Microservices With Istio Service Mesh
Download as PPTX, PDF2 likes589 views
The document presents a detailed overview of microservices architecture with a focus on service mesh concepts, particularly emphasizing Istio as a solution for managing microservices communication. Key topics include traffic control, service resilience, chaos testing, observability, and security within microservices using patterns and tools such as Spring Cloud, Envoy, and various Istio components. The presentation also highlights deployment strategies like canary deployments and discusses Istio's security features like mutual TLS and role-based access control.
Microservices With Istio Service Mesh
- 2. Hello! I am Natanael Fonseca Solution Architect at Everis. You can find me at: @natanaelfonseca 2
- 3. Session Agenda - Microservices Patterns; - Spring Cloud; - What is a Service Mesh? - What is ISTIO? - Before and After; 3 - Traffic Control; - Service Resilience; - Chaos Testing; - Observability; - Security.
- 4. Microservices Patterns ▷ Netflix Hystrix (Circuit Breaking) ▷ Netflix Zuul (Edge Routing) ▷ Netflix Ribbon ( Client-Side Service Discovery ) ▷ Netflix Eureka (Service Discovery Registry) ▷ Brave / Zipkin (Tracing) ▷ Netflix Spectator / Atlas (Metrics) 4
- 5. Spring Cloud Projects ▷ Spring Cloud Config; ▷ Spring Cloud Netflix; ▷ Spring Cloud Bus; ▷ Spring Cloud Foundry; ▷ Spring Cloud Open Service Broker; ▷ Spring Cloud Cluster; ▷ Spring Cloud Consul; ▷ And others….. 5 https://spring.io/projects/spring-cloud
- 6. Spring Cloud Netflix ▷ Service Discovery; ▷ Circuit Breaker; ▷ Declarative REST Client with Feign; ▷ Client Side Load Balancer with Ribbon; ▷ Router and Filter with Zuul. 6
- 7. Example 7
- 8. “A service mesh is the connective tissue between your services that adds additional capabilities like traffic control, service discovery, load balancing, resilience, observability, security, and so on… 8 What is a service mesh?
- 9. “Developed by a collaboration between Google, IBM, and Lyft, Istio is an open-source service mesh that lets you connect, monitor, and secure microservices deployed on- premise, in the cloud, or with orchestration platforms like Kubernetes and Mesos. 9 What is ISTIO?
- 10. What are the biggest changes 10 Before and After
- 13. Two areas to aim complete solution 13 Control and Data Plane
- 14. Data Plane Comprises the primary Istio sidecar: ▷ Envoy 14
- 15. Envoy A layer 7 load-balancer takes routing decision based on IPs, TCP or UDP ports or any information it can get from the application protocol (mainly HTTP). The layer 7 load-balancer acts as a proxy, which means it maintains two TCP connections: one with the client and one with the server. 15
- 17. Envoy as sidecar container 17
- 18. Control Plane Comprises three primary Istio services: ▷ Pilot ▷ Mixer ▷ Citadel 18
- 19. Pilot Provides capabilities like service discovery as well as support for VirtualService. The VirtualService is what gives you fine-grained request distribution, retries, timeouts, etc 19
- 20. Mixer With Mixer, you can create policies, apply rate-limiting rules, and even capture custom metrics. Mixer has a pluggable backend architecture that is rapidly evolving with new plug-ins and partners that are extending Mixer’s default capabilities in many new and interesting ways. 20
- 21. Citadel Formerly known as Istio CA or Auth, is responsible for certificate signing, certificate issuance, and revocation/rotation. Istio issues X.509 certificates to all your microservices, allowing for mutual Transport Layer Security (mTLS) between those services, encrypting all their traffic transparently. 21
- 22. Examine Istio patterns including smarter canaries and dark launches 22 Traffic Control
- 23. “With a canary deployment, you deploy a new version of your code to production but allow only a subset of traffic to reach it 23 Canary Deployment
- 24. Destination Rule and Virtual Service 24 In this case, 100% of traffic for the recommendation service will always go to pods matching the label version v1.
- 25. Canary Release for API V2 25 We’re sending 90% of the traffic to v1 and 10% of the traffic to v2 with this VirtualService
- 26. Header Based 26 This rule uses a request header–based matching clause that will match only if the request includes “Safari” as part of the user-agent header
- 27. Dark Launch 27 Istio allows you to duplicate or mirror traffic to a new version of your application and see how it behaves compared to the live application pod
- 28. Egress Gateway 28 Controlling all outbound traffic with rules.
