Slide 1

Slide 1 text

1 Service mesh L E T ' S U N D E R S T A N D I T

Slide 2

Slide 2 text

Which is better for Stack.io clients and projects? ISTIO or Linkerd?

Slide 3

Slide 3 text

3 Flato Presentation Service Mesh Let's understand it Guto Carvalho Cloud Engineer When to use it? Service Mesh Projects Istio Linkerd Comparing When not use it Final notes Service mesh

Slide 4

Slide 4 text

Introduction Service Mesh

Slide 5

Slide 5 text

Service Mesh What is it? 5 Service mesh introduction You have probably heard about it, and usually in the same sentence that someone mentions "service mesh" there is typically the word "Istio" or "Linkerd", both prevalent implementations of this network abstraction layer. 
 
 Service Mesh is an infrastructure layer created to control and handle all service-to- service communication needs in a micro services architecture. It controls the fl ow of the requests to the services, acts as a load balancer, encrypts data, discovers services, and aggregates them to your load balancer. Although you can determine the communication logic of your micro service in your code, the service mesh acts as an abstraction of this logic in a parallel infrastructure layer dedicated to it. The way it works is quite simple, and it uses just a proxy sidecar in each service pod to control it and provide information for your cluster. The sidecar proxy provides data and allows the exchange of information between services, with that you can focus on your business logic and leave the communication policies and routes to the service mesh controller.

Slide 6

Slide 6 text

Bene fi ts 6 Service mesh introduction Observability Typically teams use di ff erent methods and technologies to maintain tra ff i c visibility, logs, metrics, tracing, and security controls. The service mesh already brings all this in a centralized and organized way. Resilience Service mesh o ff ers mechanisms like Circuit Breaker, Latency-aware Load Balancing, a very consistent, enhanced, and robust service discovery. It allows you to con fi gure settings like retries, timeout, and deadlines in these services. Tra ffi c Control We can work with a very granular network tra ff i c control which permits an accurate and objective way to determine where the requests will be routed. Security Most service meshes o ff er a CA mechanism that dynamically generates certi fi cates for each service, ensuring s e c u r e s e r v i c e - t o - s e r v i c e communication. Delay & Fault Injection Most service meshes o ff er a way to con fi gure latency and failures to simulate what would happen in the real world. That way, you can analyze the behavior of your services in the case of a similar scenario. Less code for devs The features o ff ered by service mesh will reduce the amount of code that your dev team must write for your app. Many of your requirements for app controls and policies are already available in the service mesh features. Service Mesh

Slide 7

Slide 7 text

When to use it Service Mesh

Slide 8

Slide 8 text

Service Mesh When I need to use it? 8 Many Micro services If you have a large scale application composed of micro services Visibility + Tracing + Metrics If you need to answer quickly and proactively regarding changes in customers behavior Deploy Strategies When you need controlled deployment methods like Canary and Blue/Green without the complexity of build that on top of k8s Security If you need or want to secure the communication between your services.

Slide 9

Slide 9 text

Service Mesh When I need to use it? 9 Developer Focus If you want Developers getting to focus on what they do best, business code

Slide 10

Slide 10 text

Service Mesh When I need to use it? 10 Performance & Routing Suppose that you have an application that meets a huge demand, and this application is composed of several micro services communicating with each other. In these case, the communication fl ow can become a challenge since the requests between services can grow exponentially. 
 
 You will probably need a sophisticated and intelligent routing strategy to keep the communication fl owing correctly and especially to maintain performance within the expected standards, avoiding degrading the communication between your services.

Slide 11

Slide 11 text

General information Projects

Slide 12

Slide 12 text

Istio is an open-source service mesh implementation created by Google and IBM in partnership with Envoy Lyft team. Istio uses Envoy as a core component for your proxy sidecar strategy. 
 
