21st Docker Switzerland Meetup - ISTIO

ISTIO
NIKLAUS HIRT (DEVOPS / CLOUD ARCHITECT)

AGENDA
1. Microservices
2. Istio
3. Demo

MICROSERVICES
▸Decomposing an application into single function modules
which are independently deployed and operated
▸Accelerate delivery by minimizing communication and
coordination between people

THE TRADE OFF
Improved delivery
velocity in exchange for
increased operational
complexity
Hailo microservices

MICROSERVICES ARE HARD
▸Applications aren’t running in green-field environments
▸Network layer is hard to manage
▸Tooling is nascent

COMMON DEVOPS CHALLENGE 1
▸How do I roll out a newer version of my microservice
without down time?
▸How do I ensure traffic continue to go to the current
version before the newer version is tested and ready?

▸How do I do canary testing?
▸I want to leverage crowdsourced testing. How do I test the
new version with a subset of users?
▸How do I proceed to a full rollout after satisfactory testing
of the new version?

▸How do I do A/B testing?
• Release a new version to a subset of users in a precise
way
▸I have launched B in the dark, but how can I keep B to
myself or a small testing group?

OTHER COMMON DEVOPS CHALLENGES
4. Things don’t always go correctly in production... How do I
inject fault to my microservices to prepare myself?
5. My services can only handle certain rate, how can I limit
rate for some of my services?
6. I need to view and monitor what is going on with each of
my services when crisis arises.
7. How can I secure my services .

It’s doable, but…
Requires a lot of coding

Service Mesh
Dedicated infrastructure layer
to make
service-to-service communication
fast, safe and reliable

ISTIO
A service mesh designed to
connect, manage and secure micro services

ISTIO
Launched in May 2017
by Google, Lyft and IBM

ISTIO
Open Source

ISTIO
Open Source
Zero Code Changes

INTELLIGENT ROUTING AND LOAD BALANCING
‣ Conduct traffic between services
with dynamic route configuration
‣ A/B tests
‣ Canary releases
‣ Gradually upgrade versions
Red/Black deployments

RESILIENCE ACROSS LANGUAGES AND PLATFORMS
‣ Increase reliability by shielding
applications from flaky networks
and cascading failures in adverse
conditions

FLEET-WIDE POLICY ENFORCEMENT
‣ Apply organizational policy to the
interaction between services
‣ Ensure access policies are
enforced
‣ Make sure resources are fairly
distributed among consumers.

IN-DEPTH TELEMETRY AND REPORTING
‣ Understand the dependencies
between services, the nature and
flow of traffic between them, and
quickly identify issues with
distributed tracing.

COMPONENTS OF ISTIO
‣ Envoy
proxy, to mediate all inbound and outbound traffic for all
services in the service mesh.
‣ Pilot
Programming envoys and responsible for service discovery,
registration and load balancing
‣ Citadel
provides strong service-to-service and end-user authentication
using mutual TLS, with built-in identity and credential
management
‣ Mixer
Responsible for enforcing access control and usage policies and
collecting telemetry data

ISTIO
▸Operates at Layer 7 , which is the “service” or “RPC” layer
of your network application
▸A rich set of attributes to base policy decisions on, so
policies can be applied based on virtual host, URL, or
other HTTP headers
▸Flexibility in processing
▸Allows it to be distributed
▸Istio Proxy is implemented inside the pod, as a Envoy
sidecar container in the same network namespace

ISTIO – CUSTOM RESOURCE DEFINITIONS
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- '*'
port:
name: http
number: 80
protocol: HTTP
kind: DestinationRule
metadata:
name: helloworld-destination
spec:
host: helloworld
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
kind: VirtualService
metadata:
name: helloworld
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /hello
route:
- destination:
host: helloworld
subset: v1
weight: 90
- destination:
host: helloworld
subset: v2
weight: 10
POD
HelloWorld
version = v1
POD
HelloWorld
version = v2

TRAFFIC CONTROL
CHALLENGE 1
ROLL OUT NEW VERSION WITHOUT DOWNTIME OR CHANGING CODE
version: v2.0
env: us-prod
version: v1.5
env: us-prod
100%
0%
// A simple traffic control rule
destination:
serviceB.example.cluster.local
match:
source:
serviceA.example.cluster.local
route:
- labels:
version: v1.5
env: us-prod
weight: 100

