20

Slide 20 text

Intro

Slide 21

Slide 21 text

Intro

Slide 22

Slide 22 text

Intro

Slide 23

Slide 23 text

Intro

Slide 24

Slide 24 text

Intro PeerAuthentication AuthorizationPolicy VirtualService DestinationRule Sidecar ServiceEntry EnvoyFilter

Slide 25

Slide 25 text

Intro

Slide 26

Slide 26 text

Intro

Slide 27

Slide 27 text

Intro Observability

Slide 28

Slide 28 text

Intro Observability

Slide 29

Slide 29 text

Intro Observability

Slide 30

Slide 30 text

Intro Observability

Slide 31

Slide 31 text

No content

Slide 32

Slide 32 text

front back db

Slide 33

Slide 33 text

front back db

Slide 34

Slide 34 text

front back db

Slide 35

Slide 35 text

istiod front back db

Slide 36

Slide 36 text

front back db Control Plane istiod

Slide 37

Slide 37 text

istiod front back db

Slide 38

Slide 38 text

istio-proxy istiod front back db istio-proxy istio-proxy

Slide 39

Slide 39 text

istiod front back db Data Plane istio-proxy istio-proxy istio-proxy

Slide 40

Slide 40 text

istio-proxy istiod front back db istio-proxy istio-proxy

Slide 41

Slide 41 text

istio-proxy istiod front back db istio-proxy istio-proxy

Slide 42

Slide 42 text

istio-proxy istiod front back db istio-proxy istio-proxy

Slide 43

Slide 43 text

istio-proxy istiod front back db istio-proxy istio-proxy

Slide 44

Slide 44 text

istio-proxy istiod front back db istio-proxy istio-proxy Weighted Load Balancer gRPC Load Balancing Mutual TLS Authorization Circuit Breaker Locality Load Balancing

Slide 45

Slide 45 text

istio-proxy istiod front back db istio-proxy istio-proxy Weighted Load Balancer gRPC Load Balancing Mutual TLS Authorization Circuit Breaker Locality Load Balancing

Slide 46

Slide 46 text

istio-proxy istiod front back db istio-proxy istio-proxy Weighted Load Balancer gRPC Load Balancing Mutual TLS Authorization Circuit Breaker Locality Load Balancing

Slide 47

Slide 47 text

istio-proxy istiod front back db istio-proxy istio-proxy Weighted Load Balancer gRPC Load Balancing Mutual TLS Authorization Circuit Breaker Locality Load Balancing

Slide 48

Slide 48 text

istiod back db istio-proxy istio-proxy Weighted Load Balancer gRPC Load Balancing Mutual TLS Authorization Circuit Breaker Locality Load Balancing istio-proxy front

Slide 49

Slide 49 text

front > Pod

Slide 50

Slide 50 text

istio-proxy front > Pod

Slide 51

Slide 51 text

istio-proxy front > Pod > istio-proxy

Slide 52

Slide 52 text

istio-proxy front > Pod > istio-proxy

Slide 53

Slide 53 text

istio-proxy front > Pod > istio-proxy > envoy

Slide 54

Slide 54 text

> Pod > istio-proxy > envoy

Slide 55

Slide 55 text

> Pod > istio-proxy > envoy

Slide 56

Slide 56 text

> Pod > istio-proxy > envoy downstream HTTP TCP

Slide 57

Slide 57 text

> Pod > istio-proxy > envoy downstream HTTP TCP

Slide 58

Slide 58 text

> Pod > istio-proxy > envoy downstream HTTP TCP upstream

Slide 59

Slide 59 text

> Pod > istio-proxy > envoy downstream HTTP TCP upstream

Slide 60

Slide 60 text

> Pod > istio-proxy > envoy downstream HTTP TCP envoy API upstream

Slide 61

Slide 61 text

downstream upstream > Pod > istio-proxy > envoy

Slide 62

Slide 62 text

downstream upstream handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route listener 10.24.0.8:443 > Pod > istio-proxy > envoy

Slide 63

Slide 63 text

Slide 64

Slide 64 text

Slide 65

Slide 65 text

downstream upstream handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls listener 10.24.0.8:443 > Pod > istio-proxy > envoy

Slide 66

Slide 66 text

Slide 67

Slide 67 text

Slide 68

Slide 68 text

Slide 69

Slide 69 text

downstream upstream handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance handle tls listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster foo.example.com > Pod > istio-proxy > envoy

Slide 70

Slide 70 text

Slide 71

Slide 71 text

Slide 72

Slide 72 text

Slide 73

Slide 73 text

Slide 74

Slide 74 text

Slide 75

Slide 75 text

Slide 76

Slide 76 text

istio-proxy > Pod > istio-proxy > envoy front

Slide 77

Slide 77 text

istio-proxy > Pod > istio-proxy front

Slide 78

Slide 78 text

> Pod > istio-proxy istio-proxy front

Slide 79

Slide 79 text

> Pod > istio-proxy istio-proxy front

Slide 80

Slide 80 text

> Pod > istio-proxy front istio-proxy

Slide 81

Slide 81 text

> Pod > istio-proxy istio-proxy front

Slide 82

Slide 82 text

> Pod > istio-proxy istio-proxy front

Slide 83

Slide 83 text

> Pod > istio-proxy istio-proxy front ?

Slide 84

Slide 84 text

> Pod > istio-proxy front istio-proxy ? ?

Slide 85

Slide 85 text

> Pod > istio-proxy front istio-proxy

Slide 86

Slide 86 text

> Pod > istio-proxy front istio-proxy DNAT

Slide 87

Slide 87 text

> Pod > istio-proxy istio-proxy front DNAT --to-destination ???

Slide 88

Slide 88 text

> Pod > istio-proxy front istio-proxy DNAT --to-destination 0.0.0.0:15001 ???