 Envoy is a distributed service proxy explicitly designed to work with micro services and mesh architectures. Istio General Information 12 About GitHub Starts 28.700+ GitHub Contributors 700+ License Apache 2.0 Version 1.9.x since jan/2019

Slide 13

Slide 13 text

Linkerd is a service mesh for Kubernetes. It makes running services easier and safer by giving you runtime debugging, observability, reliability, and security—all without requiring any changes to your code. 
 
 Linkerd is fully open source, licensed under Apache v2, and is a Cloud Native Computing Foundation graduated project. Linkerd is developed in the open in the Linkerd GitHub organization. Linkerd General Information 13 GitHub Starts 7000+ GitHub Contributors 200+ License Apache 2.0 Version 2.1.x About since fev/2016

Slide 14

Slide 14 text

Project details and analyses ISTIO

Slide 15

Slide 15 text

Istio 15 Kubernetes How to install it ? - istioctl 
 - istio operator 
 - helm packages Not at the moment Some, not well maintained What is required to bring Istio to clients? Have an o ffi cial terraform module? Have a community terraform module? We just need an operational k8s cluster

Slide 16

Slide 16 text

Istio 16 Cert-manager Integrations and features that is interesting to test and use Istio can use cert-manager to create mTLS certs ArgoCD Deploy strategies made easy like Canary and Blue/Green using Istio Tra ff i c Split features alongside ArgoCD Keptn Quality gateway to delivery APPs based on SLOs and rollback an app if a SLO rule is o ff ended Chaos Engineering We can test the resilience of our clusters with "service outage" simulations, chaosengineering-kit has a plugin for istio

Slide 17

Slide 17 text

Project details and analyses Linkerd

Slide 18

Slide 18 text

Linkerd What is required to bring linkerd to clients? 18 Kubernetes How to install it ? - linkerd binary 
 - helm packages 
 - operator? no! Have an o ffi cial terraform module? We just need an operational k8s cluster Have a community terraform module? Not at the moment Some, not well maintained

Slide 19

Slide 19 text

Project details and analyses Comparing

Slide 20

Slide 20 text

ISTIO vs Linkerd Details 20 Dashboard Linkerd Istio Native web dashboard Yes No Saas dasboard Yes No Other No Yes Communication Security Linkerd Istio Authorization Yes Yes Autentication Yes Yes mTLS Yes Yes Certi fi cate Management Yes Yes Kiali

Slide 21

Slide 21 text

ISTIO vs Linkerd Details 21 Communication Protocols Linkerd Istio TCP Proxy Yes Yes HTTPv1 Proxy Yes Yes HTTPv2 Proxy Yes Yes gRPC Proxy Yes Yes

Slide 22

Slide 22 text

ISTIO vs Linkerd Details 22 Monitoring & Tests Linkerd Istio Metrics Yes Yes Health Checks Yes Yes Prometheus Integration Yes Yes Grafana Integration Yes Yes Distribuited Tracing Yes Yes Chaos Monkey Test Ready No Yes

Slide 23

Slide 23 text

ISTIO vs Linkerd Details 23 Other Monitorings Linkerd Istio Service Graphs Yes Yes S2S Latency Yes Yes Reponse Codes Yes Yes Jaeger Integration Yes Yes

Slide 24

Slide 24 text

ISTIO vs Linkerd Details 24 Tra ffi c Management Linkerd Istio Load Balancing Yes Yes Green/Blue Deployment Yes Yes Canary Deployment Yes Yes Circuit Breaker Yes Yes Faulty Injection Yes Yes Dark Launch No Yes Rate Limit Yes Yes Retries Yes Yes Timeouts Yes Yes

Slide 25

Slide 25 text

ISTIO vs Linkerd Details 25 Installation Methods Linkerd Istio Binary Yes Yes Helm Yes Yes Operator No Yes Complexity Low Regular

Slide 26

Slide 26 text

ISTIO vs Linkerd Details 26 Performance & Security Linkerd Istio Latency Low Regular Use of cluster resources Low High Security Good Good Sometimes Istio Proxy can consume more resources than the pod app itself, fact. Is it a problem? 
 
