SlideShare a Scribd company logo

Istio Playground

QAware GmbH, profile picture
QAware GmbH

The document outlines the steps for setting up and deploying Istio on a local Kubernetes cluster, including configuring observability tools and deploying a sample application called Bookinfo. It provides detailed instructions on various tasks such as creating a Kubernetes environment, deploying Istio and its components, and configuring logging and metrics tools. Additionally, it covers detailed setup for traffic management features like canary releases and security configurations within Istio.

Data & Analytics
Related topics:
Cloud Computing Insights
1 of 53
Downloaded 27 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
Istio Playground @adersberger @qaware
Our network today — Optimize first: Switch network off and on again and use 5GHz networking — Plan A: Local installation — Plan B: Use GKE clusters — Plan C: Use Katacoda — Plan D: Steamworks
Workshop Prerequisites — Bash — git Client — Text editor (like VS.Code)
Baby Step: Grab the Code git clone https://github.com/adersberger/istio-playground cd istio-playground/code
Baby Step: Install a (local) Kubernetes Cluster https://www.docker.com/community-edition — Preferences: enable Kubernetes — Preferences: increase resource usage to 3 cores and 8 GB memory
The Ultimate Guide to Fix Strange Kubernetes Behavior
Setup Kubernetes Environment # Switch k8s context kubectl config use-context docker-for-desktop # Deploy k8s dashboard kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml # Extract id of default service account token (referred as TOKENID) kubectl describe serviceaccount default # Grab token and insert it into k8s Dashboard UI auth dialog kubectl describe secret TOKENID # Start local proxy kubectl proxy --port=8001 & # Open k8s Dashboard open http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
Deploy Istio curl -L https://git.io/getLatestIstio | sh - cd istio-1.0.1 export PATH=$PWD/bin:$PATH istioctl version # deploy Istio # (demo setting, default deployment is via Helm) kubectl apply -f install/kubernetes/istio-demo.yaml kubectl get pods -n istio-system # label default namespace to be auto-sidecarred kubectl label namespace default istio-injection=enabled kubectl get namespace -L istio-injection
Deploy Sample Application (BookInfo) kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml kubectl get pods istioctl create -f samples/bookinfo/networking/bookinfo-gateway.yaml istioctl get gateways open http://localhost/productpage
Hands-on
Why?
Istio Playground
Istio Playground
Atomic Architecture
Istio Playground
Istio Playground
Library Bloat
Istio Playground
Istio Playground
Istio Playground
Istio Playground
Se!ing the Sails with Istio 1.0.1
Istio Playground
Istio Abstractions
Sample Application: BookInfo1 1  Istio BookInfo Sample (https://istio.io/docs/examples/bookinfo)
Istio Playground
Bookinfo: Gateway apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: bookinfo-gateway spec: selector: istio: ingressgateway # use istio default controller servers: - port: number: 80 name: http protocol: HTTP hosts: - "*"
Bookinfo: VirtualService apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: bookinfo spec: hosts: - "*" gateways: - bookinfo-gateway http: - match: - uri: exact: /productpage - uri: exact: /login - uri: exact: /logout - uri: prefix: /api/v1/products route: - destination: host: productpage port: number: 9080
Bookinfo: DestinationRule apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: productpage spec: host: productpage subsets: - name: v1 labels: version: v1
Hands-on: Have a look around the YAMLs and Dashboard
Expose Istio Observability Tools #Metrics: Prometheus kubectl expose deployment prometheus --name=prometheus-expose --port=9090 --target-port=9090 --type=LoadBalancer -n=istio-system #Metrics: Grafana kubectl expose deployment grafana --name=grafana-expose --port=3000 --target-port=3000 --type=LoadBalancer -n=istio-system open http://localhost:3000/d/1/istio-dashboard #Tracing: Jaeger kubectl expose deployment istio-tracing --name=tracing-expose --port=16686 --target-port=16686 --type=LoadBalancer -n=istio-system open http://localhost:16686 #Tracing: ServiceGraph kubectl expose service servicegraph --name=servicegraph-expose --port=8088 --target-port=8088 --type=LoadBalancer -n=istio-system open http://localhost:8088/force/forcegraph.html open http://localhost:8088/dotviz
Deploy Missing Observability Feature: Log Analysis (EFK) cd .. #go to istio-playground/code kubectl apply -f logging-stack.yaml kubectl get pods -n=logging kubectl expose deployment kibana --name=kibana-expose --port=5601 --target-port=5601 --type=LoadBalancer -n=logging istioctl create -f fluentd-istio.yaml