Slide 89

Slide 89 text

> Pod > istio-proxy istio-proxy front DNAT --to-destination 127.0.0.1:15001 0.0.0.0:15001

Slide 90

Slide 90 text

> Pod > istio-proxy front istio-proxy 0.0.0.0:15001 DNAT --to-destination 127.0.0.1:15001 0.0.0.0:15006 DNAT --to-destination 127.0.0.1:15006

Slide 91

Slide 91 text

> Pod > istio-proxy front istio-proxy 0.0.0.0:15001 DNAT --to-destination 127.0.0.1:15001

Slide 92

Slide 92 text

> Pod > istio-proxy istio-proxy 0.0.0.0:15001 front DNAT --to-destination 127.0.0.1:15001 ?

Slide 93

Slide 93 text

> Pod > istio-proxy istio-proxy 0.0.0.0:15001 front DNAT --to-destination 127.0.0.1:15001

Slide 94

Slide 94 text

> Pod > istio-proxy istio-proxy 0.0.0.0:15001 front DNAT --to-destination 127.0.0.1:15001 istio-agent

Slide 95

Slide 95 text

> Pod > istio-proxy istio-proxy 0.0.0.0:15001 front DNAT --to-destination 127.0.0.1:15001 istiod istio-agent XDS

Slide 96

Slide 96 text

> Pod > istio-proxy istio-proxy 0.0.0.0:15001 front DNAT --to-destination 127.0.0.1:15001 istiod istio-agent XDS envoy API

Slide 97

Slide 97 text

> Pod > istio-proxy istio-proxy 0.0.0.0:15001 front DNAT --to-destination 127.0.0.1:15001 istiod istio-agent XDS envoy API

Slide 98

Slide 98 text

istio-proxy istio-proxy front back db istio-proxy

Slide 99

Slide 99 text

istio-proxy istio-proxy front back db istio-proxy

Slide 100

Slide 100 text

istio-proxy istio-proxy front back db istio-proxy clusterIP: 10.222.0.78 ports: - name: http port: 8080 Service front

Slide 101

Slide 101 text

istio-proxy istio-proxy front back db istio-proxy Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service front

Slide 102

Slide 102 text

istio-proxy istio-proxy front back db istio-proxy Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 Service front

Slide 103

Slide 103 text

Slide 104

Slide 104 text

Slide 105

Slide 105 text

Slide 106

Slide 106 text

Slide 107

Slide 107 text

Slide 108

Slide 108 text

istio-proxy istio-proxy istiod front back db istio-proxy Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 Service front 10.111.4.3 10.111.2.5 10.111.2.4 10.111.2.3 10.111.2.5 10.111.2.4 10.111.3.3

Slide 109

Slide 109 text

Slide 110

Slide 110 text

> From kubernetes to envoy handle tls listener 10.24.0.8:443 handle stats authorization route cluster foo.example.com endpoints ip:port ip:port ip:port load balance select endpoint connect outlier detection handle tls handle stats

Slide 111

Slide 111 text

> From kubernetes to envoy listener 10.24.0.8:443 route cluster foo.example.com endpoints ip:port ip:port ip:port

Slide 112

Slide 112 text

> From kubernetes to envoy route listener endpoints cluster ip:port ip:port ip:port

Slide 113

Slide 113 text

> From kubernetes to envoy route listener endpoints cluster ip:port ip:port ip:port

Slide 114

Slide 114 text

> From kubernetes to envoy route listener endpoints cluster ip:port ip:port ip:port

Slide 115

Slide 115 text

Slide 116

Slide 116 text

Slide 117

Slide 117 text

Slide 118

Slide 118 text

Slide 119

Slide 119 text

Service back clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 route listener endpoints cluster ip:port ip:port ip:port clusterIP: 10.222.0.78 ports: - name: http port: 8080 Service front 10.111.2.5 10.111.2.4 10.111.2.3

Slide 120

Slide 120 text

Slide 121

Slide 121 text

Slide 122

Slide 122 text

Slide 123

Slide 123 text

Slide 124

Slide 124 text

Slide 125

Slide 125 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 route listener

Slide 126

Slide 126 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 route listener

Slide 127

Slide 127 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 listener 10.111.3.4:8080 10.111.3.3:8080 route

Slide 128

Slide 128 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 route listener

Slide 129

Slide 129 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 route listener TCP IP:port

Slide 130

Slide 130 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 HTTP Host route listener TCP IP:port

Slide 131

Slide 131 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 HTTP Host route listener TCP IP:port TLS SNI

Slide 132

Slide 132 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 HTTP Host route listener TCP IP:port TLS SNI

Slide 133

Slide 133 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 HTTP Host route listener TCP IP:port TLS SNI

Slide 134

Slide 134 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 HTTP Host route listener TCP IP:port TLS SNI

Slide 135

Slide 135 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 HTTP Host route listener TCP IP:port TLS SNI

Slide 136

Slide 136 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 route listener HTTP Host TCP IP:port TLS SNI

Slide 137

Slide 137 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 route listener

Slide 138

Slide 138 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 route listener route listener 10.222.0.42:3306

Slide 139

Slide 139 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 route listener route listener 10.222.0.42:3306 route

Slide 140

Slide 140 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 route listener listener 10.222.0.42:3306 tcp_proxy

Slide 141

Slide 141 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 listener 10.222.0.42:3306 tcp_proxy route listener 0.0.0.0:8080

Slide 142

Slide 142 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 listener 10.222.0.42:3306 tcp_proxy route listener 0.0.0.0:8080

Slide 143

Slide 143 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 route listener 0.0.0.0:8080 tcp_proxy listener 10.222.0.42:3306

Slide 144

Slide 144 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 route listener 0.0.0.0:8080 tcp_proxy listener 10.222.0.42:3306 istio-proxy 0.0.0.0:15001 front istio-agent

Slide 145

Slide 145 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 route listener 0.0.0.0:8080 tcp_proxy listener 10.222.0.42:3306 istio-proxy 0.0.0.0:15001 front istio-agent

Slide 146

Slide 146 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 route listener 0.0.0.0:8080 tcp_proxy listener 10.222.0.42:3306

Slide 147

Slide 147 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 route listener 0.0.0.0:8080 tcp_proxy listener 10.222.0.42:3306 listener 0.0.0.0:15001

Slide 148

Slide 148 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 route listener 0.0.0.0:8080 tcp_proxy listener 10.222.0.42:3306 listener 0.0.0.0:15001

