Istio 1.5 Updates


sakajunquality

March 12, 2020

Transcript

  1. Istio 1.5 Updates
     - Jun Sakata, Google Developers Expert (Cloud), @sakajunquality
     - 2020.03.12 #GCPUG Istio 1.5 Day
  2. Agenda: Istio 1.5 Updates!
     - Istio Releases
     - Istio 1.5 Overview
     - Istio 1.5 Features
     - Demo?
     - Tips
  3. Istio Releases Release Histories

  4. Istio Releases: quarterly releases since 1.1
     - 1.0 - July 31, 2018 - Theme: Production Use
     - 1.1 - March 19, 2019 - Theme: Enterprise Ready
     - 1.2 - June 18, 2019 - Theme: Predictable Releases
  5. Istio Releases: quarterly releases since 1.1 (continued)
     - 1.3 - September 12, 2019 - Theme: User Experience
     - 1.4 - November 14, 2019 - Theme: User Experience, Performance
     - 1.5 (New!) - March 5, 2020 - Theme: istiod, WASM
  6. 1.5 https://istio.io/news/releases/1.5.x/announcing-1.5/

  7. Istio 1.5 Overview What’s new in 1.5

  8. “The Istio project is really heading in the right direction! Improved lifecycle management, better performance, and Wasm based extensibility in Envoy -- you'll be able to write extensions in not C++. On top of all that, a single binary control plane.” - Kelsey Hightower, https://twitter.com/kelseyhightower/status/1235449975565254656
  10. Istio Roadmap 2020 https://istio.io/blog/2020/tradewinds-2020/

  11. Istio Roadmap 2020
     - Performance - Mixer functionality moves into the proxy
     - Extensibility - more capabilities in the sidecar proxies
     - Simplifying the control plane - fewer components
     - Lifecycle management - install / upgrade
     - User experience - istioctl
  12. istiod https://github.com/istio/community

  13. istiod: a single binary for the control plane

  14. How Istio works

  15. How it worked prior to 1.5

  16. How it works from 1.5

  17. Istio Architecture

  18. Resources in 1.4 (demo profile) kubectl -n istio-system get deploy,service

  19. Resources in 1.5 (demo profile) kubectl -n istio-system get deploy,service

  20. Components: ~1.4 -> 1.5
     - Pilot -> istiod
     - Sidecar injection -> istiod
     - Galley - configuration validation -> istiod; the other Galley features still remain in istio-galley
     - Citadel -> istiod
     - Mixer -> deprecated
  21. e.g. Sidecar Injection in ~1.4
     $ k get MutatingWebhookConfiguration istio-sidecar-injector -o yaml
     apiVersion: admissionregistration.k8s.io/v1beta1
     kind: MutatingWebhookConfiguration
     metadata:
       name: istio-sidecar-injector
       ...
     webhooks:
     - admissionReviewVersions: ...
       clientConfig:
         service:
           name: istio-sidecar-injector
           namespace: istio-system
           path: /inject
           port: 443
       ...
  22. e.g. Sidecar Injection in 1.5 (the webhook now points at the istiod service)
     $ k get MutatingWebhookConfiguration istio-sidecar-injector -o yaml
     apiVersion: admissionregistration.k8s.io/v1beta1
     kind: MutatingWebhookConfiguration
     metadata:
       name: istio-sidecar-injector
       ...
     webhooks:
     - admissionReviewVersions: ...
       clientConfig:
         service:
           name: istiod
           namespace: istio-system
           path: /inject
           port: 443
       ...
  23. Mixer 1.4

  24. Mixer: deprecated in 1.5, supported until 1.7
     - istio-policy - policy enforcement - disabled by default since Istio 1.3
     - istio-telemetry - telemetry reporting - disabled by default since Istio 1.5
  25. Telemetry V2: telemetry through the proxy, without Mixer
     - Telemetry is exported directly by the proxy
     - Currently compiled into the Istio proxy; planned to move onto the Wasm runtime
  26. Telemetry V2 https://istio.io/docs/reference/config/telemetry/metrics/

  27. Telemetry V2: telemetry through the proxy
     - 1.3 - experimental feature - HTTP telemetry (Alpha)
     - 1.4 - simpler installation - HTTP telemetry (Beta), TCP telemetry (Alpha)
     - 1.5 - installed by default
  28. Feature Status Alpha -> Beta -> Stable https://istio.io/about/feature-stages/

  29. WebAssembly https://istio.io/blog/2020/wasm-announce/

  30. WebAssembly (WASM)
     - Need for more extensibility
     - Extensions without WASM: Envoy -> filters written in C++; Istio -> Mixer
     - WASM: ecosystem, memory-safe and sandboxed runtime
  31. WebAssemblyHub https://www.solo.io/blog/an-extended-and-improved-webassembly-hub-to-helps-bring-the-power-of-webassembly-to-envoy-and-istio/

  32. Istio 1.5 Features

  33. Features
     - Authentication Policy
     - istioctl analyze
     - Telemetry v2
     - Operator Install
     - Auto mTLS
     - Kiali
  34. Authentication Policy: PeerAuthentication and RequestAuthentication
     - Policy and MeshPolicy are being replaced by PeerAuthentication and RequestAuthentication
     - Docs
       - 1.5: https://istio.io/docs/tasks/security/authentication/authn-policy/
       - 1.4: https://archive.istio.io/v1.4/docs/tasks/security/authentication/authn-policy/
  35. Authentication Policy e.g. global mTLS STRICT
     # 1.4
     apiVersion: "authentication.istio.io/v1alpha1"
     kind: "MeshPolicy"
     metadata:
       name: "default"
     spec:
       peers:
       - mtls: {}
     # 1.5
     apiVersion: "security.istio.io/v1beta1"
     kind: "PeerAuthentication"
     metadata:
       name: "default"
       namespace: "istio-system"
     spec:
       mtls:
         mode: STRICT
  36. istioctl analyze: more capabilities
     - Introduced in 1.4, out of experimental in 1.5
     - More analyzers: mutual TLS, JWT, ServiceAssociation, Secret, sidecar image, port name, deprecated policy
     - -L lists the available analyzers
     - -k (analyze the current cluster) is on by default
     - -A | --all-namespaces flag
     - Messages print the namespace
     - Input from stdin or from files and directories: istioctl analyze a.yaml b.yaml my-app-config/ , xxx | istioctl analyze
  37. istioctl analyze e.g. istioctl analyze -A
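The precedence behind the PeerAuthentication example on slide 35 (mesh-wide in istio-system, then namespace-wide, then a workload-specific policy with a selector, with per-port overrides on top) and the "policy deprecated" analyzer case from slide 36 are shown together in the following added example. It is illustrative Python written for this page, not code from the talk or from Istio/istioctl. It assumes istio-system is the root namespace, at most one policy per scope (Istio itself uses the oldest when several collide), and policy objects shaped like the items of `kubectl get peerauthentication -A -o json`; the sample policies, the `legacy` namespace, the `billing` app label and the function names `effective_mtls_mode` / `deprecated_policies` are all constructed for the example.

```python
"""Effective peer-mTLS mode under Istio 1.5 PeerAuthentication.

Added example, not code from the talk or from Istio. Precedence mirrors the
documented behaviour: a workload-specific policy (one with a selector) beats a
namespace-wide one, which beats the mesh-wide one in the root namespace
(assumed to be istio-system); with no policy at all the built-in default is
PERMISSIVE. A portLevelMtls entry overrides the workload policy for that port
only, and mode UNSET (or a missing mode) falls through to the next level.
Assumption: at most one policy per scope (Istio picks the oldest otherwise).
"""

ROOT_NAMESPACE = "istio-system"          # assumed mesh root namespace
DEFAULT_MODE = "PERMISSIVE"              # Istio's default when nothing matches
DEPRECATED_API = "authentication.istio.io/v1alpha1"  # 1.4 MeshPolicy / Policy


def _selector_matches(selector, labels):
    """Every matchLabels pair must be present on the workload."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())


def _mode(mtls):
    """Mode of an mtls block, or None when it is missing or UNSET."""
    mode = (mtls or {}).get("mode")
    return None if mode in (None, "UNSET") else mode


def _peer_policies(policies, namespace, with_selector):
    """PeerAuthentication objects in `namespace`, with or without a selector."""
    return [p for p in policies
            if p.get("kind") == "PeerAuthentication"
            and p["metadata"].get("namespace") == namespace
            and ("selector" in p["spec"]) == with_selector]


def effective_mtls_mode(policies, namespace, labels, port=None):
    """Return (mode, source) for a workload in `namespace` carrying `labels`."""
    # 1. workload-specific policy in the same namespace whose selector matches
    for p in _peer_policies(policies, namespace, with_selector=True):
        spec, name = p["spec"], f"{namespace}/{p['metadata']['name']}"
        if not _selector_matches(spec["selector"], labels):
            continue
        # kubectl -o json renders the numeric portLevelMtls keys as strings
        port_level = {str(k): v for k, v in spec.get("portLevelMtls", {}).items()}
        if port is not None and _mode(port_level.get(str(port))):
            return _mode(port_level[str(port)]), f"{name} port {port}"
        if _mode(spec.get("mtls")):
            return _mode(spec["mtls"]), f"{name} (workload)"
    # 2. namespace-wide, then 3. mesh-wide (root namespace), both without selector
    for scope_ns, scope in ((namespace, "namespace"), (ROOT_NAMESPACE, "mesh")):
        for p in _peer_policies(policies, scope_ns, with_selector=False):
            if _mode(p["spec"].get("mtls")):
                return _mode(p["spec"]["mtls"]), f"{scope_ns}/{p['metadata']['name']} ({scope})"
    return DEFAULT_MODE, "built-in default"


def deprecated_policies(policies):
    """1.4-style MeshPolicy/Policy objects (the 'policy deprecated' analyzer case)."""
    found = []
    for p in policies:
        if p.get("apiVersion") == DEPRECATED_API:
            ns = p["metadata"].get("namespace")           # MeshPolicy is cluster-scoped
            found.append(f"{p['kind']}/{ns + '/' if ns else ''}{p['metadata']['name']}")
    return found


# Constructed sample shaped like the items of `kubectl get peerauthentication -A -o json`,
# plus one leftover 1.4 MeshPolicy. Namespace and app names are invented.
SAMPLE_POLICIES = [
    {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
     "metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},                       # mesh-wide STRICT (slide 35)
    {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
     "metadata": {"name": "default", "namespace": "legacy"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},                   # one namespace opts down
    {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
     "metadata": {"name": "metrics-scrape", "namespace": "legacy"},
     "spec": {"selector": {"matchLabels": {"app": "billing"}},
              "mtls": {"mode": "STRICT"},
              "portLevelMtls": {9090: {"mode": "DISABLE"}}}},      # plaintext scrape port only
    {"apiVersion": "authentication.istio.io/v1alpha1", "kind": "MeshPolicy",
     "metadata": {"name": "default"},
     "spec": {"peers": [{"mtls": {}}]}},                           # 1.4 object, to migrate
]

if __name__ == "__main__":
    for ns, labels, port in [("default", {"app": "web"}, None),
                             ("legacy", {"app": "web"}, None),
                             ("legacy", {"app": "billing"}, None),
                             ("legacy", {"app": "billing"}, 9090)]:
        print(ns, labels, port, "->", effective_mtls_mode(SAMPLE_POLICIES, ns, labels, port))
    print("deprecated:", deprecated_policies(SAMPLE_POLICIES))
```

The (mode, source) pair is the useful part when reviewing a mesh after the 1.5 migration: a mesh-wide STRICT policy says nothing about a workload that a namespace-wide PERMISSIVE or a per-port DISABLE silently overrides, and the source tells you exactly which object to go and read. The leftover MeshPolicy in the sample is the kind of 1.4 object that should be removed once its PeerAuthentication replacement is in place.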

  38. Telemetry v2: TCP support
     - HTTP support in 1.3
     - TCP support in 1.5 - requires mTLS between the peers
  39. Operator Install: IstioControlPlane -> IstioOperator
     - istioctl operator {init, remove}
     - The CRD IstioControlPlane in 1.4 is renamed to IstioOperator in 1.5
  40. Istio install: istioctl, Operator, Helm
     - istioctl - istioctl manifest apply
     - Standalone Operator - istioctl operator init
     - Helm - default before 1.3 - will be deprecated!
  41. Istio install: istioctl, Operator
     - istioctl - human-triggered
     - Standalone Operator - machine-triggered - the CRD's reconcile loop - planned for canary rollouts of the control plane
  42. Auto mTLS (mutual TLS): Alpha -> Beta
     - Introduced in 1.4
     - Enabled by default
  43. Newer version of Kiali $ istioctl dashboard kiali

  44. Tips

  45. Install demo profile istioctl manifest apply --set profile=demo

  46. Firewalls for Private Clusters

  47. Firewalls for Private Clusters

  48. Try Again istioctl manifest apply --set profile=demo

  49. Demo?

  50. Thank You! Jun Sakata Google Developers Expert, Cloud @sakajunquality