Deploy Missing Observability Feature: Log Analysis (EFK) open http://localhost:5601/app/kibana — Perform some requests to the BookInfo application — Use * as the index pattern — Select @timestamp as the time filter field name
fluentd-istio.yaml (1/3) # Configuration for logentry instances apiVersion: "config.istio.io/v1alpha2" kind: logentry metadata: name: newlog namespace: istio-system spec: severity: '"info"' timestamp: request.time variables: source: source.labels["app"] | source.service | "unknown" user: source.user | "unknown" destination: destination.labels["app"] | destination.service | "unknown" responseCode: response.code | 0 responseSize: response.size | 0 latency: response.duration | "0ms" monitored_resource_type: '"UNSPECIFIED"'
fluentd-istio.yaml (2/3) # Configuration for a fluentd handler apiVersion: "config.istio.io/v1alpha2" kind: fluentd metadata: name: handler namespace: istio-system spec: address: "fluentd-es.logging:24224"
fluentd-istio.yaml (3/3) # Rule to send logentry instances to the fluentd handler apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: newlogtofluentd namespace: istio-system spec: match: "true" # match for all requests actions: - handler: handler.fluentd instances: - newlog.logentry
Stimulate! slapper -rate 4 -targets ./target -workers 2 -maxY 15s Download from: https://github.com/adersberger/slapper/ releases/tag/0.1
Slapper2 in action 2  Key bindings: q, ctrl-c - quit r - reset stats k - increase rate by 100 RPS j - decrease rate by 100 RPS
Hands-on
Observability Outlook: Kiali
Observability Outlook: Kiali (macOS setup) brew install gettext brew link --force gettext # follow k8s setup guide: https://www.kiali.io/gettingstarted kubectl expose deployment kiali --name=kiali-expose --port=20001 --target-port=20001 --type=LoadBalancer -n=istio-system open http://localhost:20001 # login with admin/admin
Release Pa!erns
Sample Application Recap
Sample Desination Rule apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: reviews spec: host: reviews subsets: - name: v1 labels: version: v1 - name: v2 labels: version: v2 - name: v3 labels: version: v3
Canary Releases: A/B Testing apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: reviews spec: hosts: - reviews http: - match: - headers: end-user: exact: jason route: - destination: host: reviews subset: v2 - route: - destination: host: reviews subset: v1
Canary Releases: A/B Testing cd istio-1.0.1 istioctl create -f samples/bookinfo/networking/virtual-service-all-v1.yaml istioctl create -f samples/bookinfo/networking/destination-rule-all.yaml istioctl replace -f samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml #open BookInfo application and login as user jason (password jason) open http://localhost/productpage — login as "jason" / "jason" leads to v2 (black stars) — anonymous user leads to v1 (no stars)
Canary Releases: Rolling Upgrade apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: reviews spec: hosts: - reviews http: - route: - destination: host: reviews subset: v1 weight: 50 - destination: host: reviews subset: v3 weight: 50 istioctl replace -f samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml
Canary Releases: Blue/Green apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: reviews spec: hosts: - reviews http: - route: - destination: host: reviews subset: v3 istioctl replace -f samples/bookinfo/networking/virtual-service-reviews-v3.yaml istioctl get routerules
Hands-on
Time to Play! Traffic Management Resiliency Security Observability Request Routing Timeouts mTLS Metrics Load Balancing Circuit Breaker Role-Based Access Control Logs Traffic Shifting Health Checks (active, passive) Workload Identity Traces Traffic Mirroring Retries Authentication Policies Service Discovery Rate Limiting CORS Handling Ingress, Egress Delay & Fault Injection TLS Termination, SNI API Specification Connection Pooling Multicluster Mesh https://istio.io/docs/tasks https://istio.io/about/feature-stages
Hands-on
Istio Playground
FAQ Q: How does the Envoy proxy intercept requests? A: With IPtable rules (alls rules pointing to envoy) Q: How does the auto-sidecar magic work? A: With an Istio admission controller enhancing the deployments Q: How can I list all Istio custom resource definitions and commands? A: kubectl api-resources Q: I can't see any metrics, logs, traces. What should I do? A: Restart istio-telemetry Deploment or kubectl replace -f fluentd-istio.yaml