Slide 149

Slide 149 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 route listener 0.0.0.0:8080 tcp_proxy listener 10.222.0.42:3306 listener 0.0.0.0:15001 use_original_dst

Slide 150

Slide 150 text

Service back clusterIP: 10.222.0.78 ports: - name: http port: 8080 clusterIP: 10.222.0.5 ports: - name: http port: 8080 Service db clusterIP: 10.222.0.42 ports: - name: mysql port: 3306 > From kubernetes to envoy Service front 10.111.2.5 10.111.2.4 10.111.2.3 10.111.3.5 10.111.3.4 10.111.3.3 10.111.4.3 endpoints cluster db 10.111.4.3:3306 endpoints cluster front 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 endpoints cluster back 10.111.3.5:8080 10.111.3.4:8080 10.111.3.3:8080 route listener 0.0.0.0:8080 tcp_proxy listener 10.222.0.42:3306 listener 0.0.0.0:15001 use_original_dst

Slide 151

Slide 151 text

istio-proxy istio-proxy front back db istio-proxy

Slide 152

Slide 152 text

> Request lifecycle istio-proxy back db istio-proxy istio-proxy front

Slide 153

Slide 153 text

> Request lifecycle istio-proxy front istio-agent

Slide 154

Slide 154 text

> Request lifecycle istio-proxy front istio-agent listener 0.0.0.0:8080 listener 10.222.0.42:3306

Slide 155

Slide 155 text

> Request lifecycle istio-proxy front istio-agent listener 0.0.0.0:8080 listener 10.222.0.42:3306

Slide 156

Slide 156 text

> Request lifecycle istio-proxy front istio-agent listener 0.0.0.0:8080 listener 10.222.0.42:3306

Slide 157

Slide 157 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 istio-agent listener 0.0.0.0:8080 listener 10.222.0.42:3306

Slide 158

Slide 158 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 istio-agent GET http://back:8080 listener 0.0.0.0:8080 listener 10.222.0.42:3306

Slide 159

Slide 159 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 istio-agent GET http://back:8080 listener 0.0.0.0:8080 listener 10.222.0.42:3306

Slide 160

Slide 160 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 listener 0.0.0.0:8080 listener 10.222.0.42:3306

Slide 161

Slide 161 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 listener 0.0.0.0:8080 listener 10.222.0.42:3306

Slide 162

Slide 162 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 listener 0.0.0.0:8080 listener 10.222.0.42:3306

Slide 163

Slide 163 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 listener 0.0.0.0:8080 listener 10.222.0.42:3306

Slide 164

Slide 164 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 listener 0.0.0.0:8080 listener 10.222.0.42:3306

Slide 165

Slide 165 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 listener 0.0.0.0:8080 listener 10.222.0.42:3306

Slide 166

Slide 166 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 listener 0.0.0.0:8080 listener 10.222.0.42:3306

Slide 167

Slide 167 text

> Request lifecycle listener 10.222.0.42:3306 istio-proxy front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 listener 0.0.0.0:8080

Slide 168

Slide 168 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route listener 0.0.0.0:8080

Slide 169

Slide 169 text

Slide 170

Slide 170 text

Slide 171

Slide 171 text

Slide 172

Slide 172 text

Slide 173

Slide 173 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls listener 0.0.0.0:8080 handle stats authorization route cluster back cluster front istio-agent

Slide 174

Slide 174 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls listener 0.0.0.0:8080 handle stats authorization route cluster back cluster front istio-agent

Slide 175

Slide 175 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance handle tls listener 0.0.0.0:8080 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back istio-agent

Slide 176

Slide 176 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance handle tls listener 0.0.0.0:8080 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back istio-agent

Slide 177

Slide 177 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance handle tls listener 0.0.0.0:8080 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back load balance istio-agent

Slide 178

Slide 178 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance handle tls listener 0.0.0.0:8080 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back load balance select endpoint istio-agent

Slide 179

Slide 179 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance handle tls listener 0.0.0.0:8080 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints load balance select endpoint 10.111.2.5:8080 10.111.2.4:8080 10.111.3.3:8080 istio-agent

Slide 180

Slide 180 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance handle tls listener 0.0.0.0:8080 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints load balance select endpoint 10.111.2.5:8080 10.111.2.4:8080 10.111.3.3:8080 istio-agent

Slide 181

Slide 181 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance handle tls listener 0.0.0.0:8080 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints load balance select endpoint connect 10.111.2.5:8080 10.111.2.4:8080 10.111.3.3:8080 istio-agent

Slide 182

Slide 182 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance handle tls listener 0.0.0.0:8080 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints load balance select endpoint connect outlier detection 10.111.2.5:8080 10.111.2.4:8080 10.111.3.3:8080 istio-agent

Slide 183

Slide 183 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance handle tls listener 0.0.0.0:8080 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints load balance select endpoint connect outlier detection handle tls 10.111.2.5:8080 10.111.2.4:8080 10.111.3.3:8080 istio-agent

Slide 184

Slide 184 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance handle tls listener 0.0.0.0:8080 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints load balance select endpoint connect outlier detection handle tls handle stats 10.111.2.5:8080 10.111.2.4:8080 10.111.3.3:8080 istio-agent

Slide 185

Slide 185 text

> Request lifecycle istio-proxy front 0.0.0.0:15001 GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance handle tls listener 0.0.0.0:8080 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints load balance select endpoint connect outlier detection handle tls handle stats istio-proxy back 10.111.3.3:8080 10.111.2.5:8080 10.111.2.4:8080 10.111.3.3:8080 istio-agent

Slide 186

Slide 186 text

istio-proxy front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance listener 0.0.0.0:8080 handle stats connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints handle stats 10.111.2.5:8080 istio-proxy 10.111.3.3:8080 10.111.2.4:8080 10.111.3.3:8080 back handle tls authorization route load balance select endpoint connect outlier detection handle tls

Slide 187

Slide 187 text

> Istio API front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance listener 0.0.0.0:8080 handle stats connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints handle stats 10.111.2.5:8080 istio-proxy 10.111.3.3:8080 10.111.2.4:8080 10.111.3.3:8080 back authorization route load balance select endpoint connect outlier detection handle tls handle tls PeerAuthentication