 It depends. Istio can o ff er essential information or at least provide more availability for your service. If resources or cost is not a problem at all, then it's no problem. It's just a condition to run it. If cloud cost is an important variable, you should go with Linkerd, it's cheaper in terms of cloud costs.

Slide 27

Slide 27 text

ISTIO vs Linkerd Details 27 More Linkerd Istio Can use any ingress? Yes No O ff er its own ingress? No Yes Single point of failure No No HA Yes Yes CNI Plugin Option Yes Yes CLI Yes Yes

Slide 28

Slide 28 text

ISTIO vs Linkerd Details 28 Information Linkerd Istio License Apache v2 Apache v2 Core Language rust/go go GitHub Stars 7k+ 28k+ GitHub Contributors 200 700 GitHub First Release fev/16 jan/19 GitHub Latest Release 2.11.1 1.11.4 GitHub Releases 284 221 CVE Records 2021 0 6 Learning curve Low High Operation complexity Low regular > high Istio has more CVE records in 2021, and it also has more users and production cases. It's normal to fi nd issues when you have a large user base. Both are very secure projects.

Slide 29

Slide 29 text

When not to use it Service Mesh

Slide 30

Slide 30 text

Service Mesh When not to use it 30 > When you don't know what it is > When you don't know how it'll help your operation > When you don't know how it'll help your app performance 
 
 > When you don't know how it'll help your app availability > When you don't know how it'll improve your business strategy > When the default k8s service discovery is enough for your needs 
 
 > When the default k8s rollout is enough for your needs > When you don't have a large number of micro services to manage 
 
 > When you don't have any micro services at all > When you don't have a massive tra ff i c fl ow for your services > When you don't need to secure the communication between your services

Slide 31

Slide 31 text

Service Mesh Final notes

Slide 32

Slide 32 text

Service Mesh Drawbacks 32 For the client that want mesh > Can be costly depending of the technology 
 > Can be complex to the client understand how it works and to see the bene fi ts For our operation and team > It's simple to install, but complex to customize > The learning curve can be challenging 
 > It's more complex to fi nd and fi x problems 
 > It may change the way we deploy apps, requiring pipelines adjustments 
 > It's one more system to deal, operate, update and also one more to fail 
 The main projects related to service MESH are constantly evolving. A ton of new features are being created, tested, and delivered on each version. We're going to sail over these releases with a lot of new things to consider and try. Updates can be challenging as technology evolves. It's still evolving

Slide 33

Slide 33 text

Service Mesh Drawbacks 33 Tests executed with Linkerd > Binary installation and test 
 > Dashboard installation and test 
 > Mesh injection on a service (emojivoto app) 
 > Fail injection test (book app) 
 > Retries con fi guration using service pro fi les 
 > Timeout con fi guration using service pro fi les Notes We have followed the Linkerd documentation to install, test, and try some features. Everything works as expected without any problems. The retries and timeout tests needed a swagger pro fi le for the APP, this can be tricky if the client doesn't have it ready for use. 
 
 Another important information is that Linkerd can use any ingress, helping to minimise changes in your cluster and deployments con fi gurations.

Slide 34

Slide 34 text

Final notes Service Mesh R&D 34 In my opinion, if the business requirements for a service mesh matches with Linkerd features, we should use it. It's simpler, lighter, faster and also it's very secure. 
 
 In terms of cost, can be cheaper if we're looking to reduce the client cloud bills. 
 If the costs is not an essential variable, and if the complexity is well considered and accepted by the client, Istio can be a great solution for the project because of the integrations and extra features. 
 
 We need to consider that Istio is very popular and our clients will probably ask for it, we have to be ready to install it and maintain it. 
 Consul is also another widespread service mesh implementation that we should consider and understand how it works at least. 
 
 In the end, our team should master Istio and Linkerd and know how to work with Consul in production.

Slide 35

Slide 35 text

[email protected] Photos: 
 Unsplash 
 Kubecon

Slide 36

Slide 36 text

Flato Add your header here 36 Add Your Sub-header Here Lorem Ipsum Flato Presentation Thank You