More Related Content

PDF
Container Network Interface: Network Plugins for Kubernetes and beyond
KubeAcademy
 
PDF
Kubernetes Networking
Giragadurai Vallirajan
 
PPT
Docker Multi Host Networking, Rachit Arora, IBM
Neependra Khare
 
PPTX
How to Achieve Canary Deployment on Kubernetes
HanLing Shen
 
PDF
IP Virtual Server(IPVS) 101
HungWei Chiu
 
PDF
Driving containerd operations with gRPC
Docker, Inc.
 
PDF
KubeCon EU 2016: A Practical Guide to Container Scheduling
KubeAcademy
 
PPTX
Introduction to CNI (Container Network Interface)
HungWei Chiu
 
Container Network Interface: Network Plugins for Kubernetes and beyond
KubeAcademy
 
Kubernetes Networking
Giragadurai Vallirajan
 
Docker Multi Host Networking, Rachit Arora, IBM
Neependra Khare
 
How to Achieve Canary Deployment on Kubernetes
HanLing Shen
 
IP Virtual Server(IPVS) 101
HungWei Chiu
 
Driving containerd operations with gRPC
Docker, Inc.
 
KubeCon EU 2016: A Practical Guide to Container Scheduling
KubeAcademy
 
Introduction to CNI (Container Network Interface)
HungWei Chiu
 

What's hot (20)

PDF
Load Balancing 101
HungWei Chiu
 
PDF
Network plugins for kubernetes
inwin stack
 
PDF
Introduction to CircleCI
HungWei Chiu
 
PDF
Simplify Networking for Containers
LinuxCon ContainerCon CloudOpen China
 
PDF
Kubernetes Networking
CJ Cullen
 
PDF
Docker 1.12 networking deep dive
Madhu Venugopal
 
PDF
Docker Meetup: Docker Networking 1.11, by Madhu Venugopal
Michelle Antebi
 
PDF
Containerd: Building a Container Supervisor by Michael Crosby
Docker, Inc.
 
PDF
Kubernetes Networking - Giragadurai Vallirajan
Neependra Khare
 
PDF
DockerDay2015: Docker Networking
Docker-Hanoi
 
PDF
Build Your Own CaaS (Container as a Service)
HungWei Chiu
 
PDF
Application-Based Routing
HungWei Chiu
 
PDF
Automatically Renew Certificated In Your Kubernetes Cluster
HungWei Chiu
 
PDF
Container Performance Analysis
Brendan Gregg
 
PPTX
Docker Online Meetup #29: Docker Networking is Now GA
Docker, Inc.
 
PDF
Docker network performance in the public cloud
Arjan Schaaf
 
PDF
Elk for applications on k8s
Che-Chia Chang
 
PDF
Scaling docker with kubernetes
Liran Cohen
 
PDF
IPTABLES Introduction
HungWei Chiu
 
PDF
Kubernetes networking & Security
Vietnam Open Infrastructure User Group
 
Load Balancing 101
HungWei Chiu
 
Network plugins for kubernetes
inwin stack
 
Introduction to CircleCI
HungWei Chiu
 
Simplify Networking for Containers
LinuxCon ContainerCon CloudOpen China
 
Kubernetes Networking
CJ Cullen
 
Docker 1.12 networking deep dive
Madhu Venugopal
 
Docker Meetup: Docker Networking 1.11, by Madhu Venugopal
Michelle Antebi
 
Containerd: Building a Container Supervisor by Michael Crosby
Docker, Inc.
 