Slide 188

Slide 188 text

Slide 189

Slide 189 text

Slide 190

Slide 190 text

Slide 191

Slide 191 text

Slide 192

Slide 192 text

> Istio API > PeerAuthentication front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance listener 0.0.0.0:8080 handle stats connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints handle stats 10.111.2.5:8080 istio-proxy 10.111.3.3:8080 10.111.2.4:8080 10.111.3.3:8080 back authorization route load balance select endpoint connect outlier detection handle tls AuthorizationPolicy VirtualService DestinationRule handle tls PeerAuthentication

Slide 193

Slide 193 text

> Istio API > PeerAuthentication PeerAuthentication apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-on namespace: myns spec: mtls: mode: XXX

Slide 194

Slide 194 text

PeerAuthentication apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-on namespace: myns spec: mtls: mode: XXX > Istio API > PeerAuthentication

Slide 195

Slide 195 text

PeerAuthentication apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-on namespace: myns spec: mtls: mode: XXX > Istio API > PeerAuthentication

Slide 196

Slide 196 text

> Istio API > PeerAuthentication PeerAuthentication apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-on namespace: myns spec: mtls: mode: XXX

Slide 197

Slide 197 text

> Istio API > PeerAuthentication PeerAuthentication apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-on namespace: myns spec: mtls: mode: XXX

Slide 198

Slide 198 text

> Istio API > PeerAuthentication PeerAuthentication apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-on namespace: myns spec: mtls: mode: XXX FTP SMTP MYSQL … +

Slide 199

Slide 199 text

PeerAuthentication apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-on namespace: myns spec: mtls: mode: XXX + FTP SMTP MYSQL … > Istio API > PeerAuthentication =

Slide 200

Slide 200 text

> Istio API > PeerAuthentication PeerAuthentication apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-on namespace: myns spec: mtls: mode: XXX

Slide 201

Slide 201 text

> Istio API > PeerAuthentication PeerAuthentication apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-on namespace: myns spec: mtls: mode: STRICT

Slide 202

Slide 202 text

> Istio API > PeerAuthentication front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance listener 0.0.0.0:8080 handle stats connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints handle stats 10.111.2.5:8080 istio-proxy 10.111.3.3:8080 10.111.2.4:8080 10.111.3.3:8080 back authorization route load balance select endpoint connect outlier detection handle tls handle tls AuthorizationPolicy VirtualService DestinationRule PeerAuthentication handle tls

Slide 203

Slide 203 text

Slide 204

Slide 204 text

> Istio API > DestinationRule front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance listener 0.0.0.0:8080 handle stats connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints handle stats 10.111.2.5:8080 istio-proxy 10.111.3.3:8080 10.111.2.4:8080 10.111.3.3:8080 handle tls load balance select endpoint connect outlier detection back authorization route AuthorizationPolicy VirtualService handle tls DestinationRule

Slide 205

Slide 205 text

> Istio API > DestinationRule DestinationRule DestinationRule

Slide 206

Slide 206 text

> Istio API > DestinationRule DestinationRule apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: mtls-on namespace: myns spec: host: *.myns.svc trafficPolicy: tls: mode: ISTIO-MUTUAL apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: mtls-on namespace: myns spec: host: *.myns.svc trafficPolicy: tls: mode: XXX

Slide 207

Slide 207 text

Slide 208

Slide 208 text

> Istio API > DestinationRule apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: mtls-on namespace: myns spec: host: *.myns.svc trafficPolicy: tls: mode: ISTIO-MUTUAL apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: mtls-on namespace: myns spec: host: *.myns.svc trafficPolicy: tls: mode: XXX DestinationRule

Slide 209

Slide 209 text

Slide 210

Slide 210 text

Slide 211

Slide 211 text

Slide 212

Slide 212 text

Slide 213

Slide 213 text

> Istio API > DestinationRule PeerAuthentication apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-on namespace: myns spec: mtls: mode: STRICT DestinationRule apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: mtls-on namespace: myns spec: host: *.myns.svc trafficPolicy: tls: mode: ISTIO-MUTUAL apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: mtls-on namespace: myns spec: host: *.myns.svc trafficPolicy: tls: mode: ISTIO_MUTUAL

Slide 214

Slide 214 text

Slide 215

Slide 215 text

> Istio API > DestinationRule Mutual TLS PeerAuthentication apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-on namespace: myns spec: mtls: mode: STRICT DestinationRule apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: mtls-on namespace: myns spec: host: *.myns.svc trafficPolicy: tls: mode: ISTIO-MUTUAL apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: mtls-on namespace: myns spec: host: *.myns.svc trafficPolicy: tls: mode: ISTIO_MUTUAL

Slide 216

Slide 216 text

PeerAuthentication apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-on namespace: myns spec: mtls: mode: STRICT DestinationRule apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: mtls-on namespace: myns spec: host: *.myns.svc trafficPolicy: tls: mode: ISTIO-MUTUAL apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: mtls-on namespace: myns spec: host: *.myns.svc trafficPolicy: tls: mode: ISTIO-MUTUAL > Istio API > DestinationRule Mutual TLS

Slide 217

Slide 217 text

Slide 218

Slide 218 text

back > Istio API > DestinationRule front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance listener 0.0.0.0:8080 handle stats connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints handle stats 10.111.2.5:8080 istio-proxy 10.111.3.3:8080 10.111.2.4:8080 10.111.3.3:8080 handle tls load balance select endpoint connect outlier detection authorization route handle tls DestinationRule

Slide 219

Slide 219 text

Slide 220

Slide 220 text

Slide 221

Slide 221 text

Slide 222

Slide 222 text

> Istio API > DestinationRule DestinationRule

Slide 223

Slide 223 text

> Istio API > DestinationRule DestinationRule apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: mypolicy spec: host: back trafficPolicy: loadBalancer: consistentHash: httpCookie: name: user ttl: 0s connectionPool: tcp: maxConnections: 1 http: maxRequestsPerConnection: 10 outlierDetection: consecutive5xxErrors: 7 interval: 5m baseEjectionTime: 15m

