© OPITZ CONSULTING 2023 / Public
Advanced Observability & Security for your Kubernetes with a modern Service Mesh
Berlin, 2023-06-13
Philipp Kürsten, Fabian Hardt
ADVANCED OBSERVABILITY & SECURITY FOR YOUR KUBERNETES WITH A MODERN SERVICE MESH
01 WHY SERVICE MESH?
02 KUMA
03 DEMO
04 CONCLUSION
OPITZ CONSULTING
"We achieve customer proximity on site and, through modern delivery models, also at a distance!" Peter Menne, Managing Director
Locations: Essen, Bad Homburg, Stuttgart, München, Nürnberg, Gummersbach, Berlin, Hamburg, Kraków
MODERN
IT Modernization
"Sustainable business through flexible, dynamics-robust solutions for the digital world of tomorrow"
#MEHRWERT
AUTOMATED - SECURE - INTEGRATED
Security
"Secure IT solutions and infrastructures as the basis for business models in dynamic markets"
System Integration
"An integrated IT landscape as the foundation for a #ZUKUNFTSWIRKSAMES (future-effective) business"
Intelligent Automation
"More efficient use of resources through the automation of business processes using AI technologies"
#TECHNOLOGY & COMPETENCIES
CONSULTING: sustainable - long-term - successful
APPLICATIONS: innovative - outstanding - user-friendly
INTEGRATION: flexible - automated - performant
ANALYTICS: smart - intelligent - reliable
INFRASTRUCTURE: cloud - hybrid - elastic
CHANGE: sustainable - mindful - committed
- Serverless Microservices
- DevOps
- Modernization
- Decoupling
- API first
- Bi-Modal
- UX Design
- Lifecycle
- Cloud Based Integration
- Sensor Data
- IoT / Industry 4.0
- API Management
- Integration of Third Party Apps
- Process Integration
- Application Integration
- Data Lakes
- Big Data & Fast Data
- AI & Machine Learning
- Intelligent Automation
- Analytics for IoT
- Data Labs
- Data Governance
- Open Data
- Hybrid Architectures
- Infrastructure as Code
- Cloud Consumption
- Multi-Cloud Management
- Cloud Security
- Shared Cloud Services
- Compliance
- Managed Services
- Vision & Purpose
- Role and Identity
- Values & Beliefs
- Environment
- Skills and Behavior
- Culture Gardening
- Digital Awareness
- Digitalization Strategy
- Digital Transformation
- Innovation
- Digital Roadmap
- Governance
- License Consulting
DIGITAL PLATFORM
based on dynamics-robust architectures for digitalization
Artificial intelligence with a focus on automation & decision support
01 WHY SERVICE MESH?
TREND TOWARDS DISTRIBUTED APPLICATION ARCHITECTURES
Centralized: STATIC, ON-PREM, MONOLITH, VIRTUAL MACHINES, MANUAL CHANGE PROCESS
Decentralized: DYNAMIC, CLOUD / MULTI-CLOUD, MICROSERVICES / SERVERLESS, CONTAINERS, KUBERNETES, AUTOMATED CI/CD TOOL CHAIN
Chart axes: # Services & APIs vs. CONTROL AND VISIBILITY
INCREASED COMPLEXITY AND COGNITIVE LOAD ON DEVS
Diagram: within the Organization, each Application separately carries the cross-cutting concerns Security, Logging, Tracing, Metrics, Routing, AuthN/Z, Rate-Limiting, Caching and Versioning
WHAT'S A SERVICE MESH?
- Efficient implementation of cross-cutting concerns with respect to service integration challenges
- Everything is a service!
  - Cloud-native apps deployed to Kubernetes
  - Non-cloud-native workloads
- Should be independent of
  - Architecture (e.g. monolithic or microservice)
  - Platform (e.g. VMs, containers, Kubernetes)
Dedicated infrastructure layer that makes service-to-service communication more reliable, secure and observable
E2E SERVICE CONNECTIVITY WITH GATEWAY AND MESH
- Increased developer experience
- Consistent security
- Seamless observability
- Reliable connectivity
- Resilience
- Flexibility
Diagram labels: CLIENT, PUBLIC TRAFFIC, GW DP (gateway data plane), MESH CP (mesh control plane), MESH 1, MESH 2
SERVICE-MESH IMPLEMENTATIONS
- Kuma
- Istio
- Consul
- Linkerd
- GlooMesh
02 KUMA
KUMA INTRODUCTION
- Initially developed by Kong and donated to the CNCF in 2020
- Provides a modern distributed Control Plane
- Completely Envoy-based Data Plane proxies
- Platform-agnostic open-source control plane for service mesh
- Hence Kuma is
  - Universal
  - Simple
  - Scalable
- Flexible deployment options
  - Standalone deployment
  - Multi-Zone deployment
Source: https://tinyurl.com/xb57bhx5
KUMA STANDALONE ARCHITECTURE
(architecture diagram)
KUMA MULTI-CLUSTER ARCHITECTURE
- One mesh can be deployed over multiple clusters (each cluster forms a Zone)
- All traffic enters a cluster over the zone ingress
- One Remote (Zone) Control Plane in each cluster
KUMA NETWORKING / CNI
- Installed as a DaemonSet on all nodes
- Pods are marked with k8s.v1.cni.cncf.io/networks: kuma-cni
- The CNI enables transparent proxying: it redirects all traffic through the Data Plane
KUMA NETWORKING / INIT-CONTAINER
- Injected into the Pod and started on its own before the Data Plane
- Configures iptables / network routing
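The iptables redirect that the init container (or CNI) installs is what makes the mesh's mTLS and traffic permissions unbypassable, so a defender wants a way to verify it. The following audit script is an added example, not code from the slides or from Kuma: it parses an `iptables-save -t nat` dump taken inside a pod's network namespace, follows the jumps from OUTPUT and PREROUTING, and reports the redirect ports plus every RETURN exclusion that is not one of the expected ones. The chain names in the constructed sample, the kuma-dp ports 15001 (outbound) / 15006 (inbound) and the sidecar UID 5678 are assumed defaults.

```python
"""Audit a pod's iptables NAT rules for Kuma-style transparent proxying.
Added example, not from the slides or the Kuma project; chain names, the
ports 15001 (outbound) / 15006 (inbound) and sidecar UID 5678 are assumed."""
import re
from typing import Dict, List, Tuple

OUTBOUND_PORT = 15001  # kuma-dp outbound listener (assumed default)
INBOUND_PORT = 15006   # kuma-dp inbound listener (assumed default)
SIDECAR_UID = "5678"   # UID the sidecar runs as; its own egress must not loop
# RETURN rules we expect to see: the sidecar's own egress and loopback traffic.
EXPECTED_EXCLUSIONS = (f"--uid-owner {SIDECAR_UID}", "-d 127.0.0.1/32")
RULE_RE = re.compile(r"^-A (\S+)\s*(.*?)\s*-j (\S+)\s*(.*)$")
Rule = Tuple[str, str, str]  # (match expression, jump target, target args)

def parse_nat_table(dump: str) -> Dict[str, List[Rule]]:
    """Group the -A rules of an `iptables-save -t nat` dump by chain, in order."""
    chains: Dict[str, List[Rule]] = {}
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chain, match, target, args = m.groups()
            chains.setdefault(chain, []).append((match.strip(), target, args.strip()))
    return chains

def walk(chains: Dict[str, List[Rule]], chain: str, seen=None) -> Tuple[set, list]:
    """Follow jumps from `chain`; return (REDIRECT ports reached, RETURN holes)."""
    seen = seen if seen is not None else set()
    ports, holes = set(), []
    if chain in seen:
        return ports, holes
    seen.add(chain)
    for match, target, args in chains.get(chain, []):
        if target == "REDIRECT":
            m = re.search(r"--to-ports? (\d+)", args)
            if m:
                ports.add(int(m.group(1)))
        elif target == "RETURN":
            holes.append(match)          # traffic matching this skips the proxy
        elif target in chains:           # user-defined chain: recurse
            p, h = walk(chains, target, seen)
            ports |= p
            holes += h
    return ports, holes

def audit(dump: str) -> dict:
    """Check both directions are redirected and list every exclusion not expected."""
    chains = parse_nat_table(dump)
    out_ports, out_holes = walk(chains, "OUTPUT")      # leaving the app containers
    in_ports, in_holes = walk(chains, "PREROUTING")    # arriving at the pod
    findings = []
    if OUTBOUND_PORT not in out_ports:
        findings.append(f"OUTPUT is not redirected to outbound port {OUTBOUND_PORT}")
    if INBOUND_PORT not in in_ports:
        findings.append(f"PREROUTING is not redirected to inbound port {INBOUND_PORT}")
    for direction, holes in (("outbound", out_holes), ("inbound", in_holes)):
        for hole in holes:
            if not any(ok in hole for ok in EXPECTED_EXCLUSIONS):
                findings.append(f"{direction} traffic matching '{hole}' bypasses the proxy")
    return {"ok": not findings, "findings": findings,
            "outbound_ports": sorted(out_ports), "inbound_ports": sorted(in_ports)}

# Constructed sample in the shape of the rules the init container installs.
NAT_DUMP_OK = """*nat
-A PREROUTING -p tcp -j KUMA_MESH_INBOUND
-A OUTPUT -p tcp -j KUMA_MESH_OUTBOUND
-A KUMA_MESH_INBOUND -p tcp -j KUMA_MESH_INBOUND_REDIRECT
-A KUMA_MESH_INBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15006
-A KUMA_MESH_OUTBOUND -m owner --uid-owner 5678 -j RETURN
-A KUMA_MESH_OUTBOUND -d 127.0.0.1/32 -j RETURN
-A KUMA_MESH_OUTBOUND -j KUMA_MESH_OUTBOUND_REDIRECT
-A KUMA_MESH_OUTBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15001
COMMIT"""
# Same rules plus one extra exclusion: port 8080 egress would skip mTLS and policy.
NAT_DUMP_BYPASS = NAT_DUMP_OK.replace(
    "-A KUMA_MESH_OUTBOUND -j KUMA_MESH_OUTBOUND_REDIRECT",
    "-A KUMA_MESH_OUTBOUND -p tcp -m tcp --dport 8080 -j RETURN\n"
    "-A KUMA_MESH_OUTBOUND -j KUMA_MESH_OUTBOUND_REDIRECT")

if __name__ == "__main__":
    for name, dump in (("ok", NAT_DUMP_OK), ("bypass", NAT_DUMP_BYPASS)):
        print(name, audit(dump))
```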
SERVICE MESH DNS
- Local DNS resolution directly in the Data Plane (Envoy)
- Names are not resolvable in the complete cluster, just inside the service mesh (Envoy)
- Resolves ".mesh" addresses to pre-defined service mesh IP addresses
- An IP in another zone / cluster is routed over the Kuma Zone Ingress
ZONE EGRESS
- Special Data Plane instance, like the Zone Ingress
- All outgoing traffic is routed through this instance
- In the future, External Services can only be used with a deployed Zone Egress
INTEGRATION OF LEGACY WORKLOAD
- Integration of VM and bare-metal workloads
- Local Data Plane instance connecting to the Control Plane
- Seamless and secure communication between VM and Kubernetes workloads
03 DEMO
ARCHITECTURE OVERVIEW
(architecture diagram)
ANALYZING AND MONITORING THE DATA
- Using the Grafana stack to create a 360-degree view
- Component usage:
  - Visualization: Grafana
  - Logging: Loki (log shipping: FluentD / FluentBit / Promtail)
  - Metrics: Prometheus
  - Tracing: Jaeger or Tempo
  - Alerting: Prometheus Alertmanager
- Operating models
  - Self-managed (e.g. on-prem)
  - Grafana SaaS offering
ARCHITECTURE OBSERVABILITY
(architecture diagram)
DEMO
ASPECTS COVERED
- Mesh management (Kuma UI)
- Managing apps within the mesh
- Locality awareness
- Advanced routing
- Security
- Mesh observability
  - Metrics
  - Logs
  - Traces
04 CONCLUSION
SERVICE MESH BENEFITS
- Zero-trust security
  - mTLS, Traffic Permissions
- Increased developer productivity
  - Cross-cutting concerns (AuthN & AuthZ, …)
- Self-service network management
- Multi-tenancy over multiple clouds
- Reliable connectivity
  - Circuit Breaker, Traffic Routes, …
- Observability
  - Metrics, Tracing, Logs
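The Traffic Permissions behind the zero-trust bullet, as an added example that is not code from the slides or from Kuma: a small evaluator for MeshTrafficPermission-style policies using the targetRef kinds Mesh, MeshSubset, MeshService and MeshServiceSubset and the actions Allow, Deny and AllowWithShadowDeny. It assumes a simplified "most specific (destination, source) pair wins" rule and a Deny fallback when nothing matches, and the service and policy data are constructed.

```python
"""Decide whether a mesh call is permitted under Kuma-style MeshTrafficPermission
policies. Added example, not from the slides or the Kuma project. Simplified
model (assumption): the most specific matching (destination, source) targetRef
pair wins, and the fallback with no matching rule is Deny."""
from typing import List, Optional

SPECIFICITY = {"Mesh": 0, "MeshSubset": 1, "MeshService": 2, "MeshServiceSubset": 3}

def matches(ref: dict, svc: dict) -> bool:
    """Does a targetRef select this service (by name and/or tags)?"""
    kind = ref["kind"]
    if kind == "Mesh":
        return True
    tags_ok = all(svc["tags"].get(k) == v for k, v in ref.get("tags", {}).items())
    if kind == "MeshSubset":
        return tags_ok
    if kind == "MeshService":
        return svc["name"] == ref["name"]
    if kind == "MeshServiceSubset":
        return svc["name"] == ref["name"] and tags_ok
    raise ValueError(f"unknown targetRef kind {kind!r}")

def decide(policies: List[dict], src: dict, dst: dict, fallback: str = "Deny") -> str:
    """Return the action for src -> dst; the most specific matching rule wins."""
    best: Optional[tuple] = None
    for pol in policies:
        spec = pol["spec"]
        if not matches(spec["targetRef"], dst):   # top-level targetRef = destination
            continue
        for rule in spec["from"]:                  # from[].targetRef = source
            if not matches(rule["targetRef"], src):
                continue
            rank = (SPECIFICITY[spec["targetRef"]["kind"]],
                    SPECIFICITY[rule["targetRef"]["kind"]])
            if best is None or rank > best[0]:
                best = (rank, rule["default"]["action"])
    return best[1] if best else fallback

# Constructed services (name = kuma.io/service) and a zero-trust policy set.
FRONTEND = {"name": "frontend", "tags": {"kuma.io/zone": "zone-1"}}
BACKEND_V1 = {"name": "backend", "tags": {"version": "v1"}}
BACKEND_V2 = {"name": "backend", "tags": {"version": "v2"}}
PROMETHEUS = {"name": "prometheus", "tags": {}}
BATCH = {"name": "batch", "tags": {}}

POLICIES = [
    # 1. default deny for the whole mesh
    {"spec": {"targetRef": {"kind": "Mesh"},
              "from": [{"targetRef": {"kind": "Mesh"}, "default": {"action": "Deny"}}]}},
    # 2. metrics scraping is allowed mesh-wide
    {"spec": {"targetRef": {"kind": "Mesh"},
              "from": [{"targetRef": {"kind": "MeshService", "name": "prometheus"},
                        "default": {"action": "Allow"}}]}},
    # 3. the one business path that is needed: frontend -> backend
    {"spec": {"targetRef": {"kind": "MeshService", "name": "backend"},
              "from": [{"targetRef": {"kind": "MeshService", "name": "frontend"},
                        "default": {"action": "Allow"}}]}},
    # 4. canary v2: allow, but log what a Deny would have blocked
    {"spec": {"targetRef": {"kind": "MeshServiceSubset", "name": "backend",
                            "tags": {"version": "v2"}},
              "from": [{"targetRef": {"kind": "MeshService", "name": "frontend"},
                        "default": {"action": "AllowWithShadowDeny"}}]}},
]

if __name__ == "__main__":
    for s, d in ((FRONTEND, BACKEND_V1), (FRONTEND, BACKEND_V2),
                 (BATCH, BACKEND_V1), (PROMETHEUS, BATCH)):
        print(f"{s['name']} -> {d['name']} {d['tags']}: {decide(POLICIES, s, d)}")
```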
KEY TAKEAWAYS
- A service mesh is essential for building and managing multi-cloud apps efficiently
- Kuma as a mesh implementation provides
  - An agnostic approach (independent of architecture or platform)
  - A modern, flexible architecture supporting hybrid, multi-cloud scenarios
    - Multi-zone
    - Multi-cluster
    - Multi-mesh
  - Seamless CI / CD integration (GitOps)
  - An intuitive design
- Spanning a mesh over multiple clusters and clouds can be done easily
MATERIALS
- Demo source: https://github.com/KongChampions/kuma-multi-zone-mesh
- Kuma docs: https://kuma.io/docs/2.2.x/
- Kuma Counter Demo: https://github.com/kumahq/kuma-counter-demo
- Kuma introduction, Meetup recording "Service integration made easy with OpenSource Kuma": https://www.youtube.com/watch?v=f3GeuKzYrsA&t=1s
- Demo "Service integration made easy with OpenSource Kuma": https://github.com/svenbernhardt/service-integration-made-easy
- Kong / Kuma and friends (k3d): https://github.com/FabianHardt/k3d-bootstrap-cluster
Q & A
https://opitzcloud.canto.global/b/H0EMG
www.opitz-consulting.com
CONTACT
Philipp Kürsten, Senior Consultant
Philipp.Kürsten@opitz-consulting.com
+49 173 7279570
https://www.xing.com/profile/Philipp_Kuersten/
https://www.linkedin.com/in/philipp-kuersten/
Fabian Hardt, Solution Architect
Fabian.Hardt@opitz-consulting.com
https://twitter.com/fabian_hardt
https://www.xing.com/profile/Fabian_Hardt
https://www.linkedin.com/in/fabian-hardt/

Editor's Notes

  • #6: Attention: the spoken text must be right here, because this is where our offering is formulated.
  • #18: Arrows
  • #24: Global Control Plane (AKS, Fabian); Zone 1: OKE (Sven with Data API); Zone 2: AKS (Fabian)
  • #31: Reliable connectivity: no longer the developer's responsibility; consistent, declarative management at infrastructure level. Self-service network management: the developer defines communication rules (traffic permissions); no longer any need to also involve network teams (firewall rules). Zero-trust security: secure communication via mTLS; automated certificate management; service discovery.