Kubernetes Networking - Giragadurai Vallirajan
Neependra Khare
 
DockerDay2015: Docker Networking
Docker-Hanoi
 
Build Your Own CaaS (Container as a Service)
HungWei Chiu
 
Application-Based Routing
HungWei Chiu
 
Automatically Renew Certificated In Your Kubernetes Cluster
HungWei Chiu
 
Container Performance Analysis
Brendan Gregg
 
Docker Online Meetup #29: Docker Networking is Now GA
Docker, Inc.
 
Docker network performance in the public cloud
Arjan Schaaf
 
Elk for applications on k8s
Che-Chia Chang
 
Scaling docker with kubernetes
Liran Cohen
 
IPTABLES Introduction
HungWei Chiu
 
Kubernetes networking & Security
Vietnam Open Infrastructure User Group
 
Ad

Similar to Istio Playground (20)

PDF
Ports, pods and proxies
LibbySchulze
 
PDF
Cloud-native applications with Java and Kubernetes - Yehor Volkov
Kuberton
 
PDF
Gluster Containerized Storage for Cloud Applications
Gluster.org
 
PDF
Gluster Contenarized Storage for Cloud Applications
Humble Chirammal
 
PDF
Web scale infrastructures with kubernetes and flannel
purpleocean
 
PPTX
Kubernetes walkthrough
Sangwon Lee
 
PDF
DevOpSec_KubernetesOperatorUsingJava.pdf
kanedafromparis
 
PDF
OpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
María Angélica Bracho
 
PDF
Istio By Example (extended version)
Josef Adersberger
 
PDF
Istio by Example (extended version)
QAware GmbH
 
PPTX
Dayta AI Seminar - Kubernetes, Docker and AI on Cloud
Jung-Hong Kim
 
PPTX
k8s practice 2023.pptx
wonyong hwang
 
PPTX
Orchestration with Kubernetes
Kunal Kerkar
 
PDF
Istio Playground
QAware GmbH
 
PDF
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
Chris Bailey
 
PPTX
TechUG - Kubernetes 101 - May 2020
Elton Stoneman
 
PDF
kubernetes for beginners
Dominique Dumont
 
PDF
Prometheus on NKS
Jo Hoon
 
PPTX
The Challenges of Becoming Cloud Native
Ben Hall
 
PDF
Shakr - Container CI/CD with Google Cloud Platform
Minku Lee
 
Ports, pods and proxies
LibbySchulze
 
Cloud-native applications with Java and Kubernetes - Yehor Volkov
Kuberton
 
Gluster Containerized Storage for Cloud Applications
Gluster.org
 
Gluster Contenarized Storage for Cloud Applications
Humble Chirammal
 
Web scale infrastructures with kubernetes and flannel
purpleocean
 
Kubernetes walkthrough
Sangwon Lee
 
DevOpSec_KubernetesOperatorUsingJava.pdf
kanedafromparis
 
OpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
María Angélica Bracho
 
Istio By Example (extended version)
Josef Adersberger
 
Istio by Example (extended version)
QAware GmbH
 
Dayta AI Seminar - Kubernetes, Docker and AI on Cloud
Jung-Hong Kim
 
k8s practice 2023.pptx
wonyong hwang
 
Orchestration with Kubernetes
Kunal Kerkar
 
Istio Playground
QAware GmbH
 
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
Chris Bailey
 
TechUG - Kubernetes 101 - May 2020
Elton Stoneman
 
kubernetes for beginners
Dominique Dumont
 
Prometheus on NKS
Jo Hoon
 
The Challenges of Becoming Cloud Native
Ben Hall
 
Shakr - Container CI/CD with Google Cloud Platform
Minku Lee
 
Ad

More from QAware GmbH (20)