Slide 224

Slide 224 text

Slide 225

Slide 225 text

Slide 226

Slide 226 text

Slide 227

Slide 227 text

Slide 228

Slide 228 text

Slide 229

Slide 229 text

Slide 230

Slide 230 text

Slide 231

Slide 231 text

istio-proxy front back istio-proxy > Istio API > DestinationRule

Slide 232

Slide 232 text

istio-proxy front back istio-proxy > Istio API > DestinationRule

Slide 233

Slide 233 text

istio-proxy front back istio-proxy istio-proxy front istio-proxy front > Istio API > DestinationRule

Slide 234

Slide 234 text

istio-proxy front back istio-proxy istio-proxy front istio-proxy front > Istio API > DestinationRule

Slide 235

Slide 235 text

Slide 236

Slide 236 text

Slide 237

Slide 237 text

Slide 238

Slide 238 text

Slide 239

Slide 239 text

back > Istio API front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance listener 0.0.0.0:8080 handle stats connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints handle tls DestinationRule handle stats 10.111.2.5:8080 istio-proxy 10.111.3.3:8080 10.111.2.4:8080 10.111.3.3:8080 handle tls load balance select endpoint connect outlier detection authorization route

Slide 240

Slide 240 text

Slide 241

Slide 241 text

> Istio API > AuthorizationPolicy front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance listener 0.0.0.0:8080 handle stats connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints handle tls DestinationRule handle stats 10.111.2.5:8080 istio-proxy back 10.111.3.3:8080 10.111.2.4:8080 10.111.3.3:8080 handle tls load balance select endpoint connect outlier detection authorization route authorization AuthorizationPolicy Авторизация

Slide 242

Slide 242 text

> Istio API > AuthorizationPolicy AuthorizationPolicy

Slide 243

Slide 243 text

> Istio API > AuthorizationPolicy AuthorizationPolicy apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: httpbin namespace: foo spec: selector: matchLabels: app: httpbin action: ALLOW rules: - from: - source: principals: ["cluster.local/ns/default/sa/sleep"] - source: namespaces: ["test"] to: - operation: methods: ["GET"] paths: ["/info*"] when: - key: request.auth.claims[iss] values: ["https://accounts.google.com"] - key: request.headers[X-Secret] values: ["la-resistance"]

Slide 244

Slide 244 text

Slide 245

Slide 245 text

Slide 246

Slide 246 text

Slide 247

Slide 247 text

Slide 248

Slide 248 text

Slide 249

Slide 249 text

Slide 250

Slide 250 text

Slide 251

Slide 251 text

Slide 252

Slide 252 text

> Istio API > AuthorizationPolicy AuthorizationPolicy Алгоритм принятия решения apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: httpbin namespace: foo spec: selector: matchLabels: app: httpbin action: ALLOW rules: - from: - source: principals: ["cluster.local/ns/default/sa/sleep"] - source: namespaces: ["test"] to: - operation: methods: ["GET"] paths: ["/info*"] when: - key: request.auth.claims[iss] values: ["https://accounts.google.com"] - key: request.headers[X-Secret] values: ["la-resistance"] deckhouse.ru deckhouse.ru

Slide 253

Slide 253 text

istio-proxy front back istio-proxy > Istio API > AuthorizationPolicy

Slide 254

Slide 254 text

istio-proxy front back istio-proxy > Istio API > AuthorizationPolicy

Slide 255

Slide 255 text

istio-proxy front back istio-proxy > Istio API > AuthorizationPolicy

Slide 256

Slide 256 text

Slide 257

Slide 257 text

> Istio API front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance listener 0.0.0.0:8080 handle stats connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints handle tls DestinationRule handle stats 10.111.2.5:8080 istio-proxy back 10.111.3.3:8080 10.111.2.4:8080 10.111.3.3:8080 handle tls load balance select endpoint connect outlier detection authorization route authorization

Slide 258

Slide 258 text

> Istio API front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance listener 0.0.0.0:8080 handle stats connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints handle tls DestinationRule handle stats 10.111.2.5:8080 istio-proxy back 10.111.3.3:8080 10.111.2.4:8080 10.111.3.3:8080 handle tls load balance select endpoint connect outlier detection authorization route authorization Хитрая маршрутизация

Slide 259

Slide 259 text

> Istio API front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance listener 0.0.0.0:8080 handle stats connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints handle tls DestinationRule handle stats 10.111.2.5:8080 istio-proxy back 10.111.3.3:8080 10.111.2.4:8080 10.111.3.3:8080 handle tls load balance select endpoint connect outlier detection authorization route authorization Хитрая маршрутизация route VirtualService

Slide 260

Slide 260 text

istio-proxy front > Istio API > VirtualService

Slide 261

Slide 261 text

istio-proxy front Service back > Istio API > VirtualService

Slide 262

Slide 262 text

back back istio-proxy front Service back back > Istio API > VirtualService

Slide 263

Slide 263 text

back back istio-proxy front Service back back / > Istio API > VirtualService

Slide 264

Slide 264 text

back back istio-proxy front Service back back / > Istio API > VirtualService back Service admin admin

Slide 265

Slide 265 text

back back istio-proxy front Service back back / > Istio API > VirtualService back Service admin admin admin /

Slide 266

Slide 266 text

back back istio-proxy front Service back back > Istio API > VirtualService back Service admin admin / VirtualService / admin /

Slide 267

Slide 267 text

back back istio-proxy front Service back back > Istio API > VirtualService back Service admin admin / VirtualService apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: back spec: hosts: - back http: - match: - uri: prefix: "/admin" route: - destination: host: admin - route: - destination: host: back / admin /

Slide 268

Slide 268 text

back back istio-proxy front Service back back > Istio API > VirtualService back Service admin admin VirtualService apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: back spec: hosts: - back http: - match: - uri: prefix: "/admin" route: - destination: host: admin - route: - destination: host: back / admin /

