Istio Service Mesh (people.redhat.com/abach/OSAW/FILES/DAY2/7 Istio Service Mesh.pdf)
TRANSCRIPT

OpenShift 4.x Architecture Workshop
Istio Service Mesh
July 2019

Microservices: Benefits and Challenges

MICROSERVICES ARCHITECTURE
[Diagram: a monolithic Application Server (HTML/JavaScript web tier, Services, Data Access layer) contrasted with a DISTRIBUTED architecture in which each Service runs in its own Runtime]

DISTRIBUTED COMPUTING CHALLENGES
Fallacies of Distributed Computing
● The network is reliable.
● Latency is zero.
● Bandwidth is infinite.
● The network is secure.
● Topology doesn't change.
● There is one administrator.
● Transport cost is zero.
● The network is homogeneous.
wikipedia.org/wiki/Fallacies_of_distributed_computing

DISTRIBUTED ARCHITECTURE
[Diagram: a grid of interconnected Services]

MICROSERVICES ARE HARD
Because applications must deal with
● Unpredictable failures
● End-to-end application correctness
● System degradation
● Topology changes
● Elastic/ephemeral/transient resources
● Distributed logs
● The fallacies of distributed computing
[Diagram: a Client calling into a graph of services A through I]

AN EXAMPLE
[Diagram: a product page for "ACME Laptop 128GB SSD, 8GB RAM" priced at $323.56, listing Touchscreen, 128GB SSD, 8GB RAM, Core i3 and Windows 10, with an Add to Cart button, In-Store Pickup (15 available) at Raleigh, Central Ave, Store #1123, and a "People who purchased also..." section]
Each part of the page is served by a different backend service: Recommendations, Pricing Engine, Reviews, Details/Specifications, Location-based availability.

CHAINING
[Diagram: services calling further services in a chain]

CHAINING (FAILURE)
[Diagram: one service in the chain fails, marked X]

CHAINING (CASCADING FAILURE)
[Diagram: the failure spreads along the chain; several services are marked X]

Traditional Approaches

POSSIBLE SOLUTIONS
Have your developers do this:
● Circuit Breaking
● Bulkheading
● Timeouts/Retries
● Service Discovery
● Load Balancing
● Traffic Control

Need a library to support each language/framework combination
[Diagram: service A running in a JVM inside a Container, its app logic wrapped by discovery, load-balancer, resiliency, metrics and tracing libraries (Ribbon, Eureka, Archaius, Hystrix, Zuul)]

WHAT ABOUT…?
POLYGLOT APPS
EXISTING APPS

Kubernetes exacerbates the problem
The trends of containerization, microservices and hybrid/multi-cloud deployments have created more distributed applications than ever.
This has left enterprises unable to connect, observe, secure or control their services in a consistent way.

Enter the service mesh

SERVICE MESH
A dedicated network for service-to-service communications

A better way with a service mesh
[Diagram: in 2014 each Service carried its own Config, Svc Discovery, Routing, Circuit Breaker and Tracing logic; by 2018 the Service runs on a Container Platform (+ Service Mesh) that provides them]
A service mesh provides a transparent and language-independent network for connecting, observing, securing and controlling the connectivity between services.

ISTIO’S CAPABILITIES AT 10,000 FEET
Traffic Management. Rules and traffic routing let you control the flow of traffic and API calls between services.
Service Identity and Security. Enforce consistently across diverse protocols and runtimes with little or no application changes.
Policy Enforcement. Apply policies to the interaction between services and ensure they are enforced. Changes are made by configuring the mesh, not by changing application code.
Observability. Gain understanding of the dependencies between services and the nature and flow of traffic between them, providing the ability to quickly identify and fix issues.

MICROSERVICES WITH ISTIO
connect, manage, and secure microservices transparently
[Diagram: three Pods, each holding a Microservice Container (App/Service A, B, C) alongside a Sidecar Container carrying the Istio Logic]

WHAT IS A SIDECAR?
A proxy instance that abstracts common logic away from individual services
SIDECAR PATTERN
● A utility container in the same pod to enhance the main container’s functionality
● Share the same network and lifecycle
● Istio uses an Istio Proxy (L7 Proxy) sidecar to proxy all network traffic between apps
[Diagram: a POD containing an APP container and a SIDECAR container]

ISTIO PROVIDES BOTH CONTROL AND DATA PLANES
[Diagram: a Control Plane above a Data Plane of four Pods, each running an App next to an Envoy proxy]
The data plane is composed of a set of intelligent proxies (Envoy) deployed as sidecars that mediate and control all network communication between microservices.
The control plane is responsible for managing and configuring proxies to route traffic, as well as enforcing policies at runtime.

COMPONENTS OF ISTIO
Envoy, originally from Lyft - it’s an intelligent proxy. Highly parallel, non-blocking, network filtering, service discovery, health checking, dynamically configurable.
Pilot, the component responsible for managing a distributed deployment of Envoy proxies in the service mesh. Intelligent routing, traffic mgmt, resiliency.
Mixer, which provides the policy and access control mechanisms within the service mesh. Monitoring, reporting, quotas - plugin-based.
Citadel, which controls service-to-service traffic based on origin and user. Key mgmt, certificate authority.
[Diagram: Control Plane (Pilot, Mixer, Citadel) above a Data Plane of Pods, each running an App next to an Envoy proxy. Caption: It’s the sidecar]

WHAT DOES CONNECT MEAN?
Discovery and Routing: decoupled from infrastructure, load balancing modes, dynamic routing...
Advanced Deployments: A/B testing, gradual rollouts, canary releases, mirroring...
Failure, Health, and Testing: timeouts, retries, circuit breakers, fault injection, active health checks...
[Diagram: traffic split between Version = 1.2.3 and Version = 1.2.4]
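The canary split and the resiliency settings named on this slide, written out as an added example (not from the workshop slides) in the networking.istio.io/v1alpha3 API current for Istio 1.1/1.2 when this deck was produced. The "shop" namespace, the pricing host, the subset names and the version labels are assumed.

```yaml
# Added example, not from the slides: a 90/10 canary between the two versions
# shown above plus client-side resiliency. Hosts, subsets and labels assumed.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: pricing
  namespace: shop
spec:
  host: pricing.shop.svc.cluster.local
  subsets:
  - name: v123
    labels: {version: "1.2.3"}
  - name: v124
    labels: {version: "1.2.4"}
  trafficPolicy:
    connectionPool:                 # bulkhead: bound what one caller can queue
      tcp: {maxConnections: 100}
      http: {http1MaxPendingRequests: 10}
    outlierDetection:               # circuit breaker: eject hosts returning 5xx
      consecutiveErrors: 3
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50        # never eject more than half the endpoints
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: pricing
  namespace: shop
spec:
  hosts:
  - pricing.shop.svc.cluster.local
  http:
  - route:
    - destination: {host: pricing.shop.svc.cluster.local, subset: v123}
      weight: 90
    - destination: {host: pricing.shop.svc.cluster.local, subset: v124}
      weight: 10
    timeout: 2s                     # overall budget, retries included
    retries:
      attempts: 2
      perTryTimeout: 500ms
      retryOn: 5xx,connect-failure  # Envoy retry_on conditions
```

The weights shift traffic without touching either deployment, and the outlier detection keeps a failing 1.2.4 instance from turning into the cascading failure shown earlier.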

HOW DO YOU SECURE SERVICES?
Security by default: no changes needed for application code and infrastructure
Defense in depth: integrate with existing security systems to provide multiple layers of defense
Zero-trust network: build security solutions on untrusted networks
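How the zero-trust point is enforced in practice, as an added example (not from the workshop slides) using the authentication.istio.io and rbac.istio.io v1alpha1 APIs of Istio 1.1/1.2: every workload in the namespace must present a Citadel-issued certificate, and callers are then authorized by that identity rather than by source IP. The "shop" namespace, the pricing host and the web service account are assumed.

```yaml
# Added example, not from the slides; namespace, hosts and service accounts are assumed.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default        # the namespace-wide policy must be named "default"
  namespace: shop
spec:
  peers:
  - mtls:
      mode: STRICT     # use PERMISSIVE while workloads are still migrating
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule  # without this, client sidecars keep sending plaintext
metadata:              # and STRICT mode rejects them
  name: default
  namespace: shop
spec:
  host: "*.shop.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL   # certificates issued and rotated by Citadel
---
apiVersion: rbac.istio.io/v1alpha1
kind: ClusterRbacConfig  # turns on RBAC (default deny) for the namespace
metadata:
  name: default
spec:
  mode: ON_WITH_INCLUSION
  inclusion: {namespaces: ["shop"]}
---
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRole
metadata:
  name: pricing-reader
  namespace: shop
spec:
  rules:
  - services: ["pricing.shop.svc.cluster.local"]
    methods: ["GET"]
---
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  name: web-to-pricing
  namespace: shop
spec:
  subjects:
  - user: "cluster.local/ns/shop/sa/web"  # identity taken from the mTLS certificate
  roleRef:
    kind: ServiceRole
    name: pricing-reader
```

Apply the Policy in PERMISSIVE mode first and watch the mesh telemetry for plaintext connections before switching to STRICT; ServiceRole objects are silently ignored until the ClusterRbacConfig includes the namespace.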

WHAT CAN YOU CONTROL?
Set and Check Policy: open-ended, connection limits, rate limits, simple denials, lists

Exempt if: match(request.headers["cookie"], "user=*") == false

Restrict to 2 requests per second per IP:

```yaml
quotas:
- name: requestcount.quota.istio-system
  overrides:
  - dimensions:
      destination: someservice
    maxAmount: 2
```
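The Mixer resources that the fragment above belongs to, as an added example (not from the workshop slides) in the config.istio.io/v1alpha2 API of Istio 1.1/1.2: the handler holds the limits, the instance defines which request attributes form the counting key, and the rule wires them together with the cookie exemption. The handler and instance names are assumed, and it is assumed that a QuotaSpec/QuotaSpecBinding (omitted here) already binds the requestcount quota to someservice.

```yaml
# Added example, not from the slides: handler, instance and rule behind the
# quota fragment above. Names are assumed; the QuotaSpec binding is omitted.
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: quotahandler
  namespace: istio-system
spec:
  compiledAdapter: memquota   # in-memory; use redisquota when Mixer has replicas
  params:
    quotas:
    - name: requestcount.quota.istio-system
      maxAmount: 500          # default for every other destination
      validDuration: 1s
      overrides:
      - dimensions:
          destination: someservice
        maxAmount: 2          # 2 requests per second per counting key
        validDuration: 1s
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: requestcount
  namespace: istio-system
spec:
  compiledTemplate: quota
  params:
    dimensions:   # source IP is part of the key, so the limit is per client IP
      source: request.headers["x-forwarded-for"] | "unknown"
      destination: destination.labels["app"] | destination.service.name | "unknown"
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: quota
  namespace: istio-system
spec:
  match: match(request.headers["cookie"], "user=*") == false   # logged-in users exempt
  actions:
  - handler: quotahandler
    instances: [requestcount]
```

Because the source dimension comes from x-forwarded-for, the limit only means "per IP" when that header is set by a trusted ingress; a client that reaches the sidecar directly can choose its own value.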

HOW CAN YOU OBSERVE?
Understand how your services are operating: metrics, tracing, network visibility

ISTIO AVAILABILITY
Istio 1.0!
● After over a year of work
● ~200 developers
● Google, IBM, VMware, Cisco, Red Hat, others...
● Adapters for many monitoring systems
Istio on OpenShift
● Available in Dev Preview today (3.10)
● GA coming soon (4.1)

ISTIO ON OPENSHIFT
Istio on OpenShift
● Available in Dev Preview today (3.10)
● GA coming soon (4.1)
● Istio is an “operator first product” (using Operator Framework)
  ○ https://github.com/Maistra/istio-operator
  ○ The operator manages the install (eventually updates)
  ○ Istio is delivered as containers, not RPMs