Slide 1

Slide 1 text

Prepared by: Christopher M Luciano Getting a Handle on your Services with Istio

Slide 2

Slide 2 text

Agenda
• Common Production Issues
• Basics of Istio
• Key Istio features & demos

Slide 3

Slide 3 text

bash whoami
• Software Developer @IBM
• Envoy
• Istio
• Kubernetes
• Contact
• Github: github.com/cmluciano
• Slack: cmluciano
• Speakerdeck: speakerdeck.com/cmluciano
• Twitter: @cmluciano_

Slide 4

Slide 4 text

Building an Application My Special Application Users Developers

Slide 5

Slide 5 text

Is It Working Production Graphs
[Figure: charts labelled "Oh, It's Working", "It's Not Working" and "Graph That Helped One Time"; axes: Time, % Working]

Slide 6

Slide 6 text

Failure Recovery

Runbook 32C
1. Run check_metric.sh
2. See if check_metric.sh returns anything
3. Restart server

Runbook 15R
1. If it is Wednesday and snowing, return to Runbook 16 step 1

Slide 7

Slide 7 text

Single Application Nirvana Hand Crafted in Madagascar Organic Apple Juice Great Success!!!

Slide 8

Slide 8 text

Microservices – Breaking up the Monolith
§ More traffic
§ More power
[Diagram: My Special Application split into six boxes labelled Service]

Slide 9

Slide 9 text

Even more "Is It Working Production Graphs"
[Figure: charts labelled "Oh, It's Working", "It's Not Working" and "Graph That Helped One Time"; axes: Time, % Working]

Slide 10

Slide 10 text

Speech Feature Rollout
https://blogs.unity3d.com/2018/02/20/bringing-the-power-of-ai-to-developers-with-the-ibm-watson-unity-sdk/

Slide 11

Slide 11 text

Speech Feature Rollout
https://assetstore.unity.com/packages/tools/ai/ibm-watson-unity-sdk-108831

Slide 12

Slide 12 text

Speech Feature Rollout

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

A Quick Reminder...
§ Pods are groups of containers that share resources & lifecycle
§ Typically, one user-defined container per Pod
[Diagram: Pod, Container, Service, Container]

Slide 15

Slide 15 text

Istio Components

Slide 16

Slide 16 text

Sidecar?
§ A secondary container in a Pod
§ Intercepts & manages network traffic
§ Security/Identity
§ Pluggability
§ Shared library for teams
§ Language Agnostic

Slide 17

Slide 17 text

Pilot Pod Service 1 Pod Service 2 Envoy Envoy

Slide 18

Slide 18 text

Pilot Pod Service 1 Pod Service 2 Envoy Envoy Mixer

Slide 19

Slide 19 text

Istio Metrics

Slide 20

Slide 20 text

Security Service 2 Service 1

Slide 21

Slide 21 text

Istio & Spiffe
[Diagram: Service 1, Service 2, Istio Certificate Authority; arrows labelled "Issue & Mount Keys"]
SAN: "spiffe://myorg.com/ns/prod/sa/foo"
- Namespace: prod
- Service account: foo
SAN: "spiffe://myorg.com/ns/prod/sa/bar"
- Namespace: prod
- Service account: bar

Slide 22

Slide 22 text

Istio & Spiffe
[Diagram: Service 1, Service 2, Istio Certificate Authority; label: "Mutual TLS & Secure Naming"]
SAN: "spiffe://myorg.com/ns/prod/sa/foo"
- Namespace: prod
- Service account: foo
SAN: "spiffe://myorg.com/ns/prod/sa/bar"
- Namespace: prod
- Service account: bar
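
Added example, not part of the original slides: a sketch of the check behind "Mutual TLS & Secure Naming", parsing the SAN format shown above and rejecting a peer whose certificate is valid but belongs to a different service. The names service-1 and service-2, the service-to-account mapping, and all type and function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Identity is what an Istio SPIFFE URI SAN encodes.
type Identity struct{ TrustDomain, Namespace, ServiceAccount string }

// ParseSpiffeID accepts only spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>.
func ParseSpiffeID(san string) (Identity, error) {
	u, err := url.Parse(san)
	if err != nil || u.Scheme != "spiffe" || u.Host == "" || u.Port() != "" || strings.ContainsAny(san, "?#@") {
		return Identity{}, fmt.Errorf("not a SPIFFE ID: %q", san)
	}
	p := strings.Split(strings.TrimPrefix(u.Path, "/"), "/")
	if len(p) != 4 || p[0] != "ns" || p[1] == "" || p[2] != "sa" || p[3] == "" {
		return Identity{}, fmt.Errorf("path is not /ns/<namespace>/sa/<service-account>: %q", san)
	}
	return Identity{u.Host, p[1], p[3]}, nil
}

// SecureNaming maps a service name to the identities allowed to serve it.
type SecureNaming map[string][]Identity

// Authorize is the caller-side check after the TLS handshake: one URI SAN of the
// peer certificate (Certificate.URIs in crypto/x509) must be allowed for the service.
func (m SecureNaming) Authorize(service string, uriSANs []string) error {
	for _, san := range uriSANs {
		id, err := ParseSpiffeID(san)
		for _, allowed := range m[service] {
			if err == nil && id == allowed { // malformed SANs never grant access
				return nil
			}
		}
	}
	return fmt.Errorf("peer is not authorised to serve %q", service)
}

// Constructed mapping: which service account backs which service is an assumption.
var naming = SecureNaming{
	"service-1": {{"myorg.com", "prod", "foo"}},
	"service-2": {{"myorg.com", "prod", "bar"}},
}

func main() {
	peer := []string{"spiffe://myorg.com/ns/prod/sa/foo"} // valid mesh certificate
	fmt.Println(naming.Authorize("service-1", peer), "|", naming.Authorize("service-2", peer))
}
```

The second call fails even though the certificate chains to the mesh CA, which is the point of secure naming: a valid identity is only accepted for the services it is mapped to.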

Slide 23

Slide 23 text

Istio Control Plane Putting it all together Istio Certificate Authority Pilot Mixer Service 1 Service 2 Envoy Envoy

Slide 24

Slide 24 text

Istio Key Features
§ Automatic Protocol Metrics Collection & Tracing
§ Mutual TLS Authentication
§ Circuit Breaking
§ Failure Injection
§ Traffic Splitting

Slide 25

Slide 25 text

RouteRules for Traffic Management

apiVersion: config.istio.io/v1alpha2
kind: RouteRule
metadata:
  name: reviews-v2-launch
  namespace: default
spec:
  destination:
    name: reviews
  route:
  - labels:
      version: v2
    weight: 25
  - labels:
      version: v1
    weight: 75
---
apiVersion: config.istio.io/v1alpha2
kind: RouteRule
metadata:
  name: reviews-ios
spec:
  destination:
    name: reviews-ios
  match:
    request:
      headers:
        user-agent:
          regex: (iPod|iPhone|iPad)
  precedence: 2
  route:
  - labels:
      platform: ios
---
apiVersion: config.istio.io/v1alpha2
kind: RouteRule
metadata:
  name: reviews-android
spec:
  destination:
    name: reviews-android
  match:
    request:
      headers:
        user-agent:
          regex: (Android)
  precedence: 2
  route:
  - labels:
      platform: android

Slide 26

Slide 26 text

Demo: Dynamic Header Routing

Slide 27

Slide 27 text

Circuit breaking

apiVersion: config.istio.io/v1alpha2
kind: DestinationPolicy
metadata:
  name: httpbin-circuit-breaker
spec:
  destination:
    name: httpbin
    labels:
      version: v1
  circuitBreaker:
  - simpleCb:
      # Maximum number of connections to the destination backend
      maxConnections: 1
      # Maximum number of pending requests to the destination backend
      httpMaxPendingRequests: 1
      # Minimum time the circuit stays open
      sleepWindow: 3m
      # Time between ejection sweep analyses
      httpDetectionInterval: 1s
      # Maximum percentage of hosts to eject if the circuit is triggered
      httpMaxEjectionPercent: 100
      # Number of 5XX codes before the circuit is opened
      httpConsecutiveErrors: 1
      # Maximum number of requests per connection to a backend
      httpMaxRequestsPerConnection: 1

Slide 28

Slide 28 text

Demo Circuit-Breaking

Slide 29

Slide 29 text

Fault injection

apiVersion: config.istio.io/v1alpha2
kind: RouteRule
metadata:
  name: ratings-default
spec:
  destination:
    name: ratings
  route:
  - labels:
      version: v1
  httpFault:
    delay:
      percent: 100
      fixedDelay: 2s
---
apiVersion: config.istio.io/v1alpha2
kind: RouteRule
metadata:
  name: reviews-default
spec:
  destination:
    name: reviews
  route:
  - labels:
      version: v2
  httpReqTimeout:
    simpleTimeout:
      timeout: 1s

Slide 30

Slide 30 text

Pod reviews Pod ratings Envoy Envoy 2 sec latency

Slide 31

Slide 31 text

2 second latency trace

Slide 32

Slide 32 text

2 second latency with 1 sec timeout

Slide 33

Slide 33 text

Demo: Failure Injection

Slide 34

Slide 34 text

FIN: Questions
• Contact
• Github: github.com/cmluciano
• Slack: cmluciano
• Speakerdeck: speakerdeck.com/cmluciano
• Twitter: @cmluciano_