- 29. Service resiliency How Istio provides load balancing, circuit breaking, and pool ejection 29
- 30. Load Balancing 30 ROUND_ROBIN This algorithm evenly distributes the load, in order, across the endpoints in the load-balancing pool. RANDOM This evenly distributes the load across the endpoints in the load-balancing pool but without any order. LEAST_CONN This algorithm picks two random hosts from the load- balancing pool and determines which host has fewer outstanding requests (of the two) and sends to that endpoint. This is an implementation of weighted least request load balancing.
- 31. Timeout 31 Calls to services over a network can result in lots of unpredictable behavior, but the worst behavior is latency. Did the service fail? Is it just slow? Is it not even available? Unbounded latency means any of those things could have happened
- 32. Retry 32 With Istio’s retry capability, you can make a few more attempts before having to truly deal with the error, potentially falling back to default logic. To forward the request to another instance just in case you get an open circuit breaker or pool ejection
- 33. Circuit Breaker 33 Istio puts more of the resilience implementation into the infrastructure so that you can focus more of your valuable time and energy on code that differentiates your business from the ever-growing competitive field. To create circuit breaker functionality for our services, we use an Istio DestinationRule To avoid multiple concurrent requests to an instance
- 34. Pool Ejection 34 If the request is forwarded to a certain instance and it fails (e.g., returns a 50x error code), Istio will eject this instance from the pool for a certain sleep window. In our example, the sleep window is configured to be 15s. To remove failing instances from the pool of responding instances
- 35. Chaos testing Turbulent conditions through fault injection 35
- 36. “Chaos Engineering is the discipline of experimenting on a distributed system in order to build confidence in the system’s capability to withstand turbulent conditions in production 36 Principles of Chaos Engineering http://principlesofchaos.org/?lang=ENcontent
- 37. HTTP Errors 37 We use the combination of Istio’s DestinationRule and VirtualService to inject a percentage of faults—in this case, returning the HTTP 503 error code 50% of the time. Injecting errors via Istio instead of using Java code
- 38. Delays 38 The following manifest injects 7 seconds of delay into 50% of the responses from the recommendation service The most insidious of possible distributed computing faults is not a “dead” service but a service that is responding slowly
- 40. Tracing 40 Jaeger implements OpenTracing, a vendor-neutral tracing API. Jaeger was originally open sourced by the Uber Technologies team and is a distributed tracing system specifically focused on microservices architecture.
- 41. Metrics 41 Istio will gather telemetry data across the service mesh by leveraging Prometheus and Grafana to get started with this important capability
- 42. Service Graph 42 Istio has provided the out-of-the-box basic Servicegraph visualization since its earliest days
- 43. Security Istio’s security capabilities, such as mTLS, RBAC, and policy enforcement 43
- 44. Mutual Transport Layer Security 44 Enabling mTLS in Istio uses the combination of Policy and DestinationRule objects (mTLS)
- 45. Access Control with Mixer Policy 45 Istio’s Mixer Policy service allows you to construct a series of rules that ensure the various microservices that make up your application follow an approved invocation path For example: • customer is not allowed to call recommendation; • preference is not allowed to call customer; • recommendation is not allowed to call customer; • recommendation is not allowed to call preference.
- 46. Role-Based Access Control (RBAC) 46 Istio includes a Role-Based Access Control (RBAC) authorization feature that can be used to further constrain which services (e.g., customer, preference, recommendation) are accessible by particular users. Where mode can be: OFF: Istio authorization is disabled. ON: Istio authorization is enabled for all services in the mesh. ON_WITH_INCLUSION: Enabled only for services and namespaces specified in the inclusion field. ON_WITH_EXCLUSION: Enabled for all services in the mesh except the services and namespaces specified in the exclusion field.
- 47. Role-Based Access Control (RBAC) 47 Istio’s RBAC uses a deny-by-default strategy, meaning that nothing is permitted until you explicitly define an access-control policy to grant access to any service. To reopen the customer endpoint to end-user traffic, create a ServiceRole and a ServiceRoleBinding
- 48. JWT 48 Istio has support for user authentication and authorization via JWT (JSON Web Token)Istio has support for user authentication and authorization via JWT (JSON Web Token)
- 49. Thanks! Any questions? You can find me at: @natanaelfonseca natanael.vaz@gmail.com 49