TRAFFIC CONTROL
CHALLENGE 1
ROLL OUT NEW VERSION WITHOUT DOWNTIME OR CHANGING CODE
version: v2.0
env: us-prod
version: v1.5
env: us-prod
0%
0%100%
// A simple traffic control rule
destination:
match:
source:
route:
- labels:
version: v2.0
env: us-prod
weight: 100

TRAFFIC SPLITTING
CHALLENGE 2
HOW TO DO CANARY TESTING
version: v2.0-alpha
env: us-staging
version: v1.5
env: us-prod
// A simple traffic splitting rule
destination:
match:
source:
route:
- labels:
version: v1.5
env: us-prod
weight: 95
- labels:
version: v2.0-alpha
env: us-staging
weight: 5

TRAFFIC STEERNIG
CHALLENGE 3
HOW TO DO A/B TESTING
version: v2
version: v1
version: v2
version: v1
// Content-based traffic steering
destination:
match:
httpHeaders:
user-agent:
regex: ^(.*?;)?(iPhone)(;.*)?$
precedence: 2
route:
- labels:
version: v2

TRAFFIC MIRRORING
version: v2.0-alpha
env: us-staging
version: v1.5
env: us-prod100%
100%
•Responses to any mirrored traffic is ignored; traffic is mirrored as “fire-and-forget”
•You’ll need to have the 0-weighted route to hint to Istio to create the proper Envoy
// A simple traffic splitting rule
destination:
match:
source:
route:
- labels:
version: v1.5
env: us-prod
weight: 100
- labels:
version: v2.0-alpha
env: us-staging
weight: 0
mirror:
name: httpbin
labels:
version: v2.0-alpha
env: us-staging
CHALLENGE 4
THINGS DON’T ALWAYS GO CORRECTLY IN PRODUCTION...

RESILIENCY
CHALLENGE 4
THINGS DON’T ALWAYS GO CORRECTLY IN PRODUCTION...

RESILIENCY TESTING
hosts:
- ratings
http:
- fault:
abort:
percent: 10
httpStatus: 400
route:
- destination:
host: ratings
subset: v1
hosts:
- ratings
http:
- fault:
delay:
percent: 10
fixedDelay: 5s
route:
- destination:
host: ratings
subset: v1
CHALLENGE 4
HOW DO I INJECT FAULT TO MY MICROSERVICES TO PREPARE MYSELF?

RATE LIMITING
CHALLENGE 5
HOW CAN I LIMIT RATE FOR SOME OF MY SERVICES?

TELEMETRY
‣ Monitoring & tracing should
not be an afterthought in the
infrastructure
‣ Goals
‣ Metrics without instrumenting apps
‣ Consistent metrics across fleet
‣ Trace flow of requests across
services
‣ Portable across metric backend
providers
CHALLENGE 6
I NEED TO VIEW WHAT IS GOING ON WHEN CRISIS ARISES

SECURITY
CHALLENGE 7
HOW CAN I SECURE MY SERVICES?
‣ Authentication
‣ Transport authentication, also
known as service-to-service
authentication
‣ Origin authentication, also
known as end-user
authentication
‣ Authorization
‣ Based on RBAC
‣ Namespace-level, service-level
and method-level access control
for services

USING ISTIO IN CONCERT WITH CALICO
▸ Policy operates at Layer 7 , which is the
“service” or “RPC” layer of your network
application.
▸ A rich set of attributes to base policy
decisions on, so policies can be applied
based on virtual host, URL, or other HTTP
headers.
▸ Flexibility in processing.
▸ Allows it to be distributed
▸ Istio Proxy is implemented inside the pod, as
a Envoy sidecar container in the same
network namespace.
▸ Operates at Layer 3, which is the network
layer
▸ Has the advantage of being universal (DNS,
SQL, real-time streaming, …)
▸ Can extend beyond the service mesh
(including to bare metal or VM endpoints not
under the control of Kubernetes).
▸ Calico’s policy is enforced at the host node,
outside the network namespace of the guest
pods.
▸ Based on iptables, which are packet filters
implemented in the standard Linux kernel, it
is extremely fast.

