
Gloo Mesh Enterprise Webinar 12.10.2020

Solo.io
December 11, 2020


Gloo Mesh is the service mesh management plane for single-cluster to multi-cluster and multi-platform configuration, global failover routing, and operations. As a Kubernetes-native control plane, Gloo Mesh streamlines administration and unifies management as service mesh environments scale across clusters, clouds, and regions.

The recently announced Gloo Mesh Enterprise adds security, management, and commercial support to the open source edition, including:

* Role Based API for delegated service mesh access and ownership to configure policies
* Production Istio Support including validated upstream software, maintenance, patches/hotfixes, and long-term support (LTS)
* Operational Observability with a unified dashboard showing status and health across service mesh clusters, services, and workloads
* Integrated WebAssembly modules and tooling to customize service mesh behavior



Transcript

  1. 2 | Copyright © 2020. Christian Posta, Global Field CTO, Solo.io. @christianposta, [email protected], https://blog.christianposta.com, https://slideshare.net/ceposta
  2. Gloo Platform: what do we offer? Gloo API Infrastructure Platform is a portfolio of products to enable, secure, and observe application connectivity at the edge and between services across clusters and clouds. What does the platform include?
     * Gloo Mesh: Enterprise Istio with multi-cluster, VM, multi-mesh, and Wasm management
     * Gloo Edge: a powerful next-generation API gateway built on Envoy Proxy
     * Gloo Portal: developer portal to catalog and expose running APIs
     * Gloo Extensions: developer tooling to extend Envoy with WebAssembly
  3. Service mesh technologies provide the following:
     * Service discovery / load balancing
     * Secure service-to-service communication
     * Traffic control / shaping / shifting
     * Policy / intention-based access control
     * Traffic metric collection
     * Service resilience
     * API / programmable interface
  4. Service proxy lives with the application instance (diagram: the Account service and another service communicate on the network through their proxies). The proxy is responsible for enriching the network communication with:
     * Circuit breaking
     * Load balancing
     * Timeout, retry
     * Service discovery
     * Metric collection
  5. Service proxy + control plane (diagram: Account and User proxies talk over mTLS; labels: Control Plane, Policy enforcement). The control plane is responsible for:
     * Configuration translation
     * Telemetry, tracing collection
     * Platform service discovery
     * Policy declaration
  6. Communication mesh between services (diagram: workloads connected through their proxies, managed by the Control Plane)
  7. Istio is the dominant open-source leader. https://istio.io. Source: CNCF Survey 2020 raw data
  8. Challenges in service mesh adoption:
     * Which one to choose?
     * Who will provide support, long-term support?
     * Multi-tenancy issues within a single cluster?
     * Managing multiple clusters
     * Fitting with existing services (sidecar lifecycle, race conditions, etc.)
     * Delineation between developers and operations
     * What about legacy / hybrid environments?
  9. Gloo Mesh Enterprise: Enterprise Istio for single-cluster, multi-cluster and multi-platform configuration. Focus on ease of use, powerful best practices built in, security, and extensibility. https://www.solo.io/products/gloo-mesh/
     * Multi-Cluster Operations: consistent configuration and orchestration across multiple clusters and VMs
     * Istio: production and long-term support (LTS, N-3) with patches and hotfixes for validated upstream Istio
     * Role Based API: delegate ownership of configuration and policy by persona, including developers, SREs, and admins
     * WebAssembly: extend the service-mesh control plane with WebAssembly modules; manage their deployment and lifecycle across clusters
     * Observability: operational visibility with a single pane of glass across multiple service mesh clusters
     * Global Failover Routing: cross-cluster failover and locality-aware routing
     * Multi-Mesh: multi-platform service mesh support (AWS App Mesh and Azure Open Service Mesh) across clouds and zones
     * Security: end-to-end security across clusters and meshes for zero trust networks
  10. Gloo Mesh Enterprise: deep dive through example
  11. Gloo Mesh Enterprise: Istio (single cluster)
  12. Services deployed in a single cluster (diagram: Account and User services in a Kubernetes Cluster with Istiod). Enterprise Istio:
     * Upstream first
     * Specialty builds available (FIPS, ARM, etc.)
     * Long Term Support (LTS) N-3
     * Critical security patches
     * Production break-fix
     * One-hour SLA for Severity 1
     * Install / upgrade
     * Architecture and operational guidance, best practices
  13. Gloo Mesh Enterprise: role-based API (configuration abstraction level, complexity, ownership and contention)
  14. Configuration: typical roles (diagram: Account and User services in a Kubernetes Cluster with Istiod, configured by the SRE, the Platform Team, the Service Team (provider) and the Service Team (consumer))
  15. Example: Service Team (provider) configures, with these Istio resources for each service (Sidecar, VirtualService, DestinationRule, VirtualService (ingress)):
     * Service dependencies
     * Hostname routing
     * CORS
     * Traffic splitting
     * Rate limiting
     * Fault injection
     * Circuit breaking
  16. Example: Service Team (consumer) configures, with these Istio resources for each service (Sidecar, VirtualService, DestinationRule):
     * Timeouts
     * Retries
     * Retry budget
     * Locality-aware load balancing
     * Circuit breaking
  17. Problem: contention. Who owns these resources!? Sidecar, VirtualService, DestinationRule, VirtualService (ingress). Istio's API closely mimics Envoy's. It is low level and does not lend itself to multi-team ownership and delineation.
  18. Example: Platform owner(s): Kubernetes owner, network/security ops. Configured with these Istio resources: ServiceEntry, PeerAuthentication, AuthorizationPolicy, Gateway, EnvoyFilter, WorkloadEntry.
     * What services should/should not communicate?
     * What calls can cross organizational boundaries?
     * Identity propagation
     * Traffic encrypted
     * Default resilience settings
     * High availability of the solution
  19. Gloo Mesh: simplified role-based API (diagram: the SRE, Platform Team and Service Teams (provider and consumer) write TrafficPolicy and AccessPolicy resources in the Gloo Mesh Management Plane, which translates them to Istio for the Kubernetes Cluster running Istiod with the Account and User services). The Gloo Mesh API simplifies the model to selection of source and target: Source -> policy -> Target
  20. Deploy Istio across multiple clusters for high availability and isolation (diagram: Cluster 1 runs Account and User with its own Istiod and Ingress; Cluster 2 runs Orders and User with its own Istiod and Ingress; AWS EKS runs Orders, User and Account with its own Istiod and Ingress)
  21. Problem: configuration semantics and explosion (diagram: three clusters, each its own config boundary, each carrying its own VirtualService (VS), DestinationRule (DR), Sidecar (SC) and ServiceEntry (SE) resources for Account, User and Orders, including ServiceEntry resources for the services that live in the other clusters)
  22. Problems operating multiple clusters and control planes:
     * Making clusters aware of dependent services on other clusters (service discovery / partitioning)
     * Unifying identity domains / limited trust networks
     * Often need to write multiple configurations in multiple clusters just to accomplish something simple (like traffic routing)
     * Consistent security
     * Defining failover semantics (locality, priority, etc.)
     * Isolating fault domains (trust, configuration, etc.)
  23. Solution: a federation management plane. Gloo Mesh Enterprise: management plane
  24. Gloo Mesh management plane for federation (diagram: the same three clusters; Service Teams, SREs and the Platform Team write TrafficPolicy and AccessPolicy resources in the Gloo Mesh Management Plane, which translates and orchestrates them into each cluster)
  25. Gloo Mesh multi-cluster configuration (diagram: the Gloo Mesh Management Plane translates and orchestrates policies into Istiod on Cluster 1, Istiod on Cluster 2 and Istiod on EKS/GKE/AKS; each TrafficPolicy or AccessPolicy is expressed as Source(s), Target(s) and Applied Policy, and the resulting TrafficPolicy and AccessPolicy appear in each cluster)
  26. Quick demo: operating multiple meshes
  27. Gloo Mesh: multi-mesh support (multiple mesh providers)
  28. Gloo Mesh multi-cluster configuration (diagram: as on slide 25, but the third target is AWS App Mesh on EKS/ECS/EC2 alongside Istiod on Cluster 1 and Cluster 2; each TrafficPolicy or AccessPolicy is expressed as Source(s), Target(s) and Applied Policy)
  29. Gloo Mesh Enterprise: WebAssembly (extending the mesh)
  30. Extending Envoy Proxy: adding custom filters. The new way: WebAssembly
     * Write the filter in any language
     * Compile to a .wasm module
     * Dynamically load it in Envoy Proxy at runtime
  31. Extend Envoy Proxy with WebAssembly (Wasm) (diagram: Envoy filter chain with External Auth, Rate Limiting, Wasm, gRPC Transcoder and Router filters in front of the Upstream). Why WebAssembly?
     * Polyglot: Envoy filters are written in C++; Wasm expands that to any language
     * Secure and reliable: Wasm runs in an isolated VM, can be updated dynamically without Envoy restarts, and has no hard dependencies or cascading failures
     * Speed: near-native performance
     * Sustainable: eliminates the need to recompile and maintain a build of Envoy
  32. Gloo Mesh extensibility with WebAssembly (diagram: the SRE / Platform Team deploys Wasm through a WasmDeployment in the Gloo Mesh Management Plane, which pulls modules from a Wasm registry into the three clusters)
  33. Gloo Mesh Wasm support:
     * Simplified tooling to bootstrap Wasm modules in Rust, C++, TinyGo, AssemblyScript
     * Infrastructure to build, push, share, deploy Wasm into the Istio service mesh
     * Wasm Registry
     * Multi-cluster management, orchestration of the Wasm lifecycle
  34. The benefits of Gloo Mesh

