![Mixer Metrics
kind: metrics
metadata:
name: requestcount
spec:
value: “1”
dimensions:
Destination_service: destination.service
Source_service: source.service
Response_code: response.code
kind: rule
metadata:
name: prometheus
spec:
match: request.headers[“x-user”] != “admin”
actions:
- handler: handler.prometheus
instances:
- requestcount.metric](https://image.slidesharecdn.com/istiocodecampnov20171-171009202644/85/istio-service-mesh-for-all-31-320.jpg)
istio: service mesh for all
- 1. istio.io service mesh for all Mandar Jog
- 2. ● What is a Service Mesh ● How we got here: A story ● Architecture and details ● Q & A Agenda
- 3. What is a ‘Service Mesh’ ? A network for services, not bytes ●Traffic Control ●Visibility ●Resiliency & Efficiency ●Security ●Policy Enforcement
- 4. Remember the Monolith? Module B Module A Module D Module C ModuleE Module F Module G
- 6. 1. Gained development velocity ! 2. Easy testing because of abstractions. 3. Scale services independently. Problem Solved! Micro Services FTW
- 7. Yay ! 1. Gained development velocity ! 2. Easy testing because of abstractions. 3. Scale services independently. Problem Solved! I am so bloody magical !
- 8. What have we lost? 1. I replaced a reliable in-process call with an unreliable rpc. 2. Trivial single stepping replaced by … ? 3. Secure in-process communication is replaced by insecure network. 4. Access control within process was a NOOP 5. Latency went up That abstraction was leaky ...
- 9. Can we fix it? 1. Add retry logic to the application code. 2. Add entry-exit traces. 3. Secure inter service connections with strong authentication. Now that we are adding code … choose the rpc endpoint intelligently a. Endpoints with low latency. b. Endpoints with warm caches.
- 10. Service Mesh ● Address service level concerns. ● Unlock the full power of microservices.
- 11. Weaving the mesh svcA sidecaringress Service A svcB sidecar Service B External Services HTTP/1.1, HTTP/2, gRPC, TCP with or without TLS HTTP/1.1, HTTP/2, gRPC, TCP with or without TLS Intern et Outbound features: ❖ Service authentication ❖ Load balancing ❖ Retry and circuit breaker ❖ Fine-grained routing ❖ Telemetry ❖ Request Tracing ❖ Fault Injection Inbound features: ❖ Service authentication ❖ Authorization ❖ Rate limits ❖ Load shedding ❖ Telemetry ❖ Request Tracing ❖ Fault Injection
- 12. Architecture svcA Envoy Pod Service A svcB Envoy Service B Pilot Control Plane API Mixer Control flow during request processing Istio-Auth Traffic is transparently intercepted and proxied. App is unaware of Envoy’s presence cache cache
- 13. istio Service Mesh A network for services, not bytes ● Traffic Control ● Visibility ● Resiliency & Efficiency ● Security ● Policy Enforcement
- 14. Application Rollout svcA Envoy Pod Service A svcB Envoy ServiceB http://serviceB.example Pod Labels: version: v1.5 env: us-prod svcB Envoy Pod Labels: version: v2.0- alpha, env:us- serviceB.example.cluster.local Traffic routing rules 99% 1% Rules API Pilot Traffic control is decoupled from infrastructure scaling // A simple traffic splitting rule destination: serviceB.example.cluster.local match: source: serviceA.example.cluster.local route: - tags: version: v1.5 env: us-prod weight: 99 - tags: version: v2.0-alpha env: us-staging weight: 1
- 15. svcA Service A svcB Service B version: v1 Pod 3 Pod 2 Pod 1 Content-based traffic steering svcA Service A svcB Service B version: v1 Pod 3 Pod 2 Pod 1 svcB’ version: canary Pod 4 Traffic Steering // Content-based traffic steering rule destination: serviceB.example.cluster.local match: httpHeaders: user-agent: regex: ^(.*?;)?(iPhone)(;.*)?$ precedence: 2 route: - tags: version: canary