PDF
QAware_Mario-Leander_Reimer_Architecting and Building a K8s-based AI Platform...
QAware GmbH
 
PDF
Frontends mit Hilfe von KI entwickeln.pdf
QAware GmbH
 
PDF
Mit ChatGPT Dinosaurier besiegen - Möglichkeiten und Grenzen von LLM für die ...
QAware GmbH
 
PDF
50 Shades of K8s Autoscaling #JavaLand24.pdf
QAware GmbH
 
PDF
Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...
QAware GmbH
 
PPTX
Fully-managed Cloud-native Databases: The path to indefinite scale @ CNN Mainz
QAware GmbH
 
PDF
Down the Ivory Tower towards Agile Architecture
QAware GmbH
 
PDF
"Mixed" Scrum-Teams – Die richtige Mischung macht's!
QAware GmbH
 
PDF
Make Developers Fly: Principles for Platform Engineering
QAware GmbH
 
PDF
Der Tod der Testpyramide? – Frontend-Testing mit Playwright
QAware GmbH
 
PDF
Was kommt nach den SPAs
QAware GmbH
 
PDF
Cloud Migration mit KI: der Turbo
QAware GmbH
 
PDF
Migration von stark regulierten Anwendungen in die Cloud: Dem Teufel die See...
QAware GmbH
 
PDF
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
QAware GmbH
 
PDF
Endlich gute API Tests. Boldly Testing APIs Where No One Has Tested Before.
QAware GmbH
 
PDF
Kubernetes with Cilium in AWS - Experience Report!
QAware GmbH
 
PDF
50 Shades of K8s Autoscaling
QAware GmbH
 
PDF
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
QAware GmbH
 
PDF
Service Mesh Pain & Gain. Experiences from a client project.
QAware GmbH
 
PDF
50 Shades of K8s Autoscaling
QAware GmbH
 
QAware_Mario-Leander_Reimer_Architecting and Building a K8s-based AI Platform...
QAware GmbH
 
Frontends mit Hilfe von KI entwickeln.pdf
QAware GmbH
 
Mit ChatGPT Dinosaurier besiegen - Möglichkeiten und Grenzen von LLM für die ...
QAware GmbH
 
50 Shades of K8s Autoscaling #JavaLand24.pdf
QAware GmbH
 
Make Agile Great - PM-Erfahrungen aus zwei virtuellen internationalen SAFe-Pr...
QAware GmbH
 
Fully-managed Cloud-native Databases: The path to indefinite scale @ CNN Mainz
QAware GmbH
 
Down the Ivory Tower towards Agile Architecture
QAware GmbH
 
"Mixed" Scrum-Teams – Die richtige Mischung macht's!
QAware GmbH
 
Make Developers Fly: Principles for Platform Engineering
QAware GmbH
 
Der Tod der Testpyramide? – Frontend-Testing mit Playwright
QAware GmbH
 
Was kommt nach den SPAs
QAware GmbH
 
Cloud Migration mit KI: der Turbo
QAware GmbH
 
Migration von stark regulierten Anwendungen in die Cloud: Dem Teufel die See...
QAware GmbH
 
Aus blau wird grün! Ansätze und Technologien für nachhaltige Kubernetes-Cluster
QAware GmbH
 
Endlich gute API Tests. Boldly Testing APIs Where No One Has Tested Before.
QAware GmbH
 
Kubernetes with Cilium in AWS - Experience Report!
QAware GmbH
 
50 Shades of K8s Autoscaling
QAware GmbH
 
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
QAware GmbH
 
Service Mesh Pain & Gain. Experiences from a client project.
QAware GmbH
 
50 Shades of K8s Autoscaling
QAware GmbH
 

Recently uploaded (20)

