
Traffic Control - Multi-Tenant Ingress with Istio

Solo.io
October 29, 2019

In this session we focus on the use case of multi-tenancy on your Kubernetes cluster with the Istio service mesh.

We will explain how API Gateways, Ingress Controllers, and Service Mesh differ, and how they work together to achieve this use case.

In this session we'll:
Discuss the core concept
Challenges for application developers and cluster operators
Walk through how that problem has been solved historically
Review how implementing a service mesh can help solve that problem differently
Demos, demos, demos
Recap of the latest release of Istio

Video here
https://www.youtube.com/watch?v=HO7pqNUbUFk&list=PLBOtlFtGznBim4rBEXMl87Pt9qJT_3G1Y

Learn More
https://solo.io and https://gloo.solo.io
https://istio.io
https://cloud.google.com


Transcript

  1. What is multi-ingress?
     When running large multi-tenant deployments, teams or workloads may need their own dedicated ingress, or apps may need different ingress setups.

  2. Why multi-ingress?
     • Isolation for individual teams and logical workloads
     • Multiple ingress types like APIs vs user-facing services
     • Serving multiple applications out of different domains
     • Require unique SSL certificates for each domain being served

  3. Top-level requirements
     • Isolate teams and logical workloads
     • Support for different ingress types
     • Each ingress needs HTTPS support

  4. Critical features
     • Platform load balancer support
     • SSL certificate support
     • Kubernetes-native service
     • Traffic management mechanisms
     • API gateway support
     • Auth support for in-cluster services

  5. Kubernetes Ingress
     • More capable than Service LoadBalancer
     • SSL certificate support
     • Multiple ingress resources can be deployed
     • Can integrate with L7 platform load balancers
     • Supports single-service, simple fanout, or name-based virtual hosts

  6. Istio Ingress Gateway
     • Supports workloads across different namespaces
     • Native Kubernetes Service, integrates with platform load balancers
     • Support for SSL certificates
     • Encrypted traffic to downstream services
  7. Generate a new ingressgateway
     Use helm to generate the required components to run your own ingress gateway.

       cd istio-1.3.2/install/kubernetes/helm
       helm template istio \
         --name istio --namespace istio-system \
         -x charts/gateways/templates/serviceaccount.yaml \
         >> my-ingressgateway.yaml
       helm template istio \
         --name istio --namespace istio-system \
         -x charts/gateways/templates/deployment.yaml \
         >> my-ingressgateway.yaml
       helm template istio \
         --name istio --namespace istio-system \
         -x charts/gateways/templates/service.yaml \
         >> my-ingressgateway.yaml
  8. Update metadata
     Update the generated ServiceAccount, Deployment, and Service.

     ServiceAccount:
     - metadata.name
     - metadata.labels

     Deployment:
     - metadata.name
     - metadata.labels
     - spec.selector.matchLabels
     - spec.template.metadata.labels
     - spec.containers[].name
     - spec.containers[].volumeMounts[]
     - spec.serviceAccountName
     - spec.volumes[]

     Service:
     - metadata.name
     - metadata.labels
     - spec.ports[].http2.nodePort
     - spec.ports[].https.nodePort
     - spec.ports[].tcp.nodePort
     - spec.selector
  9. Wiring up Istio objects
     When creating Gateway objects, configure spec.selector for your new ingressgateway.

       apiVersion: networking.istio.io/v1alpha3
       kind: Gateway
       metadata:
         name: gateway-example
       spec:
         selector:
           istio: example-ingressgateway
         servers:
         - port:
             number: 80
             name: http
             protocol: HTTP
           hosts:
           - "*"
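A consistency check for the generate / update metadata / wire up steps above, added here as an example and not part of the deck or its demo repo: it flags a dedicated gateway whose names, pod labels, selectors or ServiceAccount reference were left at the shared istio-ingressgateway values, which would make the apply overwrite the shared objects or let other tenants' Gateways bind to the new pods. It assumes the four objects have been parsed into Python dicts (for instance with PyYAML's yaml.safe_load_all over my-ingressgateway.yaml); the names, labels and nodePorts in the sample are constructed.

```python
# Added consistency check (not from the deck) for a dedicated Istio ingress gateway.
# Assumes the generated ServiceAccount/Deployment/Service and the Gateway were parsed
# into dicts, e.g. with yaml.safe_load_all() over my-ingressgateway.yaml.
SHARED_GATEWAY = "istio-ingressgateway"    # name of the gateway Istio installs by default
SHARED_LABEL = {"istio": "ingressgateway"}  # pod label the shared gateway's pods carry

def check_dedicated_gateway(docs, reserved_node_ports=()):
    """Return a list of problems; an empty list means the four objects wire up consistently."""
    by_kind = {d["kind"]: d for d in docs}
    sa, dep, svc, gw = (by_kind[k] for k in ("ServiceAccount", "Deployment", "Service", "Gateway"))
    problems = []
    # metadata.name must be changed, or the apply would overwrite the shared gateway's objects
    for obj in (sa, dep, svc):
        if obj["metadata"]["name"] == SHARED_GATEWAY:
            problems.append(f"{obj['kind']}.metadata.name still {SHARED_GATEWAY}")
    pod_labels = dep["spec"]["template"]["metadata"]["labels"]
    # pods must not keep the shared label, otherwise existing Gateways would also bind to them
    if all(pod_labels.get(k) == v for k, v in SHARED_LABEL.items()):
        problems.append(f"pod template still carries the shared label {SHARED_LABEL}")
    # every selector that is supposed to pick these pods must match the pod template labels
    selectors = {"Deployment.spec.selector.matchLabels": dep["spec"]["selector"]["matchLabels"],
                 "Service.spec.selector": svc["spec"]["selector"],
                 "Gateway.spec.selector": gw["spec"]["selector"]}
    for path, sel in selectors.items():
        mismatch = {k: v for k, v in sel.items() if pod_labels.get(k) != v}
        if mismatch:
            problems.append(f"{path} {mismatch} does not match pod labels {pod_labels}")
    if dep["spec"]["template"]["spec"].get("serviceAccountName") != sa["metadata"]["name"]:
        problems.append("Deployment.spec.template.spec.serviceAccountName does not name the new ServiceAccount")
    # the dedicated Service needs nodePorts that another gateway is not already using
    for port in svc["spec"].get("ports", []):
        if port.get("nodePort") in reserved_node_ports:
            problems.append(f"nodePort {port['nodePort']} ({port.get('name')}) already used by another gateway")
    return problems

# Constructed sample trimmed to the fields the check reads; names and ports are made up.
EXAMPLE_DOCS = [
    {"kind": "ServiceAccount", "metadata": {"name": "example-ingressgateway-service-account"}},
    {"kind": "Deployment", "metadata": {"name": "example-ingressgateway"}, "spec": {
        "selector": {"matchLabels": {"app": "example-ingressgateway", "istio": "example-ingressgateway"}},
        "template": {"metadata": {"labels": {"app": "example-ingressgateway", "istio": "example-ingressgateway"}},
                     "spec": {"serviceAccountName": "example-ingressgateway-service-account"}}}},
    {"kind": "Service", "metadata": {"name": "example-ingressgateway"}, "spec": {
        "selector": {"app": "example-ingressgateway", "istio": "example-ingressgateway"},
        "ports": [{"name": "http2", "port": 80, "nodePort": 32080}, {"name": "https", "port": 443, "nodePort": 32443}]}},
    {"kind": "Gateway", "metadata": {"name": "gateway-example"}, "spec": {
        "selector": {"istio": "example-ingressgateway"},
        "servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"}, "hosts": ["*"]}]}},
]
```

Run it against the real output of the helm template step before `kubectl apply`, passing the nodePorts of the gateways already in the cluster as reserved_node_ports.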
  10. Gloo Edge Proxy
      (Diagram: north-south traffic enters through the Gloo edge proxy; east-west traffic flows between Service I, II, III, IV and V.)
  11. Gloo features
      Gloo is a fully-featured edge Gateway and Ingress Controller built on Envoy Proxy. Gloo was built to extend the capabilities of the service mesh. Gloo runs on any platform: bare-metal, VM, Kubernetes, and Cloud.

  12. Gloo Gateway Complements Service Mesh
      • Extend with powerful edge capabilities (as seen previously)
      • Integrate with mTLS (SDS)
      • Integrate with telemetry collection
      • Integrate with distributed tracing
      • Provide full North-South & East-West networking abstraction

  13. Gloo architecture
      (Diagram: Control Plane reads Environment, Secret and Configuration sources and configures and manages Envoy's plugins; Data Plane is the Router with Upstream, gRPC-JSON transcoder, Rate limiting, External AUTH, ...)
  14. Istio 1.3 Key Themes
      • Improve the UX for new users adopting Istio
      • Improve the UX for debugging problems
      • Support more apps w/o addt'l config

  15. Istio 1.3 highlights
      • containerPort no longer required
      • Customizable generated Envoy config
      • Mixer-less telemetry (experimental)
      • Intelligent protocol detection (experimental)
      • Operator-based install (experimental)
      • New commands in istioctl experimental for debugging
  16. $ istioctl x --help

        Experimental commands that may be modified or deprecated

        Usage:
          istioctl experimental [command]

        Aliases:
          experimental, x, exp

        Available Commands:
          add-to-mesh      Add workloads into Istio service mesh
          analyze          Analyze Istio configuration and print validation messages
          auth             Inspect and interact with authn/authz policies in the mesh
          describe         Describe resource and related Istio configuration
          kube-uninject    Uninject Envoy sidecar from Kubernetes pod resources
          manifest         Commands related to Istio manifests
          metrics          Prints metrics for specified workload(s) when running in K8S
          profile          Commands related to Istio configuration profiles
          remove-from-mesh Remove workloads from Istio service mesh

  17. $ istioctl x --help (same output, highlighting analyze)
      • Analyze YAML files
      • Analyze live cluster
      • Simulate effect of applying YAML

  18. $ istioctl x --help (same output, highlighting manifest)
      Operator-based install!
      • Generate and/or apply manifests
      • Diff against multiple manifests
      • Migrate from Helm config to Operator
  19. What's Next: Security
      Around 3 weeks after the next Istio release, we'll dig into security-centric use cases, and how Istio can help.
      Istio 1.4 → Late Q4 2019

  20. Thank You! Questions or Comments?
      Find us @christianposta and @crcsmnky

      Learn More
      • Istio istio.io
      • Google Cloud cloud.google.com
      • Solo.io www.solo.io
      • Gloo gloo.solo.io
      • Service Mesh Hub servicemeshhub.io

      Demo
      • github.com/crcsmnky/istio-multi-ingress