Weave Your Microservices
With Istio
Lin Sun
Senior Technical Staff Member, IBM
@linsun_unc
Photo by Markos Mant on Unsplash
IBM Cloud
Why Service Mesh?
try {
  HttpResponse response = httpClient.get(
      "http://secretsauce.internal/recipe");
  cook(response.body);
} catch (NetworkError ne) {
  fixmePleaseOMG(ne);
}
Credit to Louis Ryan for this fun example
try {
  // Load balancing
  IP ip = DNS.lookupSRV("secretsauce.internal").pickOne();
  HttpResponse response = httpClient.open(ip).get(
      "http://secretsauce.internal/recipe");
  cook(response.body);
} catch (NetworkError ne) {
  fixmePleaseOMG(ne);
}
for (int i = 0; i < 3; i++) { // Retry
  try {
    IP ip = DNS.lookupSRV("secretsauce.internal").pickOne();
    HttpResponse response = httpClient.open(ip).get(
        "http://secretsauce.internal/recipe");
    cook(response.body);
  } catch (NetworkError ne) {
    if (i == 2) fixmePleaseOMG(ne);
    else Thread.sleep(random(5) * 1000);
  }
}
Secret key = new Secret(new File("/somewhere/safe/key"));
for (int i = 0; i < 3; i++) {
  try {
    IP ip = DNS.lookupSRV("secretsauce.internal").pickOne();
    HttpResponse response = httpClient.open(ip)
        .setHeader("Authorization", key.toString())
        .get("http://secretsauce.internal/recipe");
    cook(response.body);
  } catch (NetworkError ne) {
    if (i == 2) fixmePleaseOMG(ne);
    else Thread.sleep(random(5) * 1000);
  }
}
Secret key = new Secret(new File("/somewhere/safe/key"));
for (int i = 0; i < 3; i++) {
  try {
    IP ip = DNS.lookupSRV("secretsauce.internal").pickOne();
    HttpResponse response = httpClient.open(ip)
        .setHeader("Authorization", key.toString())
        .get("http://secretsauce.internal/recipe");
    log("Success");
    cook(response.body);
  } catch (NetworkError ne) {
    log("Failed");
    if (i == 2) fixmePleaseOMG(ne);
    else Thread.sleep(random(5) * 1000);
  }
}
Imagine you have many services like this room. Each may use different languages.
Each service owner needs to build all these? Can we trust each service owner to build all these consistently?
What exactly is a service mesh?
A Service Mesh is…
• Language neutral
• Dummy initialization
• Program the attachment to be smart
• Visibility +
Before Service Mesh
Add to mesh command
• Dummy initialization
• Visibility +
apply policy command
• Program the attachment to be smart
• mTLS
Do you really need a service mesh?
What is Istio?
- An open service mesh platform
- Provides a language-neutral, standard attachment to your application container
- Provides user interfaces to configure policies for the attachment, without redeploying your application
- Enables clear separation between the application (Dev) and the attachment (Ops)
[Diagram from istio.io. Legend: data flow, management flow]
[Diagram. Labels: Policy checks, Policy, Telemetry. Legend: data flow, management flow]
What is missing?
[Diagram. Labels: Policy checks, Policy, Telemetry, Kubernetes API server, User interactions (kubectl, istioctl). Legend: data flow, management flow]
What about auto injection?
[Diagram. Labels: Policy checks, Policy, Telemetry, Kubernetes API server, kubectl, istioctl, Sidecar-injector. Legend: data flow, management flow]
Mesh Boundary
[Diagram. Labels: Policy checks, Policy, Telemetry, Kubernetes API server, kubectl, istioctl, Sidecar-injector, Ingress-gateway, Egress-gateway. Legend: data flow, management flow]
Install Istio
• Nothing magic… Istio is just a bunch of CRDs, services, deployments, config maps, secrets
• Installation Profiles
  • Recommend starting with the demo profile
  • Use the default profile as the starting point for production usage
Deploy microservices to the mesh
• istioctl kube-inject
• kubectl label namespace {namespace} istio-injection=enabled
• istioctl add-to-mesh
• istioctl describe
https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/
Deploy pods and services to the mesh
• Add named service port for each service port
• Declare containerPort configuration for each pod port
• Pod must have a service associated
• Label deployments with app and version
• Don't use UID 1337
• Do you have NET_ADMIN privilege?
https://istio.io/docs/setup/kubernetes/prepare/requirements/

bookinfo.yaml

apiVersion: v1
kind: Service
metadata:
  name: productpage
  labels:
    app: productpage
    service: productpage
spec:
  ports:
  - port: 9080
    name: http
  selector:
    app: productpage
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: productpage-v1
  labels:
    app: productpage
    version: v1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: productpage
        version: v1
    spec:
      containers:
      - name: productpage
        image: istio/examples-bookinfo-productpage-v1:1.10.1
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9080
initContainers:
- args:
  - -p
  - "15001"
  - -u
  - "1337"
  - -m
  - REDIRECT
  - -i
  - '*'
  - -x
  - ""
  - -b
  - "*"
  - -d
  - "15020"
  image: docker.io/istio/proxy_init:1.1.0
  imagePullPolicy: IfNotPresent
  name: istio-init
  resources:
    limits:
      cpu: 100m
      memory: 50Mi
    requests:
      cpu: 10m
      memory: 10Mi
  securityContext:
    capabilities:
      add:
      - NET_ADMIN
volumes:
- emptyDir:
    medium: Memory
  name: istio-envoy
- name: istio-certs
  secret:
    optional: true
    secretName: istio.default

Dockerfile.proxy_init

FROM ubuntu:xenial
RUN apt-get update && apt-get upgrade -y && \
    apt-get install -y \
    iproute2 \
    iptables \
    && rm -rf /var/lib/apt/lists/*
ADD istio-iptables.sh /usr/local/bin/
ENTRYPOINT ["/usr/local/bin/istio-iptables.sh"]

Istio-iptables.sh

echo ' -p: Specify the envoy port to which redirect all TCP traffic (default $ENVOY_PORT = 15001)'
echo ' -u: Specify the UID of the user for which the redirection is not'
echo ' applied. Typically, this is the UID of the proxy container'
# shellcheck disable=SC2016
echo ' (default to uid of $ENVOY_USER, uid of istio_proxy, or 1337)'
echo ' -g: Specify the GID of the user for which the redirection is not'
echo ' applied. (same default value as -u param)'
echo ' -m: The mode used to redirect inbound connections to Envoy, either "REDIRECT" or "TPROXY"'
# shellcheck disable=SC2016
echo ' (default to $ISTIO_INBOUND_INTERCEPTION_MODE)'
echo ' -b: Comma separated list of inbound ports for which traffic is to be redirected to Envoy (optional). The'
echo ' wildcard character "*" can be used to configure redirection for all ports. An empty list will disable'
# shellcheck disable=SC2016
echo ' all inbound redirection (default to $ISTIO_INBOUND_PORTS)'
echo ' -d: Comma separated list of inbound ports to be excluded from redirection to Envoy (optional). Only applies'
# shellcheck disable=SC2016
echo ' when all inbound traffic (i.e. "*") is being redirected (default to $ISTIO_LOCAL_EXCLUDE_PORTS)'
echo ' -i: Comma separated list of IP ranges in CIDR form to redirect to envoy (optional). The wildcard'
echo ' character "*" can be used to redirect all outbound traffic. An empty list will disable all outbound'
# shellcheck disable=SC2016
echo ' redirection (default to $ISTIO_SERVICE_CIDR)'
echo ' -x: Comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all '
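
Added example, not part of the original deck or of Istio's own code: a Python check of a Service and pod template against the requirements listed on the "Deploy pods and services to the mesh" slide, plus a reading of the istio-init arguments that shows which traffic is redirected to Envoy and which is left out. The inputs are constructed dictionaries shaped like `kubectl get -o json` output; the function names and the `sample` helper are hypothetical.

```python
PROXY_UID = 1337  # UID the slide tells applications not to use

# Constructed input: the istio-init arguments shown on the slide.
INIT_ARGS = ["-p", "15001", "-u", "1337", "-m", "REDIRECT", "-i", "*",
             "-x", "", "-b", "*", "-d", "15020"]


def parse_init_args(args):
    """Pair up istio-init args: ['-p', '15001', ...] -> {'p': '15001', ...}."""
    flags, it = {}, iter(args)
    for flag in it:
        if not flag.startswith("-"):
            raise ValueError(f"expected a flag, got {flag!r}")
        flags[flag[1:]] = next(it, "")
    return flags


def _csv(value):
    return [item for item in (value or "").split(",") if item]


def interception_summary(flags):
    """Describe what the iptables setup redirects to Envoy and what it skips."""
    return {
        "envoy_port": int(flags["p"]),
        "exempt_uid": int(flags["u"]),  # traffic from this UID is not redirected
        "inbound_mode": flags.get("m"),
        "outbound_all": flags.get("i") == "*",
        "outbound_excluded_cidrs": _csv(flags.get("x")),
        "inbound_all": flags.get("b") == "*",
        "inbound_excluded_ports": [int(p) for p in _csv(flags.get("d"))],
    }


def audit_workload(service, template):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for port in service["spec"].get("ports", []):
        if not port.get("name"):
            findings.append(f"service port {port.get('port')} is not named")
    labels = template["metadata"].get("labels", {})
    for key in ("app", "version"):
        if key not in labels:
            findings.append(f"pod label '{key}' is missing")
    selector = service["spec"].get("selector", {})
    if not selector or any(labels.get(k) != v for k, v in selector.items()):
        findings.append("service selector does not select this pod")
    pod = template["spec"]
    init = next((c for c in pod.get("initContainers", [])
                 if c["name"] == "istio-init"), None)
    exempt_uid = PROXY_UID
    if init is None:
        findings.append("no istio-init container (sidecar not injected)")
    else:
        exempt_uid = interception_summary(parse_init_args(init["args"]))["exempt_uid"]
        added = init.get("securityContext", {}).get("capabilities", {}).get("add", [])
        if "NET_ADMIN" not in added:
            findings.append("istio-init lacks NET_ADMIN, iptables setup will fail")
    pod_uid = pod.get("securityContext", {}).get("runAsUser")
    for c in pod.get("containers", []):
        if c["name"] == "istio-proxy":
            continue  # the sidecar itself is expected to run as the exempt UID
        if not any("containerPort" in p for p in c.get("ports", [])):
            findings.append(f"container {c['name']} declares no containerPort")
        if c.get("securityContext", {}).get("runAsUser", pod_uid) == exempt_uid:
            findings.append(f"container {c['name']} runs as UID {exempt_uid}, "
                            "which is exempt from redirection to Envoy")
    return findings


def sample(port_name="http", labels=None, app_uid=None, caps=("NET_ADMIN",)):
    """Build a constructed Service and pod template modelled on productpage."""
    labels = labels or {"app": "productpage", "version": "v1"}
    port = {"port": 9080}
    if port_name:
        port["name"] = port_name
    service = {"spec": {"ports": [port], "selector": {"app": "productpage"}}}
    app = {"name": "productpage", "ports": [{"containerPort": 9080}]}
    if app_uid is not None:
        app["securityContext"] = {"runAsUser": app_uid}
    template = {
        "metadata": {"labels": labels},
        "spec": {
            "initContainers": [{
                "name": "istio-init", "args": INIT_ARGS,
                "securityContext": {"capabilities": {"add": list(caps)}},
            }],
            "containers": [app, {"name": "istio-proxy",
                                 "securityContext": {"runAsUser": 1337}}],
        },
    }
    return service, template


if __name__ == "__main__":
    print(interception_summary(parse_init_args(INIT_ARGS)))
    print("as on the slides:", audit_workload(*sample()))
    broken = sample(port_name=None, labels={"app": "productpage"},
                    app_uid=1337, caps=())
    for finding in audit_workload(*broken):
        print("FINDING:", finding)
```

With the slide's arguments, every outbound range and every inbound port except 15020 goes through Envoy; a non-empty `-x` or `-d` list is where to look for traffic the sidecar never sees.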
Istio-proxy container

- args:
  - proxy
  - sidecar
  - --domain
  - $(POD_NAMESPACE).svc.cluster.local
  - --configPath
  - /etc/istio/proxy
  - --binaryPath
  - /usr/local/bin/envoy
  - --serviceCluster
  - productpage.$(POD_NAMESPACE)
  - --drainDuration
  - 45s
  - --parentShutdownDuration
  - 1m0s
  - --discoveryAddress
  - istio-pilot.istio-system:15010
  - --zipkinAddress
  - zipkin.istio-system:9411
  - --connectTimeout
  - 10s
  - --proxyAdminPort
  - "15000"
  - --concurrency
  - "2"
  - --controlPlaneAuthPolicy
  - NONE
  - --statusPort
  - "15020"
  - --applicationPorts
  - "9080"
  image: docker.io/istio/proxyv2:1.1.0
  imagePullPolicy: IfNotPresent
  name: istio-proxy
  ports:
  - containerPort: 15090
    name: http-envoy-prom
    protocol: TCP
  env:
  - name: POD_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name
  - name: POD_NAMESPACE
    valueFrom:
      fieldRef:
        fieldPath: metadata.namespace
  - name: INSTANCE_IP
    valueFrom:
      fieldRef:
        fieldPath: status.podIP
  - name: ISTIO_META_POD_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name
  - name: ISTIO_META_CONFIG_NAMESPACE
    valueFrom:
      fieldRef:
        fieldPath: metadata.namespace
  - name: ISTIO_META_INTERCEPTION_MODE
    value: REDIRECT
  - name: ISTIO_METAJSON_LABELS
    value: |
      {"app":"productpage","version":"v1"}
  readinessProbe:
    failureThreshold: 30
    httpGet:
      path: /healthz/ready
      port: 15020
    initialDelaySeconds: 1
    periodSeconds: 2
  resources:
    limits:
      cpu: "2"
      memory: 128Mi
    requests:
      cpu: 10m
      memory: 40Mi
  securityContext:
    readOnlyRootFilesystem: true
    runAsUser: 1337
  volumeMounts:
  - mountPath: /etc/istio/proxy
    name: istio-envoy
  - mountPath: /etc/certs/
    name: istio-certs
    readOnly: true
Assuming you have moved 1 or more services to the mesh…
What have you gained?
• Dummy sidecar
• Visibility
$ istioctl proxy-config route productpage-v1-6597cb5df9-qlqlg --name 9080 -o json
[
…
{
"name": "9080",
"virtualHosts": [
{
{
"name": "reviews.default.svc.cluster.local:9080",
"domains": [
"reviews.default.svc.cluster.local",
"reviews.default.svc.cluster.local:9080",
"reviews",
"reviews:9080",
"reviews.default.svc.cluster",
"reviews.default.svc.cluster:9080",
"reviews.default.svc",
"reviews.default.svc:9080",
"reviews.default",
"reviews.default:9080",
"172.21.29.23",
"172.21.29.23:9080"
],
"routes": [
{
"match": {
"prefix": "/"
},
"route": {
"cluster": "outbound|9080||reviews.default.svc.cluster.local",
"timeout": "0s",
"retryPolicy": {
"retryOn": "connect-failure,refused-stream,unavailable,cancelled,resource-exhausted,retriable-status-codes",
"numRetries": 2,
"retryHostPredicate": [
{
"name": "envoy.retry_host_predicates.previous_hosts"
}
],
"hostSelectionRetryMaxAttempts": "3",
"retriableStatusCodes": [
503
]
},
"maxGrpcTimeout": "0s"
},
"decorator": {
"operation": "reviews.default.svc.cluster.local:9080/*"
},
"perFilterConfig": {
// mixer filter config
}
}
}
]
}
],
"validateClusters": false
Outbound Handler - Routes
$ istioctl proxy-config route productpage-v1-6597cb5df9-qlqlg --name 9080
NOTE: This output only contains routes loaded via RDS.
NAME     VIRTUAL HOSTS
9080     4
Update: What have you gained?
• Retry twice
• Dummy sidecar
• Visibility
Let us see it live!
Ready for some intelligence?
Istio Network Resources
• Gateway
• Virtual Service
• Destination Rule
• Service Entry
• Envoy Filter
• Sidecar (*new*)
Istio Security Resources
• Authorization Policy
• Authentication Policy
Round robin is boring!

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  trafficPolicy:
    loadBalancer:
      simple: RANDOM
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
$ istioctl proxy-config route productpage-v1-6597cb5df9-qlqlg --name 9080 -o json
[
…
{
"name": "9080",
"virtualHosts": [
{
{
"name": "reviews.default.svc.cluster.local:9080",
"domains": [
"reviews.default.svc.cluster.local",
"reviews.default.svc.cluster.local:9080",
"reviews",
"reviews:9080",
"reviews.default.svc.cluster",
"reviews.default.svc.cluster:9080",
"reviews.default.svc",
"reviews.default.svc:9080",
"reviews.default",
"reviews.default:9080",
"172.21.29.23",
"172.21.29.23:9080"
],
"routes": [
{
"match": {
"prefix": "/"
},
"route": {
"cluster": "outbound|9080|v1|reviews.default.svc.cluster.local",
"timeout": "0s",
"retryPolicy": {
"retryOn": "connect-failure,refused-stream,unavailable,cancelled,resource-exhausted,retriable-status-codes",
"numRetries": 2,
"retryHostPredicate": [
{
"name": "envoy.retry_host_predicates.previous_hosts"
}
],
"hostSelectionRetryMaxAttempts": "3",
"retriableStatusCodes": [
503
]
},
"maxGrpcTimeout": "0s"
},
"decorator": {
"operation": "reviews.default.svc.cluster.local:9080/*"
},
"perFilterConfig": {
// mixer filter config
}
}
}
]
}
],
"validateClusters": false
Outbound Handler - Routes
$ istioctl proxy-config route productpage-v1-6597cb5df9-qlqlg --name 9080
NOTE: This output only contains routes loaded via RDS.
NAME     VIRTUAL HOSTS
9080     4
$ istioctl pc endpoint productpage-v1-6597cb5df9-qlqlg --cluster "outbound|9080|v1|reviews.default.svc.cluster.local"
ENDPOINT STATUS CLUSTER
172.30.239.1:9080 HEALTHY outbound|9080|v1|reviews.default.svc.cluster.local
$ k get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE
details-v1-bc557b7fc-hwkf4 2/2 Running 0 17d 172.30.239.62 10.188.142.197 <none>
httpbin-5fc7cf895d-8jj9r 2/2 Running 0 2d12h 172.30.177.181 10.188.142.194 <none>
productpage-v1-6597cb5df9-qlqlg 2/2 Running 0 17d 172.30.177.159 10.188.142.194 <none>
ratings-v1-5c46fc6f85-gqb8p 2/2 Running 0 17d 172.30.177.175 10.188.142.194 <none>
reviews-v1-69dcdb544-6rdff 2/2 Running 0 17d 172.30.239.1 10.188.142.197 <none>
reviews-v2-65fbdc9f88-zx6fx 2/2 Running 0 17d 172.30.177.177 10.188.142.194 <none>
reviews-v3-bd8855bdd-dndgk 2/2 Running 0 17d 172.30.239.63 10.188.142.197 <none>
sleep-64c6f57bc8-f5n4x 2/2 Running 0 29d 172.30.177.144 10.188.142.194 <none>
Outbound Handler - Endpoint
Let’s A/B test reviews v2

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v2
  - route:
    - destination:
        host: reviews
        subset: v1

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  trafficPolicy:
    loadBalancer:
      simple: RANDOM
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
$ istioctl proxy-config route productpage-v1-6597cb5df9-qlqlg --name 9080 -o json
…
{
"name": "reviews.default.svc.cluster.local:9080",
"domains": [
"reviews.default.svc.cluster.local",
"
],
"routes": [
{
"match": {
"prefix": "/",
"headers": [
{
"name": "end-user",
"exactMatch": "jason"
}
]
},
"route": {
"cluster": "outbound|9080|v2|reviews.default.svc.cluster.local",
"timeout": "0s",
"retryPolicy": {
"retryOn": "connect-failure,refused-stream,unavailable,cancelled,resource-exhausted,retriable-status-codes",
"numRetries": 2,
"retryHostPredicate": [
{
"name": "envoy.retry_host_predicates.previous_hosts"
}
],
"hostSelectionRetryMaxAttempts": "3",
"retriableStatusCodes": [
503
]
},
"maxGrpcTimeout": "0s"
},
…
},
{
"match": {
"prefix": "/"
},
"route": {
"cluster": "outbound|9080|v1|reviews.default.svc.cluster.local",
"timeout": "0s",
"retryPolicy": {
"retryOn": "connect-failure,refused-stream,unavailable,cancelled,resource-exhausted,retriable-status-codes",
"numRetries": 2,
"retryHostPredicate": [
{
"name": "envoy.retry_host_predicates.previous_hosts"
}
],
"hostSelectionRetryMaxAttempts": "3",
"retriableStatusCodes": [
503
]
},
"maxGrpcTimeout": "0s"
},
…
}
]
}
Outbound Handler - Routes
$ istioctl proxy-config route productpage-v1-6597cb5df9-qlqlg --name 9080
NOTE: This output only contains routes loaded via RDS.
NAME     VIRTUAL HOSTS
9080     4
$ istioctl pc endpoint productpage-v1-6597cb5df9-qlqlg --cluster "outbound|9080|v1|reviews.default.svc.cluster.local"
ENDPOINT STATUS CLUSTER
172.30.239.1:9080 HEALTHY outbound|9080|v1|reviews.default.svc.cluster.local
$ istioctl pc endpoint productpage-v1-6597cb5df9-qlqlg --cluster "outbound|9080|v2|reviews.default.svc.cluster.local"
ENDPOINT STATUS CLUSTER
172.30.177.177:9080 HEALTHY outbound|9080|v2|reviews.default.svc.cluster.local
$ k get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE
details-v1-bc557b7fc-hwkf4 2/2 Running 0 17d 172.30.239.62 10.188.142.197 <none>
httpbin-5fc7cf895d-8jj9r 2/2 Running 0 2d12h 172.30.177.181 10.188.142.194 <none>
productpage-v1-6597cb5df9-qlqlg 2/2 Running 0 17d 172.30.177.159 10.188.142.194 <none>
ratings-v1-5c46fc6f85-gqb8p 2/2 Running 0 17d 172.30.177.175 10.188.142.194 <none>
reviews-v1-69dcdb544-6rdff 2/2 Running 0 17d 172.30.239.1 10.188.142.197 <none>
reviews-v2-65fbdc9f88-zx6fx 2/2 Running 0 17d 172.30.177.177 10.188.142.194 <none>
reviews-v3-bd8855bdd-dndgk 2/2 Running 0 17d 172.30.239.63 10.188.142.197 <none>
sleep-64c6f57bc8-f5n4x 2/2 Running 0 29d 172.30.177.144 10.188.142.194 <none>
Outbound Handler - Endpoint
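
Added example, not part of the original deck: a Python reading of the A/B-test route dump above that resolves a request to the cluster Envoy would pick (routes are tried in order, first match wins) and flags routes that can never match because of their position. The JSON is constructed and abridged from the slide (retry policy omitted); the function names are hypothetical, and only exact domain, `prefix` and header `exactMatch` matching is modelled.

```python
import json

# Constructed, abridged from the slide's `istioctl proxy-config route -o json` output.
ROUTE_DUMP = json.loads("""
[{"name": "9080",
  "virtualHosts": [{
    "name": "reviews.default.svc.cluster.local:9080",
    "domains": ["reviews.default.svc.cluster.local", "reviews", "reviews:9080"],
    "routes": [
      {"match": {"prefix": "/",
                 "headers": [{"name": "end-user", "exactMatch": "jason"}]},
       "route": {"cluster": "outbound|9080|v2|reviews.default.svc.cluster.local"}},
      {"match": {"prefix": "/"},
       "route": {"cluster": "outbound|9080|v1|reviews.default.svc.cluster.local"}}
    ]}]}]
""")


def parse_cluster(name):
    """Split 'outbound|9080|v2|host' into its four fields; empty subset -> None."""
    direction, port, subset, host = name.split("|")
    return {"direction": direction, "port": int(port),
            "subset": subset or None, "host": host}


def _matches(match, path, headers):
    """True when the path prefix and every header condition are satisfied."""
    if not path.startswith(match.get("prefix", "")):
        return False
    return all(headers.get(h["name"].lower()) == h["exactMatch"]
               for h in match.get("headers", []))


def select_cluster(dump, route_name, authority, path, headers=None):
    """Return the parsed cluster for a request, or None if nothing matches."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    for config in dump:
        if config["name"] != route_name:
            continue
        for vhost in config["virtualHosts"]:
            if authority not in vhost["domains"]:
                continue
            for route in vhost["routes"]:  # order matters: first match wins
                if _matches(route["match"], path, headers):
                    return parse_cluster(route["route"]["cluster"])
    return None


def shadowed_routes(vhost):
    """Indexes of routes hidden behind an earlier catch-all for the same prefix."""
    shadowed = []
    for i, route in enumerate(vhost["routes"]):
        prefix = route["match"].get("prefix", "")
        for earlier in vhost["routes"][:i]:
            m = earlier["match"]
            if not m.get("headers") and prefix.startswith(m.get("prefix", "")):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    vhost = ROUTE_DUMP[0]["virtualHosts"][0]
    for hdrs in ({"end-user": "jason"}, {}):
        picked = select_cluster(ROUTE_DUMP, "9080", "reviews", "/reviews/1", hdrs)
        print(hdrs, "->", picked["subset"])
    print("shadowed:", shadowed_routes(vhost))
    swapped = {"routes": list(reversed(vhost["routes"]))}
    print("shadowed after swapping the two routes:", shadowed_routes(swapped))
```

The subset returned here is the third field of the cluster name, which is the same string passed to `istioctl pc endpoint --cluster` on the endpoint slide to find the pod IP behind it.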
More Sidecar Debug
$ istioctl dashboard envoy $(kubectl get pod -l app=productpage -o jsonpath='{.items[0].metadata.name}')
http://localhost:56740
How many lines is my Envoy configuration?
Programming Envoy is hard
Let us see it live!
2019 Istio Themes
• Project Sustainability
• Layering and Extensibility
• Improved Experience
• Performance and Scalability
Istio 2019 Predictable Releases
[Timeline, axis 2018 / 2019 / 2020]
• Istio 1.0 Launch - July 2018
• Istio 1.1 - February
• Istio 1.2 - June
• Istio 1.3 - September
• Istio 1.4 - Unreleased
2019 Istio Key Updates
• All outbound traffic is allowed by default
• Mixer-policy is not enabled by default
• Multicluster Istio for non flat networks
• Introduce Sidecar resource
• Intelligent Protocol Sniffing
• Various istioctl UX improvements
How to contribute
• Contribute via discuss or slack
• Gain membership Status
• Consult existing maintainers
• Gain maintainer status
• Attend WG Meetings
• Preview available around KubeCon US 2019
• Final book available by end of 2019

More Related Content

PDF
All Things Open 2019 weave-services-istio
PDF
All things open 2019 crazy-sm-ecosystem
PDF
Python Google Cloud Function with CORS
PPT
Java client socket-20070327
PPTX
Taking advantage of the Amazon Web Services (AWS) Family
PDF
Terraform Introduction
PDF
Build, migrate and deploy apps for any environment with project Hammr , OW2co...
 
PPT
Bluemix hadoop beginners Guide part I
All Things Open 2019 weave-services-istio
All things open 2019 crazy-sm-ecosystem
Python Google Cloud Function with CORS
Java client socket-20070327
Taking advantage of the Amazon Web Services (AWS) Family
Terraform Introduction
Build, migrate and deploy apps for any environment with project Hammr , OW2co...
 
Bluemix hadoop beginners Guide part I

What's hot (20)

PDF
Everything as Code with Terraform
ODP
Deploy Mediawiki Using FIWARE Lab Facilities
PPTX
Interoute Virtual Data Centre api 101
PPTX
How to deploy spark instance using ansible 2.0 in fiware lab v2
ODP
Networking and Data Access with Eqela
PDF
Threads, Queues, and More: Async Programming in iOS
PDF
Terraform at Scale - All Day DevOps 2017
PDF
Denys Serhiienko "ASGI in depth"
PDF
AWSをテラフォーミングする会(Terraformハンズオン)
PPT
Jcconf 2015 Taipei -- Bluemix java liberty -auto-configration
PDF
Securing Prometheus exporters using HashiCorp Vault
PDF
Replacing Squid with ATS
PDF
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
PDF
How we use and deploy Varnish at Opera
PPTX
ARGUS - THE OMNISCIENT CI
PDF
Failsafe Mechanism for Yahoo Homepage
PPT
香港六合彩 &raquo; SlideShare
PDF
FOSDEM 2017 - RTC Services With Lua and Kamailio
PDF
VUG5: Varnish at Opera Software
PDF
Hopping in clouds: a tale of migration from one cloud provider to another
Everything as Code with Terraform
Deploy Mediawiki Using FIWARE Lab Facilities
Interoute Virtual Data Centre api 101
How to deploy spark instance using ansible 2.0 in fiware lab v2
Networking and Data Access with Eqela
Threads, Queues, and More: Async Programming in iOS
Terraform at Scale - All Day DevOps 2017
Denys Serhiienko "ASGI in depth"
AWSをテラフォーミングする会(Terraformハンズオン)
Jcconf 2015 Taipei -- Bluemix java liberty -auto-configration
Securing Prometheus exporters using HashiCorp Vault
Replacing Squid with ATS
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
How we use and deploy Varnish at Opera
ARGUS - THE OMNISCIENT CI
Failsafe Mechanism for Yahoo Homepage
香港六合彩 &raquo; SlideShare
FOSDEM 2017 - RTC Services With Lua and Kamailio
VUG5: Varnish at Opera Software
Hopping in clouds: a tale of migration from one cloud provider to another
Ad

Similar to Ato2019 weave-services-istio (20)

PDF
The Crazy Service Mesh Ecosystem
PDF
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
PDF
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
PDF
Istio Playground
PDF
Hopping in clouds - phpuk 17
PDF
How to build a Citrix infrastructure on AWS
PDF
Bare Metal to OpenStack with Razor and Chef
PPTX
StrongLoop Overview
PPTX
Ansible Automation - Enterprise Use Cases | Juncheng Anthony Lin
PPTX
Three Years of Lessons Running Potentially Malicious Code Inside Containers
PPTX
Monitoring distributed (micro-)services
PDF
iguazio - nuclio Meetup Nov 30th
ODP
Supporting and Using EC2/CIMI on top of Cloud Environments via Deltacloud
PDF
Swift Cloud Workshop - Swift Microservices
PDF
How Zalando runs Kubernetes clusters at scale on AWS - AWS re:Invent
PDF
Node Summit 2018: Cloud Native Node.js
ODP
Power ai image-pipeline
PPTX
K8s best practices from the field!
PPTX
MicroProfile, Docker, Kubernetes, Istio and Open Shift lab @dev nexus
PPTX
Cloud nativemicroservices jax-london2020
The Crazy Service Mesh Ecosystem
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
Istio Playground
Hopping in clouds - phpuk 17
How to build a Citrix infrastructure on AWS
Bare Metal to OpenStack with Razor and Chef
StrongLoop Overview
Ansible Automation - Enterprise Use Cases | Juncheng Anthony Lin
Three Years of Lessons Running Potentially Malicious Code Inside Containers
Monitoring distributed (micro-)services
iguazio - nuclio Meetup Nov 30th
Supporting and Using EC2/CIMI on top of Cloud Environments via Deltacloud
Swift Cloud Workshop - Swift Microservices
How Zalando runs Kubernetes clusters at scale on AWS - AWS re:Invent
Node Summit 2018: Cloud Native Node.js
Power ai image-pipeline
K8s best practices from the field!
MicroProfile, Docker, Kubernetes, Istio and Open Shift lab @dev nexus
Cloud nativemicroservices jax-london2020
Ad

Recently uploaded (20)

PDF
NewMind AI Weekly Chronicles - August'25 Week I
PDF
Review of recent advances in non-invasive hemoglobin estimation
PPTX
Cloud computing and distributed systems.
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PDF
KodekX | Application Modernization Development
PPTX
Understanding_Digital_Forensics_Presentation.pptx
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
PPTX
A Presentation on Artificial Intelligence
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PDF
Encapsulation_ Review paper, used for researhc scholars
PPTX
Big Data Technologies - Introduction.pptx
PDF
Approach and Philosophy of On baking technology
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
Machine learning based COVID-19 study performance prediction
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
NewMind AI Weekly Chronicles - August'25 Week I
Review of recent advances in non-invasive hemoglobin estimation
Cloud computing and distributed systems.
Agricultural_Statistics_at_a_Glance_2022_0.pdf
KodekX | Application Modernization Development
Understanding_Digital_Forensics_Presentation.pptx
20250228 LYD VKU AI Blended-Learning.pptx
A Presentation on Artificial Intelligence
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Encapsulation_ Review paper, used for researhc scholars
Big Data Technologies - Introduction.pptx
Approach and Philosophy of On baking technology
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
Reach Out and Touch Someone: Haptics and Empathic Computing
Machine learning based COVID-19 study performance prediction
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy

Ato2019 weave-services-istio

  • 1. Weave Your Microservices With Istio Lin Sun Senior Technical Staff Member, IBM @linsun_unc Photo by Markos Mant on Unsplash
  • 3. IBM Cloud try { HttpResponse response = httpClient.get( “http://secretsauce.internal/recipe”); cook(response.body); } catch (NetworkError ne) { fixmePleaseOMG(ne); } Credit to Louis Ryan for this fun example
  • 4. IBM Cloud try { // Load balancing IP ip = DNS.lookupSRV(“secretsauce.internal”).pickOne(); HttpResponse response = httpClient.open(ip).get( “http://secretsauce.internal/recipe”); cook(response.body); } catch (NetworkError ne) { fixmePleaseOMG(ne); } Credit to Louis Ryan for this fun example
  • 5. IBM Cloud for (int i = 0; i < 3; i++) { // Retry try { IP ip = DNS.lookupSRV(“secretsauce.internal”).pickOne(); HttpResponse response = httpClient.open(ip).get( “http://secretsauce.internal/recipe”); cook(response.body); } catch (NetworkError ne) { if (i == 2) fixmePleaseOMG(ne); else Thread.sleep(random(5) * 1000); } } Credit to Louis Ryan for this fun example
  • 6. IBM Cloud Secret key = new Secret(new File(“/somewhere/safe/key”); for (int i = 0; i < 3; i++) { try { IP ip = DNS.lookupSRV(“secretsauce.internal”).pickOne(); HttpResponse response = httpClient.open(ip) .setHeader(“Authorization”, key.toString()) .get(“http://secretsauce.internal/recipe”); cook(response.body); } catch (NetworkError ne) { if (i == 2) fixmePleaseOMG(ne); else Thread.sleep(random(5) * 1000); } } Credit to Louis Ryan for this fun example
  • 7. IBM Cloud Secret key = new Secret(new File(“/somewhere/safe/key”); for (int i = 0; i < 3; i++) { try { IP ip = DNS.lookupSRV(“secretsauce.internal”).pickOne(); HttpResponse response = httpClient.open(ip) .setHeader(“Authorization”, key.toString()) .get(“http://secretsauce.internal/recipe”); log(“Success”); cook(response.body); } catch (NetworkError ne) { log(“Failed”); if (i == 2) fixmePleaseOMG(ne); else Thread.sleep(random(5) * 1000); } } Credit to Louis Ryan for this fun example
  • 9. IBM Cloud Imagine you have many services like this room. Each may use different languages.
  • 10. IBM Cloud Each service owner needs to build all these? Can we trust each service owner to build all these consistently?
  • 11. IBM Cloud What exactly is service mesh?
  • 14. IBM Cloud A Service Mesh is… Language neutral Dummy initialization Program the attachment to be smartVisibility +
  • 16. IBM Cloud Add to mesh command Dummy initialization Visibility +
  • 17. IBM Cloud apply policy command Program the attachment to be smart mTLS mTLS
  • 18. IBM Cloud Do you really need service mesh?
  • 19. IBM Cloud What is Istio? - An open service mesh platform - Provides language neutral standard attachment to your application container - Provides user interfaces to configure policies for the attachment, without redeploying your application - Enables clear separation from the application (Dev) and attachment (Ops)
  • 20. IBM Cloud data flow management flow From istio.io
  • 21. IBM Cloud Policy checksPolicy checks Policy Telemetry data flow management flow What is missing?
  • 22. IBM Cloud Policy checksPolicy checks Policy Telemetry Kubernetes API server User interactions kubectl istioctl data flow management flow
  • 23. IBM Cloud Policy checksPolicy checks Policy Telemetry Kubernetes API server What about auto injection? kubectl istioctl Sidecar-injector data flow management flow
  • 24. IBM Cloud Policy checksPolicy checks Policy Telemetry Kubernetes API server Mesh Boundary kubectl istioctl Sidecar-injector Ingress- gateway Egress- gateway data flow management flow
  • 25. IBM Cloud Install Istio • Nothing Magic… Istio is just a bunch of CRDs, services, deployments, config maps, secrets • Installation Profiles • Recommend start with the demo profile • Use default profile as starting point for production usage
  • 26. IBM Cloud Deploy microservices to the mesh • istioctl kube-inject • kubectl label namespace {namespace} istio-injection=enabled • istioctl add-to-mesh • istioctl describe https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/
  • 27. IBM Cloud Deploy pods and services to the mesh • Add named service port for each service port • Declare containerPort configuration for each pod port • Pod must have a service associated • Label deployments with app and version • Don't use UID 1337 • Do you have NET_ADMIN privilege? https://istio.io/docs/setup/kubernetes/prepare/requirements/ apiVersion: v1 kind: Service metadata: name: productpage labels: app: productpage service: productpage spec: ports: - port: 9080 name: http selector: app: productpage --- apiVersion: extensions/v1beta1 kind: Deployment metadata: name: productpage-v1 labels: app: productpage version: v1 spec: replicas: 1 template: metadata: labels: app: productpage version: v1 spec: containers: - name: productpage image: istio/examples-bookinfo- productpage-v1:1.10.1 imagePullPolicy: IfNotPresent ports: - containerPort: 9080 bookinfo.yaml
  • 28. IBM Cloud initContainers: - args: - -p - "15001" - -u - "1337" - -m - REDIRECT - -i - '*' - -x - "" - -b - "*" - -d - "15020" image: docker.io/istio/proxy_init:1.1.0 imagePullPolicy: IfNotPresent name: istio-init resources: limits: cpu: 100m memory: 50Mi requests: cpu: 10m memory: 10Mi securityContext: capabilities: add: - NET_ADMIN volumes: - emptyDir: medium: Memory name: istio-envoy - name: istio-certs secret: optional: true secretName: istio.default FROM ubuntu:xenial RUN apt-get update && apt-get upgrade -y && apt-get install -y iproute2 iptables && rm -rf /var/lib/apt/lists/* ADD istio-iptables.sh /usr/local/bin/ ENTRYPOINT ["/usr/local/bin/istio-iptables.sh"] echo ' -p: Specify the envoy port to which redirect all TCP traffic (default $ENVOY_PORT = 15001)' echo ' -u: Specify the UID of the user for which the redirection is not' echo ' applied. Typically, this is the UID of the proxy container' # shellcheck disable=SC2016 echo ' (default to uid of $ENVOY_USER, uid of istio_proxy, or 1337)' echo ' -g: Specify the GID of the user for which the redirection is not' echo ' applied. (same default value as -u param)' echo ' -m: The mode used to redirect inbound connections to Envoy, either "REDIRECT" or "TPROXY"' # shellcheck disable=SC2016 echo ' (default to $ISTIO_INBOUND_INTERCEPTION_MODE)' echo ' -b: Comma separated list of inbound ports for which traffic is to be redirected to Envoy (optional). The' echo ' wildcard character "*" can be used to configure redirection for all ports. An empty list will disable' # shellcheck disable=SC2016 echo ' all inbound redirection (default to $ISTIO_INBOUND_PORTS)' echo ' -d: Comma separated list of inbound ports to be excluded from redirection to Envoy (optional). Only applies' # shellcheck disable=SC2016 echo ' when all inbound traffic (i.e. "*") is being redirected (default to $ISTIO_LOCAL_EXCLUDE_PORTS)' echo ' -i: Comma separated list of IP ranges in CIDR form to redirect to envoy (optional). 
The wildcard' echo ' character "*" can be used to redirect all outbound traffic. An empty list will disable all outbound' # shellcheck disable=SC2016 echo ' redirection (default to $ISTIO_SERVICE_CIDR)' echo ' -x: Comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all ' Dockerfile.proxy_init Istio-iptables.sh
  • 29. IBM Cloud Istio-proxy container
      - args:
        - proxy
        - sidecar
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --configPath
        - /etc/istio/proxy
        - --binaryPath
        - /usr/local/bin/envoy
        - --serviceCluster
        - productpage.$(POD_NAMESPACE)
        - --drainDuration
        - 45s
        - --parentShutdownDuration
        - 1m0s
        - --discoveryAddress
        - istio-pilot.istio-system:15010
        - --zipkinAddress
        - zipkin.istio-system:9411
        - --connectTimeout
        - 10s
        - --proxyAdminPort
        - "15000"
        - --concurrency
        - "2"
        - --controlPlaneAuthPolicy
        - NONE
        - --statusPort
        - "15020"
        - --applicationPorts
        - "9080"
        image: docker.io/istio/proxyv2:1.1.0
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        ports:
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: ISTIO_META_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: ISTIO_META_CONFIG_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: ISTIO_META_INTERCEPTION_MODE
          value: REDIRECT
        - name: ISTIO_METAJSON_LABELS
          value: |
            {"app":"productpage","version":"v1"}
        readinessProbe:
          failureThreshold: 30
          httpGet:
            path: /healthz/ready
            port: 15020
          initialDelaySeconds: 1
          periodSeconds: 2
        resources:
          limits:
            cpu: "2"
            memory: 128Mi
          requests:
            cpu: 10m
            memory: 40Mi
        securityContext:
          readOnlyRootFilesystem: true
          runAsUser: 1337
        volumeMounts:
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /etc/certs/
          name: istio-certs
          readOnly: true
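The istio-init flags on slide 28 decide which pod traffic Envoy sees at all, and the `-u` UID is exempt from redirection. As an added example (not part of the original slides or the Istio project's code), this audit lists what a pod spec leaves outside the sidecar; `SAMPLE_POD` is constructed from the slide values and the `productpage` app container entry is an assumption.

```python
# Added example. SAMPLE_POD is constructed from the slide 28-29 values;
# the "productpage" app container entry is an assumption.
SAMPLE_POD = {
    "initContainers": [{
        "name": "istio-init",
        "args": ["-p", "15001", "-u", "1337", "-m", "REDIRECT", "-i", "*",
                 "-x", "", "-b", "*", "-d", "15020"],
    }],
    "containers": [
        {"name": "productpage"},
        {"name": "istio-proxy", "securityContext": {"runAsUser": 1337}},
    ],
}

def parse_init_args(args):
    """['-p', '15001', '-u', '1337', ...] -> {'-p': '15001', '-u': '1337', ...}"""
    return dict(zip(args[0::2], args[1::2]))

def split_csv(value):
    return [item for item in value.split(",") if item]

def audit_pod(pod):
    """List the traffic that the istio-init rules leave outside Envoy."""
    init = next(c for c in pod["initContainers"] if c["name"] == "istio-init")
    flags = parse_init_args(init["args"])
    exempt_uid = int(flags.get("-u", "1337"))  # assumes the documented 1337 fallback
    findings = []
    if flags.get("-i") != "*":
        only = ", ".join(split_csv(flags.get("-i", ""))) or "nothing"
        findings.append("outbound: only %s redirected" % only)
    findings += ["outbound: %s excluded" % c for c in split_csv(flags.get("-x", ""))]
    if flags.get("-b") != "*":
        only = ", ".join(split_csv(flags.get("-b", ""))) or "none"
        findings.append("inbound: only ports %s redirected" % only)
    else:  # -d only applies when all inbound traffic is redirected
        findings += ["inbound: port %s excluded" % p for p in split_csv(flags.get("-d", ""))]
    pod_uid = pod.get("securityContext", {}).get("runAsUser")
    for c in pod["containers"]:
        if c["name"] == "istio-proxy":
            continue
        ctx = c.get("securityContext", {})
        if ctx.get("runAsUser", pod_uid) == exempt_uid:
            findings.append("%s: runs as UID %d, exempt from redirection" % (c["name"], exempt_uid))
        if "NET_ADMIN" in ctx.get("capabilities", {}).get("add", []):
            findings.append("%s: holds NET_ADMIN, can rewrite the redirect rules" % c["name"])
    return findings

if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print(finding)
```

For the slide's configuration the only finding is the excluded status port 15020.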
  • 30. IBM Cloud Assuming you have moved 1 or more services to the mesh…
  • 31. IBM Cloud What have you gained? Dummy sidecar Visibility
  • 32. IBM Cloud
      $ istioctl proxy-config route productpage-v1-6597cb5df9-qlqlg --name 9080 -o json
      [
        …
        {
          "name": "9080",
          "virtualHosts": [
            {
            {
              "name": "reviews.default.svc.cluster.local:9080",
              "domains": [
                "reviews.default.svc.cluster.local",
                "reviews.default.svc.cluster.local:9080",
                "reviews",
                "reviews:9080",
                "reviews.default.svc.cluster",
                "reviews.default.svc.cluster:9080",
                "reviews.default.svc",
                "reviews.default.svc:9080",
                "reviews.default",
                "reviews.default:9080",
                "172.21.29.23",
                "172.21.29.23:9080"
              ],
              "routes": [
                {
                  "match": {
                    "prefix": "/"
                  },
                  "route": {
                    "cluster": "outbound|9080||reviews.default.svc.cluster.local",
                    "timeout": "0s",
                    "retryPolicy": {
                      "retryOn": "connect-failure,refused-stream,unavailable,cancelled,resource-exhausted,retriable-status-codes",
                      "numRetries": 2,
                      "retryHostPredicate": [
                        {
                          "name": "envoy.retry_host_predicates.previous_hosts"
                        }
                      ],
                      "hostSelectionRetryMaxAttempts": "3",
                      "retriableStatusCodes": [
                        503
                      ]
                    },
                    "maxGrpcTimeout": "0s"
                  },
                  "decorator": {
                    "operation": "reviews.default.svc.cluster.local:9080/*"
                  },
                  "perFilterConfig": {
                    // mixer filter config
                  }
                }
                }
              ]
            }
          ],
          "validateClusters": false

      Outbound Handler - Routes
      $ istioctl proxy-config route productpage-v1-6597cb5df9-qlqlg --name 9080
      NOTE: This output only contains routes loaded via RDS.
      NAME     VIRTUAL HOSTS
      9080     4
  • 33. IBM Cloud Update: What have you gained? Retry twice. Dummy sidecar. Visibility.
  • 34. IBM Cloud Let us see it live!
  • 35. IBM Cloud Ready for some intelligence?
  • 36. IBM Cloud Istio Network Resources • Gateway • Virtual Service • Destination Rule • Service Entry • Envoy Filter • Sidecar (*new*)
  • 37. IBM Cloud Istio Security Resources • Authorization Policy • Authentication Policy
  • 38. IBM Cloud Round robin is boring!
      apiVersion: networking.istio.io/v1alpha3
      kind: VirtualService
      metadata:
        name: reviews
      spec:
        hosts:
        - reviews
        http:
        - route:
          - destination:
              host: reviews
              subset: v1

      apiVersion: networking.istio.io/v1alpha3
      kind: DestinationRule
      metadata:
        name: reviews
      spec:
        host: reviews
        trafficPolicy:
          loadBalancer:
            simple: RANDOM
        subsets:
        - name: v1
          labels:
            version: v1
        - name: v2
          labels:
            version: v2
        - name: v3
          labels:
            version: v3
  • 39. IBM Cloud
      $ istioctl proxy-config route productpage-v1-6597cb5df9-qlqlg --name 9080 -o json
      [
        …
        {
          "name": "9080",
          "virtualHosts": [
            {
            {
              "name": "reviews.default.svc.cluster.local:9080",
              "domains": [
                "reviews.default.svc.cluster.local",
                "reviews.default.svc.cluster.local:9080",
                "reviews",
                "reviews:9080",
                "reviews.default.svc.cluster",
                "reviews.default.svc.cluster:9080",
                "reviews.default.svc",
                "reviews.default.svc:9080",
                "reviews.default",
                "reviews.default:9080",
                "172.21.29.23",
                "172.21.29.23:9080"
              ],
              "routes": [
                {
                  "match": {
                    "prefix": "/"
                  },
                  "route": {
                    "cluster": "outbound|9080|v1|reviews.default.svc.cluster.local",
                    "timeout": "0s",
                    "retryPolicy": {
                      "retryOn": "connect-failure,refused-stream,unavailable,cancelled,resource-exhausted,retriable-status-codes",
                      "numRetries": 2,
                      "retryHostPredicate": [
                        {
                          "name": "envoy.retry_host_predicates.previous_hosts"
                        }
                      ],
                      "hostSelectionRetryMaxAttempts": "3",
                      "retriableStatusCodes": [
                        503
                      ]
                    },
                    "maxGrpcTimeout": "0s"
                  },
                  "decorator": {
                    "operation": "reviews.default.svc.cluster.local:9080/*"
                  },
                  "perFilterConfig": {
                    // mixer filter config
                  }
                }
                }
              ]
            }
          ],
          "validateClusters": false

      Outbound Handler - Routes
      $ istioctl proxy-config route productpage-v1-6597cb5df9-qlqlg --name 9080
      NOTE: This output only contains routes loaded via RDS.
      NAME     VIRTUAL HOSTS
      9080     4
  • 40. IBM Cloud Outbound Handler - Endpoint
      $ istioctl pc endpoint productpage-v1-6597cb5df9-qlqlg --cluster "outbound|9080|v1|reviews.default.svc.cluster.local"
      ENDPOINT              STATUS      CLUSTER
      172.30.239.1:9080     HEALTHY     outbound|9080|v1|reviews.default.svc.cluster.local

      $ k get pods -o wide
      NAME                              READY   STATUS    RESTARTS   AGE     IP               NODE             NOMINATED NODE
      details-v1-bc557b7fc-hwkf4        2/2     Running   0          17d     172.30.239.62    10.188.142.197   <none>
      httpbin-5fc7cf895d-8jj9r          2/2     Running   0          2d12h   172.30.177.181   10.188.142.194   <none>
      productpage-v1-6597cb5df9-qlqlg   2/2     Running   0          17d     172.30.177.159   10.188.142.194   <none>
      ratings-v1-5c46fc6f85-gqb8p       2/2     Running   0          17d     172.30.177.175   10.188.142.194   <none>
      reviews-v1-69dcdb544-6rdff        2/2     Running   0          17d     172.30.239.1     10.188.142.197   <none>
      reviews-v2-65fbdc9f88-zx6fx       2/2     Running   0          17d     172.30.177.177   10.188.142.194   <none>
      reviews-v3-bd8855bdd-dndgk        2/2     Running   0          17d     172.30.239.63    10.188.142.197   <none>
      sleep-64c6f57bc8-f5n4x            2/2     Running   0          29d     172.30.177.144   10.188.142.194   <none>
  • 41. IBM Cloud Let’s A/B test reviews v2
      apiVersion: networking.istio.io/v1alpha3
      kind: VirtualService
      metadata:
        name: reviews
      spec:
        hosts:
        - reviews
        http:
        - match:
          - headers:
              end-user:
                exact: jason
          route:
          - destination:
              host: reviews
              subset: v2
        - route:
          - destination:
              host: reviews
              subset: v1

      apiVersion: networking.istio.io/v1alpha3
      kind: DestinationRule
      metadata:
        name: reviews
      spec:
        host: reviews
        trafficPolicy:
          loadBalancer:
            simple: RANDOM
        subsets:
        - name: v1
          labels:
            version: v1
        - name: v2
          labels:
            version: v2
        - name: v3
          labels:
            version: v3
  • 42. IBM Cloud
      $ istioctl proxy-config route productpage-v1-6597cb5df9-qlqlg --name 9080 -o json
      …
      {
        "name": "reviews.default.svc.cluster.local:9080",
        "domains": [
          "reviews.default.svc.cluster.local",
          "
        ],
        "routes": [
          {
            "match": {
              "prefix": "/",
              "headers": [
                {
                  "name": "end-user",
                  "exactMatch": "jason"
                }
              ]
            },
            "route": {
              "cluster": "outbound|9080|v2|reviews.default.svc.cluster.local",
              "timeout": "0s",
              "retryPolicy": {
                "retryOn": "connect-failure,refused-stream,unavailable,cancelled,resource-exhausted,retriable-status-codes",
                "numRetries": 2,
                "retryHostPredicate": [
                  {
                    "name": "envoy.retry_host_predicates.previous_hosts"
                  }
                ],
                "hostSelectionRetryMaxAttempts": "3",
                "retriableStatusCodes": [
                  503
                ]
              },
              "maxGrpcTimeout": "0s"
            },
            …
          },
          {
            "match": {
              "prefix": "/"
            },
            "route": {
              "cluster": "outbound|9080|v1|reviews.default.svc.cluster.local",
              "timeout": "0s",
              "retryPolicy": {
                "retryOn": "connect-failure,refused-stream,unavailable,cancelled,resource-exhausted,retriable-status-codes",
                "numRetries": 2,
                "retryHostPredicate": [
                  {
                    "name": "envoy.retry_host_predicates.previous_hosts"
                  }
                ],
                "hostSelectionRetryMaxAttempts": "3",
                "retriableStatusCodes": [
                  503
                ]
              },
              "maxGrpcTimeout": "0s"
            },
            …
          }
        ]
      }

      Outbound Handler - Routes
      $ istioctl proxy-config route productpage-v1-6597cb5df9-qlqlg --name 9080
      NOTE: This output only contains routes loaded via RDS.
      NAME     VIRTUAL HOSTS
      9080     4
  • 43. IBM Cloud Outbound Handler - Endpoint
      $ istioctl pc endpoint productpage-v1-6597cb5df9-qlqlg --cluster "outbound|9080|v1|reviews.default.svc.cluster.local"
      ENDPOINT              STATUS      CLUSTER
      172.30.239.1:9080     HEALTHY     outbound|9080|v1|reviews.default.svc.cluster.local

      $ istioctl pc endpoint productpage-v1-6597cb5df9-qlqlg --cluster "outbound|9080|v2|reviews.default.svc.cluster.local"
      ENDPOINT              STATUS      CLUSTER
      172.30.177.177:9080   HEALTHY     outbound|9080|v2|reviews.default.svc.cluster.local

      $ k get pods -o wide
      NAME                              READY   STATUS    RESTARTS   AGE     IP               NODE             NOMINATED NODE
      details-v1-bc557b7fc-hwkf4        2/2     Running   0          17d     172.30.239.62    10.188.142.197   <none>
      httpbin-5fc7cf895d-8jj9r          2/2     Running   0          2d12h   172.30.177.181   10.188.142.194   <none>
      productpage-v1-6597cb5df9-qlqlg   2/2     Running   0          17d     172.30.177.159   10.188.142.194   <none>
      ratings-v1-5c46fc6f85-gqb8p       2/2     Running   0          17d     172.30.177.175   10.188.142.194   <none>
      reviews-v1-69dcdb544-6rdff        2/2     Running   0          17d     172.30.239.1     10.188.142.197   <none>
      reviews-v2-65fbdc9f88-zx6fx       2/2     Running   0          17d     172.30.177.177   10.188.142.194   <none>
      reviews-v3-bd8855bdd-dndgk        2/2     Running   0          17d     172.30.239.63    10.188.142.197   <none>
      sleep-64c6f57bc8-f5n4x            2/2     Running   0          29d     172.30.177.144   10.188.142.194   <none>
  • 44. IBM Cloud More Sidecar Debug
      $ istioctl dashboard envoy $(kubectl get pod -l app=productpage -o jsonpath='{.items[0].metadata.name}')
      http://localhost:56740
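The A/B routes on slides 41 to 43 only work because Envoy evaluates a virtual host's routes in order and takes the first match. As an added example (not from the original slides), this evaluates a constructed excerpt of the slide-42 dump, splits the `outbound|port|subset|host` cluster name, and flags routes that an earlier catch-all makes unreachable; it handles only the `prefix` and `exactMatch` matchers shown on the slide.

```python
import json

# Constructed excerpt of the slide-42 route dump (retry policy omitted).
VIRTUAL_HOST = json.loads("""
{"name": "reviews.default.svc.cluster.local:9080",
 "routes": [
  {"match": {"prefix": "/",
             "headers": [{"name": "end-user", "exactMatch": "jason"}]},
   "route": {"cluster": "outbound|9080|v2|reviews.default.svc.cluster.local"}},
  {"match": {"prefix": "/"},
   "route": {"cluster": "outbound|9080|v1|reviews.default.svc.cluster.local"}}
 ]}
""")

def parse_cluster(name):
    """Split 'direction|port|subset|host'; an empty subset becomes None."""
    direction, port, subset, host = name.split("|")
    return {"direction": direction, "port": int(port),
            "subset": subset or None, "host": host}

def matches(match, path, headers):
    """True when the path prefix and every exact header condition hold."""
    if not path.startswith(match.get("prefix", "")):
        return False
    lowered = {k.lower(): v for k, v in headers.items()}  # header names ignore case
    return all(lowered.get(h["name"].lower()) == h["exactMatch"]
               for h in match.get("headers", []))

def select_cluster(virtual_host, path, headers):
    """First matching route wins, as in the proxy's route table."""
    for route in virtual_host["routes"]:
        if matches(route["match"], path, headers):
            return parse_cluster(route["route"]["cluster"])
    return None

def shadowed_routes(virtual_host):
    """Indexes of routes hidden by an earlier header-less route whose
    prefix already covers theirs."""
    routes = virtual_host["routes"]
    return [j for j, later in enumerate(routes)
            if any(not earlier["match"].get("headers")
                   and later["match"].get("prefix", "").startswith(
                       earlier["match"].get("prefix", ""))
                   for earlier in routes[:j])]

if __name__ == "__main__":
    print(select_cluster(VIRTUAL_HOST, "/reviews/0", {"end-user": "jason"}))
    print(select_cluster(VIRTUAL_HOST, "/reviews/0", {}))
```

The header condition selects a route; it does not authenticate the caller, since `end-user` is whatever value the request carries.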
  • 45. IBM Cloud How many lines is my Envoy configuration?
  • 46. IBM Cloud Program Envoy is hard
  • 48. IBM Cloud Let us see it live!
  • 49. IBM Cloud 2019 Istio Themes • Project Sustainability • Layering and Extensibility • Improved Experience • Performance and Scalability
  • 50. IBM Cloud Istio 2019 Predictable Releases (timeline 2018, 2019, 2020): Istio 1.0 Launch, July 2018 • Istio 1.1, February • Istio 1.2, June • Istio 1.3, September • Istio 1.4, Unreleased
  • 51. IBM Cloud 2019 Istio Key Updates • All outbound traffic is allowed by default • Mixer-policy is not enabled by default • Multicluster Istio for non flat networks • Introduce Sidecar resource • Intelligent Protocol Sniffing • Various istioctl UX improvements
  • 52. IBM Cloud How to contribute • Contribute via discuss or slack • Gain membership Status • Consult existing maintainers • Gain maintainer status • Attend WG Meetings
  • 53. IBM Cloud • Preview available around KubeCon US 2019 • Final book available by end of 2019