Slide 269

Slide 269 text

Slide 270

Slide 270 text

Slide 271

Slide 271 text

Slide 272

Slide 272 text

Slide 273

Slide 273 text

Slide 274

Slide 274 text

Slide 275

Slide 275 text

back back istio-proxy front Service back back > Istio API > VirtualService /

Slide 276

Slide 276 text

back back istio-proxy front Service back back > Istio API > VirtualService back /

Slide 277

Slide 277 text

back back istio-proxy front Service back back > Istio API > VirtualService back /

Slide 278

Slide 278 text

back back istio-proxy front Service back back > Istio API > VirtualService back Canary Deployment /

Slide 279

Slide 279 text

back back istio-proxy front Service back back > Istio API > VirtualService > Canary back /

Slide 280

Slide 280 text

back back istio-proxy front Service back back > Istio API > VirtualService > Canary back /

Slide 281

Slide 281 text

back back istio-proxy front Service back back > Istio API > VirtualService > Canary back-canary /

Slide 282

Slide 282 text

back back istio-proxy front Service back back > Istio API > VirtualService > Canary back-canary /

Slide 283

Slide 283 text

back back istio-proxy front Service back back back / > Istio API > VirtualService > Canary back-canary

Slide 284

Slide 284 text

back back istio-proxy front Service back back back / > Istio API > VirtualService > Canary endpoints 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 back-canary

Slide 285

Slide 285 text

back back istio-proxy front Service back back back / > Istio API > VirtualService > Canary endpoints 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 10.111.9.7:8080 back-canary

Slide 286

Slide 286 text

back back istio-proxy front Service back back back / > Istio API > VirtualService > Canary endpoints 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 10.111.9.7:8080 LB back-canary

Slide 287

Slide 287 text

back back istio-proxy front Service back back back / > Istio API > VirtualService > Canary endpoints 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 10.111.9.7:8080 LB back-canary

Slide 288

Slide 288 text

back back istio-proxy front Service back back back / > Istio API > VirtualService > Canary endpoints 10.111.2.5:8080 10.111.2.4:8080 10.111.2.3:8080 10.111.9.7:8080 LB back-canary

Slide 289

Slide 289 text

back back istio-proxy front Service back back back / > Istio API > VirtualService > Canary back-canary

Slide 290

Slide 290 text

back back istio-proxy front Service back back back / > Istio API > VirtualService > Canary back-canary

Slide 291

Slide 291 text

back back istio-proxy front Service back back back back-canary / > Istio API > VirtualService > Canary

Slide 292

Slide 292 text

back back istio-proxy front Service back back back Service back-canary back-canary / > Istio API > VirtualService > Canary

Slide 293

Slide 293 text

back back istio-proxy front Service back back back Service back-canary back-canary / back-canary > Istio API > VirtualService > Canary

Slide 294

Slide 294 text

istio-proxy front Service back-canary back-canary / back-canary > Istio API > VirtualService > Canary back back Service back back back

Slide 295

Slide 295 text

istio-proxy front Service back-canary back-canary / back-canary > Istio API > VirtualService > Canary back back Service back back back VirtualService apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: back-canary spec: hosts: - back http: - route: - weight: 90 destination: host: back - weight: 10 destination: host: back-canary

Slide 296

Slide 296 text

Slide 297

Slide 297 text

Slide 298

Slide 298 text

Slide 299

Slide 299 text

Slide 300

Slide 300 text

Slide 301

Slide 301 text

Slide 302

Slide 302 text

istio-proxy front Service back-canary back-canary / VirtualService apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: back-canary spec: hosts: - back http: - route: - weight: 90 destination: host: back - weight: 10 destination: host: back-canary back-canary > Istio API > VirtualService > Canary back back Service back back back

Slide 303

Slide 303 text

istio-proxy front / > Istio API > VirtualService > Canary > Istio-way back back Service back back back back-canary

Slide 304

Slide 304 text

istio-proxy front back-canary / > Istio API > VirtualService > Canary > Istio-way back back Service back back back back

Slide 305

Slide 305 text

istio-proxy front / > Istio API > VirtualService > Canary > Istio-way back back Service back back back back back-canary

Slide 306

Slide 306 text

istio-proxy front / > Istio API > VirtualService > Canary > Istio-way back back Service back back back back back-canary

Slide 307

Slide 307 text

istio-proxy front / > Istio API > VirtualService > Canary > Istio-way back back Service back back back back back-canary endpoints load balance select endpoint connect outlier detection handle tls

Slide 308

Slide 308 text

back istio-proxy front / > Istio API > VirtualService > Canary > Istio-way back back Service back back back back-canary endpoints load balance select endpoint connect outlier detection handle tls

Slide 309

Slide 309 text

load balance select endpoint connect outlier detection handle tls back istio-proxy front endpoints / > Istio API > VirtualService > Canary > Istio-way back back Service back back back back-canary endpoints load balance select endpoint connect outlier detection handle tls

Slide 310

Slide 310 text

Slide 311

Slide 311 text

Slide 312

Slide 312 text

Slide 313

Slide 313 text

Slide 314

Slide 314 text

Slide 315

Slide 315 text

Slide 316

Slide 316 text

Slide 317

Slide 317 text

Slide 318

Slide 318 text

> Istio API > VirtualService > Canary > Istio-way front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance listener 0.0.0.0:8080 handle stats connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints handle stats 10.111.2.5:8080 istio-proxy 10.111.3.3:8080 10.111.2.4:8080 authorization handle tls handle tls PeerAuthentication AuthorizationPolicy 10.111.3.3:8080 back load balance select endpoint connect outlier detection DestinationRule Хитрая маршрутизация route VirtualService

Slide 319

Slide 319 text

> Istio API > VirtualService > Canary > Istio-way front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance listener 0.0.0.0:8080 handle stats connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back handle stats authorization route handle tls PeerAuthentication AuthorizationPolicy istio-proxy 10.111.3.3:8080 back load balance select endpoint connect outlier detection handle tls DestinationRule Хитрая маршрутизация route VirtualService endpoints 10.111.2.5:8080 10.111.2.4:8080 10.111.3.3:8080

