Istio On Kubernetes

Istio on Kubernetes: Enter the
Service Mesh
benevides@redhat.com
@rafabene
Link http://bit.ly/istio-kubernetes
@rafabene 1
Rafael Benevides
Director of Developer Experience at Red Hat
benevides@redhat.com
@rafabene
Java Certifications:
SCJA / SCJP / SCWCD / SCBCD / SCEA
JBoss Certifications:
JBCD / JBCAA
Red Hat Certifications:
OpenShift / Containers / Ansible
Other Certifications:
SAP Netweaver / ITIL / IBM Software Quality
@rafabene - http://bit.ly/istio-kubernetes
bit.ly/mono2microdb
bit.ly/istio-book
http://bit.ly/javamsabook
@rafabene
https://quarkus.io/
Your Journey to Awesomeness
Self-Service, Automation CI & CD Advanced Microservices

Re-Org to
On-Demand, Deployment Deployment
DevOps
Elastic Pipeline Techniques
Infrastructure
Monolith
MyApp
Modules
Microservices
Microservices
Microservices
Microservices
Microservices
Network of Services - Mesh
Microservices own their Data
Multiple Points of Entry
Multiple Pipelines
Microservices Principles
1. Deployment Independence - updates to an individual microservice have no negative
impact to any other component of the system. Optimized for Replacement
2. Organized around business capabilities
3. Products not Projects
4. API Focused
5. Smart endpoints and dumb pipes
6. Decentralized Governance
7. Decentralized Data Management
8. Infrastructure Automation (infrastructure as code)
9. Design for failure 2 Pizza Team
10. Evolutionary Design
Old School New School
Love Thy Mono
Microservices == Distributed Computing
OS OS
JVM JVM
Service A Service C
OS
JVM
Service B
Fallacies of Distributed Computing
• The Network is Reliable

• Latency is zero
• Bandwidth is infinite
• Topology does not change
• There is one administrator
• Transport cost is zero
• The network is homogeneous
https://en.wikipedia.org/wiki/Fallacies_of_distributed_computing
Failure of a Service
Cascading Failure
X X
X X
X X
X
Microservices embedding Capabilities
Container Container
JVM JVM
Service A Service C
Discovery Discovery
Load-balancer Load-balancer
Resiliency Resiliency
Metrics Metrics
Tracing Tracing
Container
JVM
Service B
Discovery
Load-balancer
Resiliency
Metrics
Tracing
History of Microservices
AWS EC2 Java EE6 DropWizard Hystrix Eureka Spring Boot Kubernetes
2006 2009 May 2011 March 2012 July 2012 Sept 2013 June 2014 2
0
1
Continuous Agile DevOps NETFLIX Vert.x Ribbon Microservices Docker Microservices 5
Integration Manifesto 2009 to AWS June March Assess March Defined
via XP Feb 2010 2011 2012 Thoughtworks 2013 Thoughtworks
1999 2001 Radar Fowler, Lewis
March 2012 March 2014
The Cloud is Born
0
1
Fat Jars
0
1
Netflix goes Open Source
0
1
Perfect Storm for Microservices
0
1
What's Wrong with Netflix OSS?
Java Only
Adds a lot of libraries to YOUR code
Microservices'ilities
API
Tracing Discovery
Monitoring Invocation
MyService
Logging Elasticity
Authentication Resilience
Pipeline
Microservices'ilities + Kubernetes
API
Tracing Discovery
MyService
Logging Elasticity
Pipeline
Microservices'ilities + OpenShift
API
Tracing Discovery
MyService
Logging Elasticity
Pipeline
Istio - Sail
(Kubernetes - Helmsman or ship’s pilot)
Service Mesh Defined
A service mesh is a dedicated infrastructure layer for handling service-to-service

communication. It’s responsible for the reliable delivery of requests through the
complex topology of services that comprise a modern, cloud native application. In
practice, the service mesh is typically implemented as an array of lightweight
network proxies that are deployed alongside application code, without the
application needing to be aware
https://buoyant.io/2017/04/25/whats-a-service-mesh-and-why-do-i-need-one/
Microservices'ilities + Istio
API
Tracing Discovery
MyService
Logging Elasticity
Pipeline
Microservices embedding Capabilities
Container Container
JVM JVM
Service A
Discovery Before Istio Service C
Discovery
Load-balancer Load-balancer
Resiliency Resiliency
Metrics Metrics
Tracing Tracing
Container
JVM
Service B
Discovery
Load-balancer
Resiliency
Metrics
Tracing
Microservices externalizing Capabilities
Pod Pod
Container Container
JVM JVM
Service A
After Istio Service C
Sidecar Container Sidecar Container
Pod
Container
JVM
Service B
Sidecar Container
Microservices externalizing Capabilities
Pod Pod
Container Container
JVM JVM
Service A
After Istio
The sidecar intercepts all network traffic
Service C
Pod
Sidecar Container
Container
JVM
Service B
Envoy is the current sidecar
Pod Pod
Container Container
JVM JVM
Service A Service C
Pod
Sidecar Container
Container
JVM
Service B
Sidecar
https://www.imz-ural.com/blog/waffles-the-sidecar-dog
Next Generation Microservices - Service Mesh
Code Independent (Polyglot)