PPTX
Data_Analytics_and_PowerBI_Presentation.pptx
ZubyrAhmed
 
PPTX
MODULE 8 - DISASTER risk PREPAREDNESS.pptx
AceAquino4
 
PPTX
STUDY DESIGN details- Lt Col Maksud (21).pptx
AyeshaAsha11
 
PPT
Chapter 3 METAL JOINING.pptnnnnnnnnnnnnn
JanakiRaman206018
 
PPT
Reliability_Chapter_ presentation 1221.5784
abobaker13
 
PPT
Quality review (1)_presentation of this 21
abobaker13
 
PDF
Foundation of Data Science unit number two notes
sanguleumeshit
 
PDF
"Python Programming for Geospatial Data Science." ...
institute of Geoinformatics and Earth Observation at PMAS ARID Agriculture University of Rawalpindi
 
PPTX
Moving the Public Sector (Government) to a Digital Adoption
PaulYoung221210
 
PPTX
DISORDERS OF THE LIVER, GALLBLADDER AND PANCREASE (1).pptx
chepkoitcheruiyot
 
PPTX
Major-Components-ofNKJNNKNKNKNKronment.pptx
dushyantsharma1221
 
PPTX
Introduction to Knowledge Engineering Part 1
busyprogrammersguide
 
PDF
Lecture1 pattern recognition............
ZafriFarid
 
PPTX
Computer network topology notes for revision
BatoolRawat
 
PDF
Galatica Smart Energy Infrastructure Startup Pitch Deck
Shahzaib Ajmal
 
PPT
Miokarditis (Inflamasi pada Otot Jantung)
NandaAndini1
 
PPTX
CEE 2 REPORT G7.pptxbdbshjdgsgjgsjfiuhsd
hildogavino28
 
PPT
Chapter 2 METAL FORMINGhhhhhhhjjjjmmmmmmmmm
JanakiRaman206018
 
PPTX
Introduction to Basics of Ethical Hacking and Penetration Testing -Unit No. 1...
AshutoshDeshmukh33
 
PPTX
mbdjdhjjodule 5-1 rhfhhfjtjjhafbrhfnfbbfnb
CHINTU5000
 
Data_Analytics_and_PowerBI_Presentation.pptx
ZubyrAhmed
 
MODULE 8 - DISASTER risk PREPAREDNESS.pptx
AceAquino4
 
STUDY DESIGN details- Lt Col Maksud (21).pptx
AyeshaAsha11
 
Chapter 3 METAL JOINING.pptnnnnnnnnnnnnn
JanakiRaman206018
 
Reliability_Chapter_ presentation 1221.5784
abobaker13
 
Quality review (1)_presentation of this 21
abobaker13
 
Foundation of Data Science unit number two notes
sanguleumeshit
 
"Python Programming for Geospatial Data Science." ...
institute of Geoinformatics and Earth Observation at PMAS ARID Agriculture University of Rawalpindi
 
Moving the Public Sector (Government) to a Digital Adoption
PaulYoung221210
 
DISORDERS OF THE LIVER, GALLBLADDER AND PANCREASE (1).pptx
chepkoitcheruiyot
 
Major-Components-ofNKJNNKNKNKNKronment.pptx
dushyantsharma1221
 
Introduction to Knowledge Engineering Part 1
busyprogrammersguide
 
Lecture1 pattern recognition............
ZafriFarid
 
Computer network topology notes for revision
BatoolRawat
 
Galatica Smart Energy Infrastructure Startup Pitch Deck
Shahzaib Ajmal
 
Miokarditis (Inflamasi pada Otot Jantung)
NandaAndini1
 
CEE 2 REPORT G7.pptxbdbshjdgsgjgsjfiuhsd
hildogavino28
 
Chapter 2 METAL FORMINGhhhhhhhjjjjmmmmmmmmm
JanakiRaman206018
 
Introduction to Basics of Ethical Hacking and Penetration Testing -Unit No. 1...
AshutoshDeshmukh33
 