- 16. Istio Service Mesh A network for services, not bytes ● Traffic Control ● Visibility ● Resiliency & Efficiency ● Security ● Policy Enforcement
- 17. Visibility Monitoring & tracing should not be an afterthought in the infrastructure Goals ● Metrics without instrumenting apps ● Consistent metrics across fleet ● Trace flow of requests across services ● Portable across metric backend providers Istio Zipkin tracing dashboard Istio - Grafana dashboard w/ Prometheus backend
- 18. Metrics flow svcA Envoy Pod Service A svcB Envoy Service B API: /svcB Latency: 10ms Status Code: 503 Src: 10.0.0.1 Dst: 10.0.0.2 …... InfluxDB Promethe usAdapter InfluxDB Adapter Custom Adapter Mixer ● Mixer collects metrics emitted by Envoys ● Adapters in the Mixer normalize and forward to monitoring backends ● Metrics backend can be swapped at runtime Prometheus InfluxDB InfluxDB Custom backend Prometheus Prometheus
- 19. Visibility: Tracing svcA Envoy Pod Service A svcB Envoy Service B Trace Headers X-B3-TraceId X-B3-SpanId X-B3-ParentSpanId X-B3-Sampled X-B3-Flags svcC Envoy Service C Spa ns Spa ns Promethe us InfluxDB Zipkin Adapter Stackdriv erAdapter Custom Adapter Mixer Promethe us Zipkin InfluxDB Stackdriv er Custom backend ● Application do not have to deal with generating spans or correlating causality ● Envoys generate spans ○ Applications need to *forward* context headers on outbound calls ● Envoys send traces to Mixer ● Adapters at Mixer send traces to respective backends
- 20. Istio Service Mesh A network for services, not bytes ● Traffic Control ● Visibility ● Resiliency & Efficiency ● Security ● Control
- 21. Resiliency Istio adds fault tolerance to your application without any changes to code Resilience features ❖ Timeouts ❖ Retries with timeout budget ❖ Circuit breakers ❖ Health checks ❖ AZ-aware load balancing w/ automatic failover ❖ Control connection pool size and request load ❖ Systematic fault injection // Circuit breakers destination: serviceB.example.cluster.local policy: - tags: version: v1 circuitBreaker: simpleCb: httpConsecutiveErrors: 7 sleepWindow: 5m httpDetectionInterval: 1m
- 22. Resiliency Testing Systematic fault injection to identify weaknesses in failure recovery policies ○ HTTP/gRPC error codes ○ Delay injection svcA Envoy Service A svcB Envoy Service B svcC Envoy Service C Timeout: 100ms Retries: 3 300ms Timeout: 200ms Retries: 2 400ms
- 23. Efficiency ● L7 load balancing ○ Passive/Active health checks, circuit breaks ○ Backend subsets ○ Affinity ● TLS offload ○ No more JSSE or stale SSL versions. ● HTTP/2 and gRPC proxying
- 24. Istio Service Mesh A network for services, not bytes ● Traffic Control ● Visibility ● Resiliency & Efficiency ● Security ● Policy Enforcement
- 25. Securing Microservices ● Verifiable identity ● Secure naming / addressing ● Traffic encryption ● Revocation
- 26. Istio - Security at Scale spiffe.io
- 27. Istio Service Mesh A network for services, not bytes ● Traffic Control ● Visibility ● Resiliency & Efficiency ● Security ● Policy Enforcement
- 28. Putting it all together svcA Envoy Pod Service A svcB Envoy Service B Pilot Control Plane API Mixer Control flow during request processing Istio-Auth
- 29. What does Mixer do? ● Check() ○ Precondition checking ○ Quotas & Rate Limiting ● Report() ○ telemetry reporting ● Primary point of extensibility ● Enabler for platform mobility ● Operator-focused configuration model
- 30. Mixer - Proxy Filter Extension
- 31. Mixer Metrics kind: metrics metadata: name: requestcount spec: value: “1” dimensions: Destination_service: destination.service Source_service: source.service Response_code: response.code kind: rule metadata: name: prometheus spec: match: request.headers[“x-user”] != “admin” actions: - handler: handler.prometheus instances: - requestcount.metric