     | Capability | Without Gloo Mesh | With Gloo Mesh |
     | --- | --- | --- |
     | Istio support | N-1, community best effort | N-3 LTS, 1hr sev-1 SLA, architecture/operations guidance |
     | Role-based API | High contention | Tailor API to user |
     | Multi-cluster traffic and authorization policy | Local and complex | Global, simplified |
     | Extensibility | Limited, manual | Enterprise ready, multi-cluster |
     | Management | Local CLI, gitops | Global API, CLI, UI, gitops |

  35. Feature readiness

     | Capability | Current | Target stable |
     | --- | --- | --- |
     | Istio support | Stable, supported | Now |
     | Role-based API | Beta, supported | January 2021 |
     | Multi-cluster traffic and authorization policy | Beta, supported | January 2021 |
     | Extensibility | Alpha, tech preview | March 2021 |
     | Management | Beta, supported | January 2021 |

  36. Phased approach to adopting Gloo Mesh Enterprise:
     * Enterprise Istio support, LTS (upstream, FIPS, ARM, validated builds, security patches for N-3)
     * Istio expertise, architecture, security, etc.
     * Role based API
     * Multi-cluster management plane
     * Identity federation
     * Unified, multi-cluster API, configuration
     * Failover, locality-based routing, adaptive traffic shifting
     * WebAssembly extensions
  37. @christianposta. Get Gloo Mesh Enterprise! https://www.solo.io/products/gloo-mesh/ Open source: https://github.com/solo-io/gloo-mesh/releases
  38. Links:
     * https://solo.io
     * https://solo.io/blog
     * https://slack.solo.io
     * https://gloo.solo.io
     * https://envoyproxy.io
     * https://istio.io
     * https://webassemblyhub.io