mbdjdhjjodule 5-1 rhfhhfjtjjhafbrhfnfbbfnb
CHINTU5000
 

Istio Playground

  • 2. Our network today — Optimize first: Switch network off and on again and use 5GHz networking — Plan A: Local installation — Plan B: Use GKE clusters — Plan C: Use Katacoda — Plan D: Steamworks
  • 3. Workshop Prerequisites — Bash — git Client — Text editor (like VS.Code)
  • 4. Baby Step: Grab the Code git clone https://github.com/adersberger/istio-playground cd istio-playground/code
  • 5. Baby Step: Install a (local) Kubernetes Cluster https://www.docker.com/community-edition — Preferences: enable Kubernetes — Preferences: increase resource usage to 3 cores and 8 GB memory
  • 6. The Ultimate Guide to Fix Strange Kubernetes Behavior
  • 7. Setup Kubernetes Environment # Switch k8s context kubectl config use-context docker-for-desktop # Deploy k8s dashboard kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml # Extract id of default service account token (referred as TOKENID) kubectl describe serviceaccount default # Grab token and insert it into k8s Dashboard UI auth dialog kubectl describe secret TOKENID # Start local proxy kubectl proxy --port=8001 & # Open k8s Dashboard open http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
  • 8. Deploy Istio curl -L https://git.io/getLatestIstio | sh - cd istio-1.0.1 export PATH=$PWD/bin:$PATH istioctl version # deploy Istio # (demo setting, default deployment is via Helm) kubectl apply -f install/kubernetes/istio-demo.yaml kubectl get pods -n istio-system # label default namespace to be auto-sidecarred kubectl label namespace default istio-injection=enabled kubectl get namespace -L istio-injection
  • 9. Deploy Sample Application (BookInfo) kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml kubectl get pods istioctl create -f samples/bookinfo/networking/bookinfo-gateway.yaml istioctl get gateways open http://localhost/productpage
  • 11. Why?
  • 22. Se!ing the Sails with Istio 1.0.1
  • 25. Sample Application: BookInfo1 1  Istio BookInfo Sample (https://istio.io/docs/examples/bookinfo)
  • 27. Bookinfo: Gateway apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: bookinfo-gateway spec: selector: istio: ingressgateway # use istio default controller servers: - port: number: 80 name: http protocol: HTTP hosts: - "*"
  • 28. Bookinfo: VirtualService apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: bookinfo spec: hosts: - "*" gateways: - bookinfo-gateway http: - match: - uri: exact: /productpage - uri: exact: /login - uri: exact: /logout - uri: prefix: /api/v1/products route: - destination: host: productpage port: number: 9080
  • 29. Bookinfo: DestinationRule apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: productpage spec: host: productpage subsets: - name: v1 labels: version: v1
  • 30. Hands-on: Have a look around the YAMLs and Dashboard
  • 31. Expose Istio Observability Tools #Metrics: Prometheus kubectl expose deployment prometheus --name=prometheus-expose --port=9090 --target-port=9090 --type=LoadBalancer -n=istio-system #Metrics: Grafana kubectl expose deployment grafana --name=grafana-expose --port=3000 --target-port=3000 --type=LoadBalancer -n=istio-system open http://localhost:3000/d/1/istio-dashboard #Tracing: Jaeger kubectl expose deployment istio-tracing --name=tracing-expose --port=16686 --target-port=16686 --type=LoadBalancer -n=istio-system open http://localhost:16686 #Tracing: ServiceGraph kubectl expose service servicegraph --name=servicegraph-expose --port=8088 --target-port=8088 --type=LoadBalancer -n=istio-system open http://localhost:8088/force/forcegraph.html open http://localhost:8088/dotviz
  • 32. Deploy Missing Observability Feature: Log Analysis (EFK) cd .. #go to istio-playground/code kubectl apply -f logging-stack.yaml kubectl get pods -n=logging kubectl expose deployment kibana --name=kibana-expose --port=5601 --target-port=5601 --type=LoadBalancer -n=logging istioctl create -f fluentd-istio.yaml
  • 33. Deploy Missing Observability Feature: Log Analysis (EFK) open http://localhost:5601/app/kibana — Perform some requests to the BookInfo application — Use * as the index pattern — Select @timestamp as the time filter field name
