Slide 1

Service Mush: Debugging Istio Deployments
Sandeep Parikh, Google Cloud

Slide 2

Hi, I’m Sandeep. I write code and best practices, and work with technical practitioners (ops, devops, secops) to build and operate cloud native infrastructure. Find me @crcsmnky on Twitter and GitHub.

Slide 3

No content

Slide 4

Microservices introduce... challenges

Slide 5

Challenges
● More services to keep track of
● Network congestion
● Service reliability
● Inter- and intra-service security
● Aggregating metrics and logs

Slide 6

Istio

Slide 7

How does Istio help?
● Secure access and communications between some or all services
● Examine everything happening with your services with little to no instrumentation
● Manage the flow of traffic into, out of, and within your complex deployments

Slide 8

Great! But...

Slide 9

Istio is not without complexity
● Multiple control plane components → each generates lots of logs
● Large config model, multiple Istio APIs → steep learning curve
● Istio policies are highly customizable → many paths to a failing state
● Istio sits on top of Kubernetes → which is itself complicated

Slide 10

And Istio is still growing and evolving
● Shipping version 1.2
● Documentation is growing in size / reorganizing
● Tools ecosystem is growing but small (lots of CLI basics like curl and jq)
(Diagram: a Gateway in front of four Services)

Slide 11

What we’ll cover: how to diagnose and fix Istio configuration problems
Let’s walk through
● Traffic not routing correctly
● Missing telemetry data
● Authentication issues
Goal: share an Istio debugging toolbox with you, through demos.

Slide 12

Unified traffic management

Slide 13

Centralized policy checks + telemetry

Slide 14

Automated Service Identity

Slide 15

Debugging traffic routing

Slide 16

Recap: how Istio Pilot works
● Observes the service topology
● Converts Istio API resources into Envoy config
● Pushes Envoy config to the sidecar proxies
(Diagram: Pilot pushing config to the proxies of Service A and Service B)

Slide 17

Recap: Istio traffic API
North-South controls like Gateway and ServiceEntry affect inter-cluster traffic, inbound and outbound, respectively.
East-West controls like VirtualService and DestinationRule affect intra-cluster traffic, inbound and outbound, respectively.
(Diagram: VirtualService, DestinationRule, Gateway, ServiceEntry)

Slide 18

Our demo app
(Diagram: weather frontend → weather backend v1 / weather backend v2)

Slide 19

No content

Slide 20

Demo: VirtualService woes
Want this: weather frontend → weather backend v1 (90%) / weather backend v2 (10%)
But seeing this: weather frontend → weather backend v1 (50%) / weather backend v2 (50%)

Slide 21

Demo: what’s deployed?
(Diagram: Weather API → ingressgateway → weather frontend → weather backend v1 (90%) / weather backend v2 (10%))
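A quick way to reason about the 90/10 versus 50/50 symptom is to check the VirtualService against the DestinationRule and the pods it should reach. The script below is an added example and not part of the talk or its demo repository; it works on the parsed dict form of the resources (what `kubectl get ... -o json` returns), and the VirtualService, DestinationRule and pod objects in it are constructed to mirror the weather-backend demo app rather than copied from the slides. It flags weights that do not total 100, subsets that no DestinationRule defines, and subsets whose labels select no pods, and it shows why an un-applied VirtualService yields an even split: the plain Kubernetes Service then load-balances across all pods.

```python
"""Check a weighted VirtualService against its DestinationRule and pods.
Added example, not from the talk. All resources below are constructed."""
import copy
from collections import Counter

# Constructed: VirtualService that should split 90/10 between subsets v1 and v2.
VIRTUAL_SERVICE = {
    "kind": "VirtualService",
    "metadata": {"name": "weather-backend", "namespace": "default"},
    "spec": {
        "hosts": ["weather-backend"],
        "http": [{"route": [
            {"destination": {"host": "weather-backend", "subset": "v1"}, "weight": 90},
            {"destination": {"host": "weather-backend", "subset": "v2"}, "weight": 10},
        ]}],
    },
}

# Constructed: the same rule with a typo in the second subset name.
MISTYPED_VIRTUAL_SERVICE = copy.deepcopy(VIRTUAL_SERVICE)
MISTYPED_VIRTUAL_SERVICE["spec"]["http"][0]["route"][1]["destination"]["subset"] = "v-2"

# Constructed: DestinationRule that defines the subsets by pod label.
DESTINATION_RULE = {
    "kind": "DestinationRule",
    "metadata": {"name": "weather-backend", "namespace": "default"},
    "spec": {
        "host": "weather-backend",
        "subsets": [
            {"name": "v1", "labels": {"version": "v1"}},
            {"name": "v2", "labels": {"version": "v2"}},
        ],
    },
}

# Constructed: one pod per backend version, both selected by the Service.
PODS = [
    {"metadata": {"name": "weather-backend-v1-0", "labels": {"app": "weather-backend", "version": "v1"}}},
    {"metadata": {"name": "weather-backend-v2-0", "labels": {"app": "weather-backend", "version": "v2"}}},
]


def subset_labels(dr):
    """Map subset name -> label selector from a DestinationRule."""
    return {s["name"]: s.get("labels", {}) for s in dr["spec"].get("subsets", [])}


def pods_matching(labels, pods):
    """Pods whose labels contain every key/value of the selector."""
    return [p for p in pods
            if all(p["metadata"].get("labels", {}).get(k) == v for k, v in labels.items())]


def check_virtual_service(vs, dr, pods):
    """Return a list of problems; an empty list means the routes look sound."""
    problems = []
    subsets = subset_labels(dr)
    for rule in vs["spec"].get("http", []):
        routes = rule.get("route", [])
        # A lone route with no weight counts as 100; otherwise weights must total 100.
        total = sum(r.get("weight", 100 if len(routes) == 1 else 0) for r in routes)
        if total != 100:
            problems.append(f"route weights sum to {total}, not 100")
        for r in routes:
            dest = r["destination"]
            if dest["host"] != dr["spec"]["host"]:
                problems.append(f"destination host {dest['host']!r} has no matching DestinationRule")
                continue
            subset = dest.get("subset")
            if subset is None:
                continue
            if subset not in subsets:
                problems.append(f"subset {subset!r} is not defined in DestinationRule {dr['metadata']['name']!r}")
            elif not pods_matching(subsets[subset], pods):
                problems.append(f"subset {subset!r} selector {subsets[subset]} matches no pods")
    return problems


def expected_split(vs, dr, pods, vs_applied=True):
    """Percent of requests each version should receive.

    With the VirtualService in effect, Envoy honours the weights. If it is not
    (never applied, wrong host, wrong namespace), the Kubernetes Service spreads
    requests evenly over its pods: 50/50 with one pod per version."""
    if not vs_applied:
        per_version = Counter(p["metadata"]["labels"].get("version") for p in pods)
        return {v: 100 * n / len(pods) for v, n in per_version.items()}
    subsets = subset_labels(dr)
    split = Counter()
    for rule in vs["spec"]["http"]:
        for r in rule["route"]:
            split[subsets[r["destination"]["subset"]]["version"]] += r["weight"]
    return dict(split)
```

In practice you would feed `check_virtual_service` the output of `kubectl get virtualservice,destinationrule,pods -o json`; the constants here stand in for that so the script runs offline.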

Slide 22

No content

Slide 23

Missing telemetry data

Slide 24

Recap: how Mixer works
Mixer has an open API and a pluggable architecture: send telemetry, logs and traces to your system of choice.
Challenge: many ways to fail
(Diagram: frontend proxy → Mixer → Mixer Adapters, Open Policy Agent)

Slide 25

Missing metrics
Standard Istio metrics are showing up in Prometheus (e.g. server request count). Custom workload metrics don’t appear. Why not?
(Diagram: weather frontend, weather backend v1, weather backend v2)

Slide 26

Annotations!
In order for Prometheus to gather your custom metrics, you must supply annotations in your deployment’s spec.template.metadata that tell it where to grab them from.

    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "5000"
      prometheus.io/path: "/metrics"
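The usual mistakes are putting the annotations on the Deployment's own metadata (Prometheus discovers pods, and pods only inherit what is under spec.template.metadata), leaving the values unquoted so the API server rejects them, or pointing at a port the container does not listen on. The lint below is an added example, not code from the talk; the Deployment object is a constructed stand-in for the weather-backend workload with the annotations in the wrong place, and the checker returns what is wrong and a corrected copy.

```python
"""Lint a Deployment for the Prometheus scrape annotations.
Added example, not from the talk; the Deployment is constructed."""
import copy

REQUIRED = ("prometheus.io/scrape", "prometheus.io/port", "prometheus.io/path")

# Constructed: annotations on the Deployment metadata, where pod discovery never looks.
MISPLACED_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {
        "name": "weather-backend-v1",
        "annotations": {"prometheus.io/scrape": "true",
                        "prometheus.io/port": "5000",
                        "prometheus.io/path": "/metrics"},
    },
    "spec": {"template": {
        "metadata": {"labels": {"app": "weather-backend", "version": "v1"}},
        "spec": {"containers": [{"name": "backend", "ports": [{"containerPort": 5000}]}]},
    }},
}


def move_annotations_to_template(dep):
    """Return a copy with the prometheus.io/* annotations moved onto the pod template."""
    fixed = copy.deepcopy(dep)
    top = fixed["metadata"].get("annotations", {})
    tmpl_ann = fixed["spec"]["template"].setdefault("metadata", {}).setdefault("annotations", {})
    for key in REQUIRED:
        if key in top:
            tmpl_ann[key] = top.pop(key)
    return fixed


def check_scrape_annotations(dep):
    """Return a list of problems; empty means Prometheus should scrape these pods."""
    problems = []
    tmpl = dep["spec"]["template"]
    ann = tmpl.get("metadata", {}).get("annotations", {})
    missing = [k for k in REQUIRED if k not in ann]
    if missing:
        top = dep["metadata"].get("annotations", {})
        if all(k in top for k in missing):
            problems.append("annotations are on the Deployment metadata, not spec.template.metadata")
        else:
            problems.append("missing pod annotations: " + ", ".join(missing))
        return problems
    # Annotation values must be strings: an unquoted true or 5000 in YAML is rejected.
    for k in REQUIRED:
        if not isinstance(ann[k], str):
            problems.append(f"{k} must be a quoted string, got {type(ann[k]).__name__}")
    if ann["prometheus.io/scrape"] != "true":
        problems.append('prometheus.io/scrape is not "true"')
    port = ann["prometheus.io/port"]
    if not (isinstance(port, str) and port.isdigit()):
        problems.append("prometheus.io/port must be a quoted integer")
    else:
        declared = {p.get("containerPort") for c in tmpl["spec"].get("containers", [])
                    for p in c.get("ports", [])}
        if int(port) not in declared:
            problems.append(f"port {port} is not declared as a containerPort; check the app listens there")
    path = ann["prometheus.io/path"]
    if not (isinstance(path, str) and path.startswith("/")):
        problems.append("prometheus.io/path must be an absolute path")
    return problems
```

The containerPort check is advisory: Prometheus will scrape whatever port the annotation names, but a port nobody declared is usually a sign the metrics endpoint was never wired up.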

Slide 27

What about other Mixer issues?
Troubleshooting
● Confirming Mixer report calls
● Identifying Mixer configuration problems
● Examining Mixer logs
● Reviewing handler and metrics configurations
● Check out Missing Metrics on istio.io
Because Mixer components are tightly coupled, you may have to re-apply the configuration:

    curl -L https://git.io/getLatestIstio | sh -
    # Render the chart with Mixer enabled and disabled (the loop variable is $flag throughout)
    for flag in true false; do
      helm template --set mixer.enabled=$flag --namespace istio-system install/kubernetes/helm/istio > mixer-$flag.yaml
    done
    diff --line-format=%L mixer-true.yaml mixer-false.yaml > mixer-config.yaml
    kubectl apply -f mixer-config.yaml

Slide 28

Debugging security

Slide 29

Istio mTLS authentication
(Diagram: Service A ↔ Service B: TLS handshake → secure naming check → connection established)

Slide 30

Istio mTLS architecture
Citadel creates certs/keys for service accounts

Slide 31

Istio mTLS architecture
New pods of Service A get a cert / key from Citadel

Slide 32

Istio mTLS architecture
User enforces mTLS for Service A with a Policy

Slide 33

Istio mTLS architecture
Pilot sends the mTLS Policy to the sidecar proxy

Slide 34

Demo: enforce mTLS for weather-backend

    apiVersion: ...
    kind: "Policy"
    metadata:
      name: "weather-backend-mtls"
    spec:
      targets:
      - name: weather-backend
      peers:
      - mtls: {}

    apiVersion: ...
    kind: DestinationRule
    metadata:
      name: "dr-weather-backend"
    spec:
      host: "weather-backend.default"
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL

Slide 35

Demo: enforce mTLS for weather-backend
Want this: weather frontend → weather backend: 200
But seeing this: weather frontend → weather backend: 503

Slide 36

No content

Slide 37

DestinationRule Conflicts

Rule 1 (Ok):

    apiVersion: ...
    kind: DestinationRule
    metadata:
      name: "weather-backend"
    spec:
      host: "weather-backend.default"
      trafficPolicy:
        tls:
          mode: DISABLE
      subsets:
      - name: single
        labels:
          version: single
      - name: multiple
        labels:
          version: multiple

Rule 2, same host (Conflict):

    apiVersion: ...
    kind: DestinationRule
    metadata:
      name: "dr-weather-backend"
    spec:
      host: "weather-backend.default"
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL

Rule 3 (Ok):

    apiVersion: ...
    kind: DestinationRule
    metadata:
      name: "weather-backend"
    spec:
      host: "weather-backend.default"
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL
      subsets:
      - name: single
        labels:
          version: single
      - name: multiple
        labels:
          version: multiple
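The 503 from slide 35 and the conflict on this slide are the same problem seen from two sides: the server's Policy (peers: mtls: {}, which enforces mTLS) expects a TLS client, while the rule the client sidecar actually got told it to send plaintext (mode DISABLE). The script below is an added example, not code from the talk or its repository. It rebuilds the three DestinationRules from this slide as dicts, reports hosts with more than one rule together with each rule's TLS mode, and checks subset by subset whether the client-side mode matches what the Policy requires. One assumption is labelled in the code: when several rules exist for a host, the model takes the first one in the list as the one in effect, since Pilot does not merge them and which one wins is not something to rely on.

```python
"""Detect DestinationRule conflicts and client/server TLS mismatches.
Added example, not from the talk; rules mirror the slide's YAML."""
from collections import defaultdict


def destination_rule(name, mode, subsets=()):
    """Build a DestinationRule dict in the shape of the slide's YAML (apiVersion elided there too)."""
    spec = {"host": "weather-backend.default", "trafficPolicy": {"tls": {"mode": mode}}}
    if subsets:
        spec["subsets"] = [{"name": s, "labels": {"version": s}} for s in subsets]
    return {"kind": "DestinationRule", "metadata": {"name": name, "namespace": "default"}, "spec": spec}


# The three rules from the slide: Ok on its own, Conflict, and the fixed Ok.
RULE_DISABLE = destination_rule("weather-backend", "DISABLE", ("single", "multiple"))
RULE_MUTUAL = destination_rule("dr-weather-backend", "ISTIO_MUTUAL")
RULE_FIXED = destination_rule("weather-backend", "ISTIO_MUTUAL", ("single", "multiple"))


def tls_modes(rule):
    """Yield (subset_name or None, mode): the host-level mode, then each subset,
    with a subset-level trafficPolicy overriding the host-level one."""
    host_mode = rule["spec"].get("trafficPolicy", {}).get("tls", {}).get("mode")
    yield None, host_mode
    for s in rule["spec"].get("subsets", []):
        sub_mode = s.get("trafficPolicy", {}).get("tls", {}).get("mode")
        yield s["name"], sub_mode if sub_mode is not None else host_mode


def find_conflicts(rules):
    """Return {host: {rule name: host-level TLS mode}} for hosts with more than one rule."""
    by_host = defaultdict(dict)
    for r in rules:
        by_host[r["spec"]["host"]][r["metadata"]["name"]] = next(tls_modes(r))[1]
    return {h: modes for h, modes in by_host.items() if len(modes) > 1}


def client_matches_policy(rules, host, policy_requires_mtls):
    """For the host and each of its subsets, does the client-side TLS mode match
    the server's Policy? A Policy with `peers: - mtls: {}` requires ISTIO_MUTUAL;
    no mTLS Policy means the client must send plaintext (DISABLE).
    Assumption: the first rule listed for the host is the one Pilot applies."""
    chosen = next(r for r in rules if r["spec"]["host"] == host)
    wanted = "ISTIO_MUTUAL" if policy_requires_mtls else "DISABLE"
    return {subset or "(host)": mode == wanted for subset, mode in tls_modes(chosen)}


def will_get_503(rules, host, policy_requires_mtls):
    """Subsets whose client/server TLS settings disagree, i.e. where the
    handshake on slide 29 never completes and the caller sees a 503."""
    return sorted(s for s, ok in client_matches_policy(rules, host, policy_requires_mtls).items() if not ok)
```

Run it against `kubectl get destinationrule --all-namespaces -o json` (the `items` list) to see every host that has more than one rule; any such host needs the rules collapsed into one, as Rule 3 on the slide does.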

Slide 38

Whew! We made it...

Slide 39

What we covered
● How to determine if a VirtualService is working
● How to use istioctl
● How to parse Envoy logs
● How to diagnose Mixer rules and metrics
● How to diagnose Istio mTLS Policies

Slide 40

Istio debugging toolbox

    istioctl      Envoy status, TLS checks
    kubectl exec  Mounted certs, Envoy debug logs
    stern         Readability for k8s logs
    jq            Read and filter JSON output
    sleep         Pod for debugging east-west traffic
    curl          Testing with HTTP requests

And don’t forget the Istio docs!

Slide 41

Thank You
Questions, comments? @crcsmnky
github.com/crcsmnky/service-mush