Slide 320

Slide 320 text

Slide 321

Slide 321 text

Slide 322

Slide 322 text

istio-proxy front / > Istio API > VirtualService > Canary > Istio-way back back Service back back endpoints load balance select endpoint connect outlier detection handle tls back back-canary DestinationRule apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: back-canary spec: host: back subsets: - name: canary labels: version: new endpoints load balance select endpoint connect outlier detection handle tls back

Slide 323

Slide 323 text

Slide 324

Slide 324 text

Slide 325

Slide 325 text

Slide 326

Slide 326 text

Slide 327

Slide 327 text

istio-proxy front > Istio API > VirtualService > Canary > Istio-way back back Service back back endpoints load balance select endpoint connect outlier detection handle tls back endpoints load balance select endpoint connect outlier detection handle tls canary back-canary / DestinationRule apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: back-canary spec: host: back subsets: - name: canary labels: version: new

Slide 328

Slide 328 text

Slide 329

Slide 329 text

istio-proxy front / > Istio API > VirtualService > Canary > Istio-way back back Service back back endpoints load balance select endpoint connect outlier detection handle tls back endpoints load balance select endpoint connect outlier detection handle tls canary back-canary DestinationRule apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: back-canary spec: host: back subsets: - name: canary labels: version: new VirtualService apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: back-canary spec: hosts: - back http: - route: - weight: 90 destination: host: back - weight: 10 destination: host: back subset: canary

Slide 330

Slide 330 text

istio-proxy front / > Istio API > VirtualService > Canary > Istio-way back back Service back back endpoints load balance select endpoint connect outlier detection handle tls back endpoints load balance select endpoint connect outlier detection handle tls canary back-canary DestinationRule apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: back-canary spec: host: back subsets: - name: canary labels: version: new VirtualService apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: back-canary spec: hosts: - back http: - route: - weight: 90 destination: host: back - weight: 10 destination: host: back subset: canary

Slide 331

Slide 331 text

istio-proxy front / > Istio API > VirtualService > Canary > Istio-way back back Service back back endpoints load balance select endpoint connect outlier detection handle tls back endpoints load balance select endpoint connect outlier detection handle tls canary back-canary DestinationRule apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: back-canary spec: host: back subsets: - name: canary labels: version: new VirtualService apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: back-canary spec: hosts: - back http: - route: - weight: 90 destination: host: back - weight: 10 destination: host: back subset: canary

Slide 332

Slide 332 text

istio-proxy front / > Istio API > VirtualService > Canary > Istio-way back back Service back back endpoints load balance select endpoint connect outlier detection handle tls back endpoints load balance select endpoint connect outlier detection handle tls canary back-canary DestinationRule apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: back-canary spec: host: back subsets: - name: canary labels: version: new VirtualService apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: back-canary spec: hosts: - back http: - route: - weight: 90 destination: host: back - weight: 10 destination: host: back subset: canary

Slide 333

Slide 333 text

istio-proxy front / > Istio API > VirtualService > Canary > Istio-way back back Service back back endpoints load balance select endpoint connect outlier detection handle tls back endpoints load balance select endpoint connect outlier detection handle tls canary back-canary DestinationRule apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: back-canary spec: host: back subsets: - name: canary labels: version: new VirtualService apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: back-canary spec: hosts: - back http: - route: - weight: 90 destination: host: back - weight: 10 destination: host: back subset: canary

Slide 334

Slide 334 text

istio-proxy front / > Istio API > VirtualService > Canary > Istio-way back back Service back back endpoints load balance select endpoint connect outlier detection handle tls back endpoints load balance select endpoint connect outlier detection handle tls canary back-canary DestinationRule apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: back-canary spec: host: back subsets: - name: canary labels: version: new VirtualService apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: back-canary spec: hosts: - back http: - route: - weight: 90 destination: host: back - weight: 10 destination: host: back subset: canary

Slide 335

Slide 335 text

istio-proxy front / > Istio API > VirtualService > Canary > Istio-way back back Service back back endpoints load balance select endpoint connect outlier detection handle tls back endpoints load balance select endpoint connect outlier detection handle tls canary back-canary DestinationRule apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: back-canary spec: host: back subsets: - name: canary labels: version: new VirtualService apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: back-canary spec: hosts: - back http: - route: - weight: 90 destination: host: back - weight: 10 destination: host: back subset: canary

Slide 336

Slide 336 text

istio-proxy front / > Istio API > VirtualService > Canary > Istio-way back back Service back back endpoints load balance select endpoint connect outlier detection handle tls back endpoints load balance select endpoint connect outlier detection handle tls canary back-canary DestinationRule apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: back-canary spec: host: back subsets: - name: canary labels: version: new VirtualService apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: back-canary spec: hosts: - back http: - route: - weight: 90 destination: host: back - weight: 10 destination: host: back subset: canary

Slide 337

Slide 337 text

istio-proxy front / > Istio API > VirtualService > Canary > Istio-way back back Service back back endpoints load balance select endpoint connect outlier detection handle tls back endpoints load balance select endpoint connect outlier detection handle tls canary back-canary DestinationRule apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: back-canary spec: host: back subsets: - name: canary labels: version: new VirtualService apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: back-canary spec: hosts: - back http: - route: - weight: 90 destination: host: back - weight: 10 destination: host: back subset: canary

Slide 338

Slide 338 text

istio-proxy front / > Istio API > VirtualService > Canary > Istio-way back back Service back back endpoints load balance select endpoint connect outlier detection handle tls back endpoints load balance select endpoint connect outlier detection handle tls canary back-canary DestinationRule apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: back-canary spec: host: back subsets: - name: canary labels: version: new VirtualService apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: back-canary spec: hosts: - back http: - route: - weight: 90 destination: host: back - weight: 10 destination: host: back subset: canary

Slide 339

Slide 339 text

> Istio API > VirtualService front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance listener 0.0.0.0:8080 handle stats connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints handle stats 10.111.2.5:8080 istio-proxy 10.111.3.3:8080 10.111.2.4:8080 10.111.3.3:8080 authorization route handle tls back route load balance select endpoint connect outlier detection handle tls VirtualService DestinationRule endpoints 10.111.2.5:8080 10.111.2.4:8080 10.111.3.3:8080 Хитрая маршрутизация