  • 34. fluentd-istio.yaml (1/3) # Configuration for logentry instances apiVersion: "config.istio.io/v1alpha2" kind: logentry metadata: name: newlog namespace: istio-system spec: severity: '"info"' timestamp: request.time variables: source: source.labels["app"] | source.service | "unknown" user: source.user | "unknown" destination: destination.labels["app"] | destination.service | "unknown" responseCode: response.code | 0 responseSize: response.size | 0 latency: response.duration | "0ms" monitored_resource_type: '"UNSPECIFIED"'
  • 35. fluentd-istio.yaml (2/3) # Configuration for a fluentd handler apiVersion: "config.istio.io/v1alpha2" kind: fluentd metadata: name: handler namespace: istio-system spec: address: "fluentd-es.logging:24224"
  • 36. fluentd-istio.yaml (3/3) # Rule to send logentry instances to the fluentd handler apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: newlogtofluentd namespace: istio-system spec: match: "true" # match for all requests actions: - handler: handler.fluentd instances: - newlog.logentry
  • 37. Stimulate! slapper -rate 4 -targets ./target -workers 2 -maxY 15s Download from: https://github.com/adersberger/slapper/ releases/tag/0.1
  • 38. Slapper2 in action 2  Key bindings: q, ctrl-c - quit r - reset stats k - increase rate by 100 RPS j - decrease rate by 100 RPS
  • 41. Observability Outlook: Kiali (macOS setup) brew install gettext brew link --force gettext # follow k8s setup guide: https://www.kiali.io/gettingstarted kubectl expose deployment kiali --name=kiali-expose --port=20001 --target-port=20001 --type=LoadBalancer -n=istio-system open http://localhost:20001 # login with admin/admin
  • 44. Sample Desination Rule apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: reviews spec: host: reviews subsets: - name: v1 labels: version: v1 - name: v2 labels: version: v2 - name: v3 labels: version: v3
  • 45. Canary Releases: A/B Testing apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: reviews spec: hosts: - reviews http: - match: - headers: end-user: exact: jason route: - destination: host: reviews subset: v2 - route: - destination: host: reviews subset: v1
  • 46. Canary Releases: A/B Testing cd istio-1.0.1 istioctl create -f samples/bookinfo/networking/virtual-service-all-v1.yaml istioctl create -f samples/bookinfo/networking/destination-rule-all.yaml istioctl replace -f samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml #open BookInfo application and login as user jason (password jason) open http://localhost/productpage — login as "jason" / "jason" leads to v2 (black stars) — anonymous user leads to v1 (no stars)
  • 47. Canary Releases: Rolling Upgrade apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: reviews spec: hosts: - reviews http: - route: - destination: host: reviews subset: v1 weight: 50 - destination: host: reviews subset: v3 weight: 50 istioctl replace -f samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml
  • 48. Canary Releases: Blue/Green apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: reviews spec: hosts: - reviews http: - route: - destination: host: reviews subset: v3 istioctl replace -f samples/bookinfo/networking/virtual-service-reviews-v3.yaml istioctl get routerules
  • 50. Time to Play! Traffic Management Resiliency Security Observability Request Routing Timeouts mTLS Metrics Load Balancing Circuit Breaker Role-Based Access Control Logs Traffic Shifting Health Checks (active, passive) Workload Identity Traces Traffic Mirroring Retries Authentication Policies Service Discovery Rate Limiting CORS Handling Ingress, Egress Delay & Fault Injection TLS Termination, SNI API Specification Connection Pooling Multicluster Mesh https://istio.io/docs/tasks https://istio.io/about/feature-stages
  • 53. FAQ Q: How does the Envoy proxy intercept requests? A: With IPtable rules (alls rules pointing to envoy) Q: How does the auto-sidecar magic work? A: With an Istio admission controller enhancing the deployments Q: How can I list all Istio custom resource definitions and commands? A: kubectl api-resources Q: I can't see any metrics, logs, traces. What should I do? A: Restart istio-telemetry Deploment or kubectl replace -f fluentd-istio.yaml