• Intelligent Routing and Load-Balancing
• A/B Tests
• Smarter Canary Releases
• Chaos: Fault Injection
• Resilience: Circuit Breakers
• Observability: Metrics and Tracing
• Fleet wide policy enforcement
Istio Data Plane vs Control Plane
Data Pod Pod Pod

Plane Container Container Container
JVM JVM JVM
HTTP1.1, HTTP2, Service A HTTP1.1, HTTP2, Service B HTTP1.1, HTTP2, Service C

gRPC, TCP w/TLS gRPC, TCP w/TLS gRPC, TCP w/TLS
Envoy Sidecar Envoy Sidecar Envoy Sidecar
Control
Plane Istio Pilot Istio Mixer Istio Galey Istio Citadel
istioctl, API, config Quota, Telemetry Validation mTLS, SPIFFE

Rate Limiting, ACL
Polyglot Microservices Platform circa 2019
Config Server Jaeger Istio
NETFLIX Ribbon
Observability
Kiali.io
New Service Graph
Prometheus
How to add an Istio-Proxy (sidecar)?
istioctl kube-inject -f NormalDeployment.yaml

OR
kubectl label namespace myspace istio-
injection=enabled
To "see" the sidecar:
kubectl describe deployment customer
Traffic Control
Blue/Green
Deployment
Blue/Green Deployment
BUILD
SCM
DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS
BUILD
SCM
BUILD
SCM
BUILD
SCM
SCM BUILD
SCM
SCM
x
SCM
Demo Blue/Green
- Only Recommendation-v2
- Only Recommendation-v1
- Both (Delete Rule)
Canary
Deployment
Canary Resuscitator
http://www.openculture.com/2018/05/the-device-invented-to-resuscitate-canaries-in-coal-mines-circa-1896.html
Thanks to Paolo Antinori!
Canary Deployment
SCM
Canary Deployment
SCM
Canary Deployment
SCM
Canary Deployment
SCM
Canary Deployment
SCM
Canary Deployment
SCM
Canary Deployment
SCM
Canary Deployment
SCM
Canary Deployment
SCM
Canary Deployment
SCM
Canaries with Kubernetes
Pod
Container
JVM
50%
Service A
v1
Route/
Service
Ingress Pod
Container
JVM
Service A 50%
v2
Canaries with Istio
Pod
Container
JVM
90%
Service A
v1
Route/
Service
Ingress Pod
Container
JVM
Service A 10%
v2
Demo Canary
- 90/10
- 75/25
- Based on User-Agent
Dark
Launch
Dark Launches with Istio
Pod
Container
JVM
100%
Service A
v1
Mirror
requests
Route/
Service
Ingress
Pod
Container
JVM
Service A 100%
v2
@rafabene
Demo Dark
Launch
Service Resiliency
• Retry
• Kiali
X X
X X
X X
X
Chaos Testing
By Netflix - https://github.com/Netflix/SimianArmy/blob/master/assets/SimianArmy.png, Apache License 2.0,
https://commons.wikimedia.org/w/index.php?curid=63503083
Demo Caos
- 503
- Delay
Access Control
Pod Pod Pod
Customer Preference Recommendation
istio-proxy ✓ istio-proxy ✓ istio-proxy
Most Communication Inbound & Internal
Outbound/Egress Blocked By Default
✓
Demo Egress
- Access http://worldclockapi.com
bit.ly/istio-book
https://learn.openshift.com/servicemesh
Demo
bit.ly/istio-tutorial
The End
(but Serverless is coming)
@RAFABENE
@rafabene

Istio On Kubernetes

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Istio On Kubernetes

Uploaded by

Copyright:

Available Formats

Istio on Kubernetes: Enter the

Self-Service, Automation CI & CD Advanced Microservices

Love Thy Mono

• The Network is Reliable

Adds a lot of libraries to YOUR code

A service mesh is a dedicated infrastructure layer for handling service-to-service

Sidecar Container Sidecar Container

Sidecar Container Sidecar Container

Sidecar Container Sidecar Container

Code Independent (Polyglot)

Data Pod Pod Pod

HTTP1.1, HTTP2, Service A HTTP1.1, HTTP2, Service B HTTP1.1, HTTP2, Service C

Envoy Sidecar Envoy Sidecar Envoy Sidecar

istioctl, API, config Quota, Telemetry Validation mTLS, SPIFFE

Config Server Jaeger Istio

istioctl kube-inject -f NormalDeployment.yaml

DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS

DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS

DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS

DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS

DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS

DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS

DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS

DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS

DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS

DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS

DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS

DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS

DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS

DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS

DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS

DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS

DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS

DEVELOPMENT QA STAGING PRODUCTION ROUTER USERS

Pod Pod Pod

Customer Preference Recommendation

istio-proxy ✓ istio-proxy ✓ istio-proxy

You might also like