USING ISTIO IN CONCERT WITH CALICO
“RPC” — L7 Layer “Network” — L3-4
Userspace Implementation Kernel
Pod Enforcement Point Node
Ideal for applying policy in support of
operational goals, like service routing,
retries, circuit-breaking, etc
Strengths
Universal, highly efficient, and
isolated from the pods, making it ideal
for applying policy in support of
security goals

ADDRESSING DEVOPS CHALLENGES
# CHALLENGE ISTIO SOLUTION
CHALLENGE 1 ROLL OUT NEW VERSION WITHOUT DOWNTIME
OR CHANGING CODE TRAFFIC CONTROL
CHALLENGE 2 HOW TO DO CANARY TESTING TRAFFIC SPLITTING
CHALLENGE 3 HOW TO DO A/B TESTING TRAFFIC STEERNIG
CHALLENGE 4 THINGS DON’T ALWAYS GO CORRECTLY IN
PRODUCTION...
TRAFFIC MIRRORING
RESILIENCY
RESILIENCY TESTING
CHALLENGE5 HOW CAN I LIMIT RATE FOR SOME OF MY
SERVICES? RATE LIMITING
CHALLENGE 6 I NEED TO VIEW AND MONITOR WHAT IS GOING ON
WHEN CRISIS ARISES
TELEMETRY
CHALLENGE 7 HOW CAN I SECURE MY SERVICES? AUTHENTICATION
AUTHORIZATION
CALICO

GETTING STARTED
‣ Go to https://istio.io/
‣ Download ISTIO Release
With Kubectl
$ kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
$ kubectl apply -f install/kubernetes/istio-demo.yaml
With HELM Templating
$ kubectl create namespace istio-system
$ helm template --name istio
--namespace istio-system
--set grafana.enabled=true
--set servicegraph.enabled=true
--set kiali.enabled=true > istio.yaml
$ kubectl apply -f istio.yaml

GETTING STARTED
‣ IBMs ISTIO 101 Hands On
‣ Go to https://github.com/IBM/istio101

COMMUNITY PARTNERS
‣ Vmware
‣ RedHat
‣ Microsoft
‣ Tigera
‣ Cisco
‣ Pivotal
‣ Weave works
‣ Datawire
‣ Scytale (SPIFEE)
‣ And more…

USEFUL LINKS
‣ Web istio.io
‣ Twitter: @Istiomesh
‣ Istio 101: https://github.com/IBM/istio101
‣ Traffic management using Istio: https://ibm.co/2F7xSnf
‣ Resiliency and fault-tolerance using Istio: https://bit.ly/2qStF2B
‣ Reliable application roll out and operations using Istio:
https://bit.ly/2K9IRQX

SOME DOCS
IBM Cloud Private
for Dummies
http://ibm.biz/BdZedY
Cloud Adoption and
Transformation Consultancy
http://ibm.biz/BdYFCx
The de facto guide to improving your
enterprise with the cloud, created
by distinguished members of our
Solution Engineering team
http://ibm.biz/playbook
Deploying and Operating Production
Applications on Kubernetes in Hybrid
Cloud Environments
http://ibm.biz/k8sintheenterprise

CONTACT ME
Niklaus Hirt: nikh@ch.ibm.com

DEMO – BOOKINFO APP
The Bookinfo application is broken into four separate microservices:
• productpage. The productpage microservice calls the details and reviews microservices to populate the page.
• details. The details microservice contains book information.
• reviews. The reviews microservice contains book reviews. It also calls the ratings microservice.
• ratings. The ratings microservice contains book ranking information that accompanies a book review.
There are 3 versions of the reviews microservice:
• Version v1 doesn’t call the ratings service.
• Version v2 calls the ratings service, and displays each rating as 1 to 5 black stars.
• Version v3 calls the ratings service, and displays each rating as 1 to 5 red stars.

21st Docker Switzerland Meetup - ISTIO

More Related Content

What's hot (20)

Similar to 21st Docker Switzerland Meetup - ISTIO (20)

Recently uploaded (20)

21st Docker Switzerland Meetup - ISTIO