Slide 1

2019/4/4 Istio Service Mesh Introduction 127.0.0.1:5500/#54 1/58

Istio Service Mesh Introduction

Slide 2

whoami

Kyohei Mizumoto (@kyohmizu)
C# Software Engineer

Interests:
- Docker/Kubernetes
- Go
- Security

Slide 3

Required: basic knowledge of Kubernetes

Targets: people who
- don't know Service Mesh
- have never used Istio

Slide 4

Contents

1. What is Service Mesh?
2. What is Istio?
3. Setup using Istio on GKE
4. Traffic Management

Slide 5

What is Service Mesh?

Slide 6

Microservices?

- Loosely coupled
- Independently deployable
- Organized around business capabilities
- Implemented using different programming languages
- Continuous delivery/deployment of large, complex applications

Slide 7

Service Mesh?

Describes the network of microservices that make up applications and the interactions between them.

- Service Discovery
- Load Balancing
- Failure Recovery
- Metrics and Monitoring

Slide 8

Service Mesh?

More complex operational requirements:
- A/B Testing
- Canary Rollouts
- Rate Limiting
- Access Control
- End-to-end Authentication

Slide 9

What is Istio?

Slide 10

Istio

- Open source independent service mesh
- Deployed as sidecars in the Pods
- CNCF hosted project (Envoy)

Slide 11

Istio

Connect, secure, control, and observe services

Slide 12

Architecture

Slide 13

Architecture

Data plane:
- Envoy

Control plane:
- Mixer
- Pilot
- Citadel
- Galley

Slide 14

Envoy

- A high-performance proxy developed in C++
- Deployed as a sidecar in the Kubernetes Pod
- Add to an existing deployment with no need to rearchitect or rewrite code

Slide 15

Envoy

Features:
- Dynamic Service Discovery
- Load Balancing
- TLS Termination
- HTTP/2 and gRPC proxies

Slide 16

Envoy

- Circuit Breakers
- Health Checks
- Staged Rollouts with %-based Traffic Split
- Fault Injection
- Rich Metrics

Slide 17

Mixer

- Responsible for providing policy controls and telemetry collection
- Enforces access control and usage policies across the service mesh
- Collects telemetry data from the Envoy proxy and other services
- Includes a flexible plugin model

Slide 18

Mixer (figure)

Slide 19

Pilot

Provides:
- Service discovery for Envoy sidecars
- Traffic management capabilities for intelligent routing (e.g. A/B Tests, Canary Rollouts)
- Resiliency (e.g. Timeouts, Retries, Circuit Breakers)

Slide 20

Pilot (figure)

Slide 21

Citadel

Strong service-to-service/end-user authentication with built-in identity and credential management

Galley

Istio's configuration validation, ingestion, processing and distribution component

Slide 22

Setup using Istio on GKE

Slide 23

Set IAM

Set the default compute service account to include:
- roles/container.admin (Kubernetes Engine Admin)
- Editor (on by default)

Slide 24

Set IAM (figure)

Slide 25

Create a Cluster

- Need 4 nodes
- Check "Enable Istio (beta)" on Advanced options

Slide 26

Istio Resources

  $ kubectl get svc -n istio-system

or

  $ kubectl get po -n istio-system

Slide 27

Install Istio

1. Go to the Istio release page to download the installation file
2. Extract the downloaded installation file
3. Change directory to the root of the Istio installation
4. Add the istioctl client to the PATH:

  $ export PATH=$PWD/bin:$PATH

Slide 28

Sample Application

Slide 29

Bookinfo (architecture figure; labels: Requests, Product page, Details (Ruby), Reviews-v1, Reviews-v2, Reviews-v3, Ratings)

Slide 30

Bookinfo

4 separate microservices:
- Productpage
- Details
- Reviews
- Ratings

Slide 31

Bookinfo

3 versions of the Reviews microservice:
- Version v1 doesn't call the ratings service
- Version v2 calls the ratings service, and displays black stars
- Version v3 calls the ratings service, and displays red stars

Slide 32

Deploy

Enable automatic sidecar injection:

  $ kubectl label namespace default \
      istio-injection=enabled

Deploy the application using kubectl:

  $ kubectl apply -f \
      samples/bookinfo/platform/kube/bookinfo.yaml

Slide 33

Resources

Confirm all services and pods are running:

  $ kubectl get po,svc

Slide 34

Define Ingress Gateway

  $ kubectl apply -f \
      samples/bookinfo/networking/bookinfo-gateway.yaml
  $ kubectl get gateway
  NAME               AGE
  bookinfo-gateway   17s

Slide 35

Control Ingress Traffic

Slide 36

Httpbin

HTTP testing service that can be used for experimenting with all kinds of Istio features

  $ kubectl apply -f samples/httpbin/httpbin.yaml

Slide 37

Set variables

Set the ingress IP and ports:

  $ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway \
      -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  $ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway \
      -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
  $ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service \
      istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')

Slide 38

Create an Istio Gateway

  kubectl apply -f - <

Slide 39

Configure routes

  kubectl apply -f - <

Slide 40

Virtual Service

Contains the route rules that:
- Allow traffic for path /headers
- Reject all other external requests

  $ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
  $ curl -I http://$GATEWAY_URL/headers
  HTTP/1.1 200 OK
  ...
  $ curl -I http://$GATEWAY_URL/status
  HTTP/1.1 404 Not Found
  ...
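The Gateway and VirtualService that produce the behaviour shown above (200 for /headers, 404 for everything else), written here as an added example because the deck's own YAML on slides 38 and 39 is cut off in the extracted text. Assumptions: the default istio-ingressgateway from the GKE add-on, the httpbin Service from samples/httpbin/httpbin.yaml on port 8000, and a wildcard host because the curl tests on slide 40 send no Host header.

```yaml
# Added example, not the deck's original YAML.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway      # bind to the default ingress gateway pods
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"                      # assumption: any Host header is accepted, so the
                               # curl tests need no -H Host; narrow this to the
                               # real hostname(s) in anything beyond a lab
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway            # applies to gateway traffic only, not in-mesh calls
  http:
  - match:
    - uri:
        prefix: /headers       # the only externally reachable path
    route:
    - destination:
        host: httpbin
        port:
          number: 8000         # Service port from the httpbin sample (assumption)
```

Any request whose path does not match the single rule has no route, which is why the gateway answers /status with 404 rather than forwarding it to httpbin.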

Slide 41

Bookinfo Web Page

http://$GATEWAY_URL/productpage

Slide 42

Bookinfo Web Page

If you refresh the page several times, you should see different versions of reviews shown in productpage, presented in a round robin style (red stars, black stars, no stars), since we haven't yet used Istio to control the version routing.

Slide 43

Apply default destination rules

Create default destination rules for the Bookinfo services:

  $ kubectl apply -f \
      samples/bookinfo/networking/destination-rule-all.yaml

Display the destination rules:

  $ kubectl get destinationrules -o yaml

Slide 44

Traffic Management

Slide 45

Request routing

Introduces the concept of a service version:
- Versions (v1, v2)
- Environment (staging, prod)

Choose the service version dynamically based on the routing rules specified using Pilot

Slide 46

Request routing (figure)

Slide 47

Request routing

Route to v1:

  $ kubectl apply -f \
      samples/bookinfo/networking/virtual-service-all-v1.yaml

Display the defined routes:

  $ kubectl get virtualservices -o yaml

Slide 48

Discovery and load balancing

- HTTP traffic is automatically re-routed through Envoy
- 3 load balancing modes:
  - Round robin
  - Random
  - Weighted least request
- Checks the health of each instance

Slide 49

Discovery and load balancing (figure)

Slide 50

Discovery and load balancing

Apply weight-based routing: transfer 50% of the traffic from reviews:v1 to reviews:v3

  $ kubectl apply -f \
      samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml

Route based on user identity:

  $ kubectl apply -f \
      samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
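What the two sample files above amount to, combined into one DestinationRule and one VirtualService for the reviews service; this is an added example rather than the contents of the Istio sample files, and it assumes the Bookinfo pods carry the usual version=v1/v2/v3 labels and that productpage forwards the end-user header after login. The same weight fields give any split that sums to 100, so a 99/1 split is the fine-grained canary described later in the deck.

```yaml
# Added example, not the deck's or Istio's own sample YAML.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:                     # subsets map a name to pod labels (assumed labels)
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - match:                     # rule 1: identity-based routing, evaluated first
    - headers:
        end-user:
          exact: jason         # the header is a routing hint set by the app, not
                               # an authenticated identity; do not treat it as
                               # an access-control decision
    route:
    - destination:
        host: reviews
        subset: v2
  - route:                     # rule 2: default weighted split for everyone else
    - destination:
        host: reviews
        subset: v1
      weight: 50
    - destination:
        host: reviews
        subset: v3
      weight: 50
```

Rules are matched in order, so the end-user match must precede the catch-all weighted rule or it is never reached.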

Slide 51

Handling failures

- Timeouts
- Bounded retries with timeout budgets and variable jitter between retries
- Limits on number of concurrent connections and requests to upstream services
- Active (periodic) health checks on each member of the load balancing pool
- Fine-grained circuit breakers (passive health checks)

Slide 52

Fault injection

- Test the end-to-end failure recovery capability
- Protocol-specific fault injection into the network instead of deleting pods / delaying / corrupting packets
- 2 types of faults:
  - Delays: timing failures (increased network latency / overloaded upstream service)
  - Aborts: crash failures (HTTP error codes / TCP connection failures)
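An added example (not from the deck) that exercises the failure-handling features of slide 51 against the two fault types of this slide: a delay fault for one test user, an abort fault for a percentage of other callers, a caller timeout with bounded retries, and a DestinationRule that caps connections and ejects failing instances. It assumes the Bookinfo ratings service and Istio 1.1-era field names (consecutiveErrors; newer releases also accept consecutive5xxErrors).

```yaml
# Added example, not the deck's own YAML.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ratings
spec:
  hosts:
  - ratings
  http:
  - match:                     # timing failure: 7 s delay, only for user "jason"
    - headers:
        end-user:
          exact: jason
    fault:
      delay:
        fixedDelay: 7s
        percentage:
          value: 100
    route:
    - destination:
        host: ratings
  - fault:                     # crash failure: HTTP 500 on 10% of other requests
      abort:
        httpStatus: 500
        percentage:
          value: 10
    timeout: 2s                # overall budget for the call (slide 51)
    retries:
      attempts: 3
      perTryTimeout: 1s
      retryOn: 5xx             # retry the injected 500s; attempts stay bounded
    route:
    - destination:
        host: ratings
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ratings
spec:
  host: ratings
  trafficPolicy:
    connectionPool:            # limits on concurrent connections and requests
      tcp:
        maxConnections: 1
      http:
        http1MaxPendingRequests: 1
    outlierDetection:          # circuit breaker (passive health check)
      consecutiveErrors: 1
      interval: 1s
      baseEjectionTime: 3m
```

Watch the ratings sidecar's upstream_rq_pending_overflow and ejection counters while driving load: that is where the caps and the circuit breaker become visible before any user-facing error does.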

Slide 53

Canary rollout

Introduce a new version of a service by first testing it using a small percentage of user traffic.

Kubernetes provides features that support canary rollout:
- Uses instance scaling to manage the traffic distribution
- Only supports a simple (random percentage) canary rollout

Slide 54

Canary rollout

With Istio:
- The number of pods is orthogonal to the control of version traffic routing
- Control fine-grained traffic percentages (e.g. route 1% of traffic without requiring 100 pods)
- Control traffic using other criteria (e.g. route traffic for specific users)

Slide 55

Books (figure)

Slide 56

Links

- Microservice Architecture
  https://microservices.io/index.html
- Istio.io
  https://istio.io/
- Istio Solutions | Google Cloud
  https://cloud.google.com/istio/
- Istioサービスメッシュ入門 (Istio Service Mesh Introduction, in Japanese)
  https://www.slideshare.net/yokawasa/istio-114360124

Slide 57

Links

- Installing Istio on GKE
  https://cloud.google.com/istio/docs/istio-on-gke/installing
- Install Istio on the Google Kubernetes Engine
  https://istio.io/docs/setup/kubernetes/install/platform/gke/
- Bookinfo Application
  https://istio.io/docs/examples/bookinfo/

Slide 58

Thank You!