Istio 1.5 Updates

sakajunquality

March 12, 2020

Transcript

  1. Jun Sakata
    Google Developers Expert, Cloud
    @sakajunquality
    Istio 1.5 Updates
    2020.03.12
    #GCPUG Istio 1.5 Day

  2. Agenda
    Istio 1.5 Updates!
    - Istio Releases
    - Istio 1.5 Overview
    - Istio 1.5 Features
    - Demo?
    - Tips

  3. Istio Releases
    Release Histories

  4. Istio Releases
    Quarterly release since 1.1
    - 1.0
      - July 31, 2018
      - Theme: Production Use
    - 1.1
      - March 19, 2019
      - Theme: Enterprise Ready
    - 1.2
      - June 18, 2019
      - Theme: Predictable Releases

  5. Istio Releases
    Quarterly release since 1.1
    - 1.3
      - September 12, 2019
      - Theme: User Experience
    - 1.4
      - November 14, 2019
      - Theme: User Experience, Performance
    - 1.5 New!
      - March 5, 2020
      - Theme: istiod, WASM

  6. 1.5
    https://istio.io/news/releases/1.5.x/announcing-1.5/

  7. Istio 1.5 Overview
    What’s new in 1.5

  8. “The Istio project is really heading in the right
    direction!
    Improved lifecycle management, better performance, and
    Wasm based extensibility in Envoy -- you'll be able to
    write extensions in not C++
    On top of all that, a single binary control plane.”
    - Kelsey Hightower
    https://twitter.com/kelseyhightower/status/1235449975565254656

  10. Istio Roadmap 2020
    https://istio.io/blog/2020/tradewinds-2020/

  11. Istio Roadmap 2020
    - Performance
      - Mixer to proxy
    - Extensibility
      - More capabilities in sidecar proxies
    - Simplifying Control Plane
      - Component
    - Lifecycle Management
      - Install / Upgrade
    - User Experience
      - istioctl

  12. istiod
    https://github.com/istio/community

  13. istiod
    A single binary for control plane

  14. How Istio works

  15. How it worked prior to 1.5

  16. How it works from 1.5

  17. Istio Architecture

  18. Resources in 1.4 (demo profile)
    kubectl -n istio-system get deploy,service

  19. Resources in 1.5 (demo profile)
    kubectl -n istio-system get deploy,service

  20. ~1.4 Components in 1.5
    istiod
    - Pilot -> istiod
    - Sidecar injection -> istiod
    - Galley
      - Configuration Validation -> istiod
      - X features -> still remains as istio-galley
    - Citadel -> istiod
    - Mixer -> Deprecated

  21. e.g. Sidecar Injection
    In ~1.4
    $ k get MutatingWebhookConfiguration istio-sidecar-injector -o yaml
    apiVersion: admissionregistration.k8s.io/v1beta1
    kind: MutatingWebhookConfiguration
    name: istio-sidecar-injector
    ...
    webhooks:
    - admissionReviewVersions:
      ...
        service:
          name: istio-sidecar-injector
          namespace: istio-system
          path: /inject
          port: 443
    ...

  22. e.g. Sidecar Injection
    In 1.5
    $ k get MutatingWebhookConfiguration istio-sidecar-injector -o yaml
    apiVersion: admissionregistration.k8s.io/v1beta1
    kind: MutatingWebhookConfiguration
    name: istio-sidecar-injector
    ...
    webhooks:
    - admissionReviewVersions:
      ...
        service:
          name: istiod
          namespace: istio-system
          path: /inject
          port: 443
    ...

  23. Mixer
    1.4

  24. Mixer
    Deprecated in 1.5, supported until 1.7
    - istio-policy
      - Policy enforcement
      - disabled by default since Istio 1.3
    - istio-telemetry
      - Telemetry Report
      - disabled by default since Istio 1.5

  25. Telemetry V2
    Telemetry through proxy, without Mixer
    - Telemetry is directly exported by proxy
    - Currently compiled in istio proxy
    - To be on Wasm runtime

  26. Telemetry V2
    https://istio.io/docs/reference/config/telemetry/metrics/

  27. Telemetry V2
    Telemetry through proxy
    - 1.3
      - Experimental Feature
      - HTTP telemetry (Alpha)
    - 1.4
      - Simpler Installation
      - HTTP telemetry (Beta), TCP telemetry (Alpha)
    - 1.5
      - Installed by Default

  28. Feature Status
    Alpha -> Beta -> Stable
    https://istio.io/about/feature-stages/

  29. WebAssembly
    https://istio.io/blog/2020/wasm-announce/

  30. WebAssembly(WASM)
    - Need for more extensibility
    - Extensions without WASM
      - Envoy -> Filters written in C++
      - Istio -> Mixer
    - WASM
      - Ecosystems
      - Memory-safe and sandboxed runtime

  31. WebAssemblyHub
    https://www.solo.io/blog/an-extended-and-improved-webassembly-hub-to-helps-bring-the-power-of-webassembly-to-envoy-and-istio/

  32. Istio 1.5 Features

  33. Features
    - Authentication Policy
    - istioctl analyze
    - Telemetry v2
    - Operator Install
    - Auto mTLS
    - Kiali

  34. Authentication Policy
    PeerAuthentication and RequestAuthentication
    - Policy and MeshPolicy are being replaced by PeerAuthentication and RequestAuthentication
    - Docs
      - 1.5 https://istio.io/docs/tasks/security/authentication/authn-policy/
      - 1.4 https://archive.istio.io/v1.4/docs/tasks/security/authentication/authn-policy/

  35. Authentication Policy
    e.g. global mTLS STRICT
    # 1.4
    apiVersion: "authentication.istio.io/v1alpha1"
    kind: "MeshPolicy"
    metadata:
      name: "default"
    spec:
      peers:
      - mtls: {}
    ---
    # 1.5
    apiVersion: "security.istio.io/v1beta1"
    kind: "PeerAuthentication"
    metadata:
      name: "default"
      namespace: "istio-system"
    spec:
      mtls:
        mode: STRICT
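
The 1.4 to 1.5 mapping on this slide, generalized as an added example (not from the original deck or the Istio project): a Python helper that converts parsed `MeshPolicy`/`Policy` objects into `PeerAuthentication` and flags results that still accept plaintext. The function name `migrate`, the sample objects, and the handling of `targets`, `origins` and missing peers are assumptions of this example.

```python
# Added example: maps Istio 1.4 alpha authentication policies to the 1.5 API.
ROOT_NAMESPACE = "istio-system"  # assumption: default mesh root namespace
ALPHA_API = "authentication.istio.io/v1alpha1"


def migrate(policy):
    """Return (PeerAuthentication dict or None, list of manual follow-ups)."""
    if policy.get("apiVersion") != ALPHA_API or policy.get("kind") not in ("Policy", "MeshPolicy"):
        return None, ["not an alpha authentication policy"]
    spec = policy.get("spec") or {}
    meta = policy.get("metadata") or {}
    notes = []
    if spec.get("targets"):
        # Alpha targets name services; the beta API selects workloads by label,
        # so the selector has to be written by hand.
        return None, ["targets need a hand-written workload selector"]
    if spec.get("origins"):
        notes.append("origins (JWT) belong in a separate RequestAuthentication")
    # Alpha semantics: `mtls: {}` means STRICT. Assumption: a policy with no
    # mtls peer is treated as plaintext and mapped to DISABLE.
    mode = "DISABLE"
    for peer in spec.get("peers") or []:
        if "mtls" in peer:
            mode = (peer["mtls"] or {}).get("mode", "STRICT")
    if mode != "STRICT":
        notes.append(f"mode {mode} still accepts plaintext traffic")
    namespace = ROOT_NAMESPACE if policy["kind"] == "MeshPolicy" else meta.get("namespace", "default")
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "PeerAuthentication",
        "metadata": {"name": meta.get("name", "default"), "namespace": namespace},
        "spec": {"mtls": {"mode": mode}},
    }, notes


# Constructed sample inputs (already parsed from YAML into dicts).
MESH_STRICT = {"apiVersion": ALPHA_API, "kind": "MeshPolicy",
               "metadata": {"name": "default"}, "spec": {"peers": [{"mtls": {}}]}}
NS_PERMISSIVE = {"apiVersion": ALPHA_API, "kind": "Policy",
                 "metadata": {"name": "default", "namespace": "legacy"},
                 "spec": {"peers": [{"mtls": {"mode": "PERMISSIVE"}}]}}
TARGETED = {"apiVersion": ALPHA_API, "kind": "Policy",
            "metadata": {"name": "reviews", "namespace": "shop"},
            "spec": {"targets": [{"name": "reviews"}], "peers": [{"mtls": {}}]}}

if __name__ == "__main__":
    for sample in (MESH_STRICT, NS_PERMISSIVE, TARGETED):
        print(migrate(sample))
```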

  36. istioctl analyze
    More capabilities
    - Introduced in 1.4
    - Out of Experimental
    - More analyzers
      - mutual TLS, JWT, ServiceAssociation, Secret, sidecar image, port name and policy deprecated
      - -L to display
    - -k (current cluster) by default
    - -A|--all-namespaces flag
    - Print namespace
    - stdin / files from directory
      - istioctl analyze a.yaml b.yaml my-app-config/
      - xxx | istioctl analyze

  37. istioctl analyze
    e.g. istioctl analyze -A

  38. Telemetry v2
    TCP Support
    - HTTP Support in 1.3
    - TCP Support in 1.5
    - mTLS only

  39. Operator Install
    IstioControlPlane -> IstioOperator
    - istioctl operator {init, remove}
    - CRD IstioControlPlane in 1.4 is renamed to IstioOperator in 1.5

  40. Istio install
    istioctl, Operator, Helm
    - istioctl
      - istioctl manifest apply
    - Standalone Operator
      - istioctl operator init
    - Helm
      - Default before 1.3
      - Will be deprecated!

  41. Istio install
    istioctl, Operator
    - istioctl
      - Human-triggered
    - Standalone Operator
      - Machine-triggered
      - CRD’s reconcile loop
      - Planned for canary rollout of the control plane

  42. Auto mTLS (mutualTLS)
    Alpha -> Beta
    - Introduced in 1.4
    - Enabled by default

  43. Newer version of Kiali
    $ istioctl dashboard kiali

  44. Tips

  45. Install demo profile
    istioctl manifest apply --set profile=demo

  46. Firewalls for Private Clusters

  47. Firewalls for Private Clusters

  48. Try Again
    istioctl manifest apply --set profile=demo

  49. Demo?

  50. Thank You!
    Jun Sakata
    Google Developers Expert, Cloud
    @sakajunquality