Slide 340

Slide 340 text

> Istio API front 0.0.0.0:15001 istio-agent GET http://back:8080 10.222.0.78 handle tls Listener 10.24.0.8:443 handle stats authorization route handle tls Listener 10.24.0.8:443 handle stats authorization route connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance listener 0.0.0.0:8080 handle stats connect Cluster foo.example.c om outlier detection handle tls handle stats select endpoint endpoints ip:port ip:port ip:port load balance cluster back endpoints handle stats 10.111.2.5:8080 istio-proxy 10.111.3.3:8080 10.111.2.4:8080 10.111.3.3:8080 back route load balance select endpoint connect outlier detection handle tls endpoints 10.111.2.5:8080 10.111.2.4:8080 authorization route handle tls 10.111.3.3:8080

Slide 341

Slide 341 text

Slide 342

Slide 342 text

Slide 343

Slide 343 text

Observability

Slide 344

Slide 344 text

Observability

Slide 345

Slide 345 text

No content

Slide 346

Slide 346 text

● Что с latency?

Slide 347

Slide 347 text

● Что с latency? ● Что с безопасностью?

Slide 348

Slide 348 text

● Что с безопасностью? ● Что, если что-то сломается? ● Что с latency?

Slide 349

Slide 349 text

● Что с безопасностью? ● Что, если что-то сломается? ● Что с масштабированием? ● Что с latency?

Slide 350

Slide 350 text

● Что с безопасностью? ● Что, если что-то сломается? ● Что с масштабированием? ● Что с latency?

Slide 351

Slide 351 text

● Что с безопасностью? ● Что, если что-то сломается? ● Что с масштабированием? ● Что с latency?

Slide 352

Slide 352 text

● Что с безопасностью? ● Что, если что-то сломается? ● Что с масштабированием? ● Что с latency? ~2.5ms / request

Slide 353

Slide 353 text

● Что с безопасностью? ● Что, если что-то сломается? ● Что с масштабированием? ● Что с latency? ~2.5ms / request

Slide 354

Slide 354 text

● Что с безопасностью? ● Что, если что-то сломается? ● Что с масштабированием? ● Что с latency? ~2.5ms / request

Slide 355

Slide 355 text

● Что с безопасностью? ● Что, если что-то сломается? ● Что с масштабированием? ● Что с latency? API Server ~2.5ms / request

Slide 356

Slide 356 text

● Что с безопасностью? ● Что, если что-то сломается? ● Что с масштабированием? ● Что с latency? Root CA API Server ~2.5ms / request

Slide 357

Slide 357 text

● Что с безопасностью? ● Что, если что-то сломается? ● Что с масштабированием? ● Что с latency? Root CA SA token API Server ~2.5ms / request

Slide 358

Slide 358 text

Root CA SA token API Server ● Что с безопасностью? ● Что, если что-то сломается? ● Что с масштабированием? ● Что с latency? ~2.5ms / request

Slide 359

Slide 359 text

● Что с безопасностью? ● Что, если что-то сломается? ● Что с масштабированием? ● Что с latency?

Slide 360

Slide 360 text

> Ломаем компоненты

Slide 361

Slide 361 text

istio-proxy istiod front back db istio-proxy istio-proxy > Ломаем компоненты

Slide 362

Slide 362 text

istio-proxy istiod front back db istio-proxy istio-proxy > Ломаем компоненты

Slide 363

Slide 363 text

istio-proxy istiod front back db istio-proxy istio-proxy > Ломаем компоненты

Slide 364

Slide 364 text

istio-proxy istiod front back db istio-proxy istio-proxy > Ломаем компоненты

Slide 365

Slide 365 text

istio-proxy istiod front back db istio-proxy istio-proxy > Ломаем компоненты

Slide 366

Slide 366 text

istio-proxy istiod front back db istio-proxy istio-proxy checkout > Ломаем компоненты

Slide 367

Slide 367 text

istio-proxy front back db istio-proxy istio-proxy checkout istiod > Ломаем компоненты

Slide 368

Slide 368 text

istio-proxy istiod front back db istio-proxy istio-proxy checkout > Ломаем компоненты

Slide 369

Slide 369 text

istio-proxy istiod front back db istio-proxy istio-proxy checkout > Ломаем компоненты

Slide 370

Slide 370 text

istio-proxy istiod front back db istio-proxy istio-proxy checkout > Ломаем компоненты

Slide 371

Slide 371 text

istio-proxy istiod front back db istio-proxy istio-proxy checkout > Ломаем компоненты

Slide 372

Slide 372 text

istio-proxy istiod front back db istio-proxy istio-proxy checkout > Ломаем компоненты

Slide 373

Slide 373 text

istio-proxy istiod front back db istio-proxy istio-proxy checkout > Ломаем компоненты

Slide 374

Slide 374 text

istio-proxy istiod front back db istio-proxy istio-proxy checkout > Ломаем компоненты istio-proxy admin

Slide 375

Slide 375 text

istio-proxy istiod front back db istio-proxy istio-proxy checkout > Ломаем компоненты istio-proxy admin

Slide 376

Slide 376 text

istio-proxy istiod front back db istio-proxy istio-proxy checkout > Ломаем компоненты istio-proxy admin Pending…

Slide 377

Slide 377 text

istio-proxy istiod front back db istio-proxy istio-proxy checkout > Ломаем компоненты istio-proxy admin Pending…

Slide 378

Slide 378 text

istio-proxy front back db istio-proxy istio-proxy checkout > Ломаем компоненты istiod istio-proxy admin Pending…

Slide 379

Slide 379 text

istio-proxy istiod front back db istio-proxy istio-proxy checkout > Ломаем компоненты istio-proxy admin Pending…

Slide 380

Slide 380 text

● Что с безопасностью? ● Что, если что-то сломается? ● Что с масштабированием? ● Что с latency?

Slide 381

Slide 381 text

● Что с безопасностью? ● Что, если что-то сломается? ● Что с масштабированием? ● Что с latency?

Slide 382

Slide 382 text

> Масштабирование

Slide 383

Slide 383 text

istio-proxy istiod front back db istio-proxy istio-proxy > Масштабирование

Slide 384