Operationalizing Multi Cluster Istio: Lessons Learned and Developing Ambient Mesh
Kevin Dorosh
Engineer @ Solo.io
Istio Contributor
What this talk will cover
01 Istio Intro
02 Securing traffic
03 Resilience
04 Ambient Mesh
05 Ambient Mesh Demo
06 Brief Multicluster Considerations
Connectivity & communication challenges
Solo.io solves API connectivity & communication challenges
Communication without Istio
[Figure: frontend calling backend directly]
Istio
• Service discovery / Load balancing
• Secure service-to-service communication
• Traffic control / shaping / shifting
• Policy / Intention based access control
• Traffic metric collection
• Service resilience
• API / programmable interface
[Figure: frontend calling backend with Istio in the path]
Istio Architecture
https://istio.io/latest/docs/concepts/security/
Secure outbound traffic
[Figure: an Application's outbound traffic reaching Cloud Services, API Endpoints and a Malicious website]
Find external services using the Kiali service graph
Find external services using Prometheus
https://istio.io/latest/blog/2019/monitoring-external-service-traffic/
Find external services using Envoy access logging

Enable access logging in the mesh config:
spec:
  meshConfig:
    accessLogFile: /dev/stdout

Log for HTTP (curl http://httpbin.org/headers):
[2021-03-17T13:52:48.695Z] "GET /headers HTTP/1.1 -" 200 - "-" "-" 0 2128 63 62 "-" "curl/7.52.1" "66e67f6d-4fa9-41e1-a103-1078b62221a5" "httpbin.org" "54.91.118.50:80" PassthroughCluster 10.44.0.7:34694 54.91.118.50:80 10.44.0.7:34692 - allow_any

Log for HTTPS/TCP:
[2021-03-17T13:56:04.611Z] "- - -" 0 - - - "-" 930 5818 153 - "-" "-" "-" "-" "54.91.118.50:443" PassthroughCluster 10.44.0.7:47868 54.91.118.50:443 10.44.0.7:47866 - -

An upstream cluster of PassthroughCluster (route name allow_any) means the destination is not in the mesh's service registry: under the default ALLOW_ANY outbound policy Envoy forwarded the traffic as-is. For raw TLS/TCP only the upstream ip:port is visible, since the sidecar never sees a Host header.
Create ServiceEntries for external services
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL

Once applied, the sidecar has a real cluster with resolved endpoints for the host instead of PassthroughCluster:
$ istioctl proxy-config endpoints ratings-v1-fd78f799f-gj8td | grep httpbin
34.199.75.4:80 HEALTHY OK outbound|80||httpbin.org
34.231.30.52:80 HEALTHY OK outbound|80||httpbin.org
54.166.163.67:80 HEALTHY OK outbound|80||httpbin.org
54.91.118.50:80 HEALTHY OK outbound|80||httpbin.org
https://istio.io/latest/docs/reference/config/networking/service-entry/
Block undefined external endpoints
[Figure: myapp pod with its envoy sidecar]
Change outboundTrafficPolicy to REGISTRY_ONLY, so the sidecar only forwards to destinations in the registry (Kubernetes services and ServiceEntries):
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY

NOTE: Traffic can be configured to bypass envoy using annotations:
traffic.sidecar.istio.io/excludeOutboundIPRanges
traffic.sidecar.istio.io/excludeOutboundPorts
https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/
Direct external traffic thru egress gateways
[Figure: myapp (envoy sidecar) → Egress GW → httpbin.org, for curl http://httpbin.org/headers]
• Dedicated traffic exit points
• Only Egress gateways can run on internet enabled nodes
• Meet compliance requirements
• Use Network Policies on workloads to prevent bypassing the egress gateway
https://istio.io/latest/blog/2019/egress-traffic-control-in-istio-part-1/
https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/
Encrypting traffic
[Figure: frontend → backend, and a fake-backend standing in for backend]
Istio Identity
$ istioctl dashboard envoy productpage-v1-5d9b4c9849-l8jjq.default
http://localhost:15000
Istio mutual TLS mode
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system # can be granular
spec:
  mtls:
    mode: PERMISSIVE # or STRICT
• Change PERMISSIVE to STRICT after onboarding all your workloads to the mesh
• Can be disabled at the port level
[Figure: frontend, backend and Another App]
Verify secure traffic using Kiali
Verify secure traffic using Envoy access logging
Add %DOWNSTREAM_TLS_VERSION% to your access log formatting:
meshConfig:
  accessLogFormat: |
    [%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL% %DOWNSTREAM_TLS_VERSION%" %RESPONSE_CODE% …

Check the proxy logs:
$ kubectl logs reviews-v1-6549ddccc5-f28vj -c istio-proxy
[2021-03-17T00:52:08.689Z] "GET /reviews/0 HTTP/1.1 TLSv1.2" 200 - "-" "-" 0 295 8 7 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3)
TLSv1.2 in the request field shows the inbound connection arrived over TLS; a "-" there would mean the sidecar accepted it in plaintext.
Check for envoy listeners
PERMISSIVE (the tls filter chain accepts mTLS and the raw_buffer chain accepts plaintext):
$ istioctl pc listener reviews-v1-6549ddccc5-f28vj | grep inbound
0.0.0.0 15006 Trans: tls; App: Istio HTTP Plain; Addr: *:9080 Cluster: inbound|9080||
0.0.0.0 15006 Trans: raw_buffer; Addr: *:9080 Cluster: inbound|9080||
STRICT (only the tls chain remains, so plaintext connections are refused):
$ istioctl pc listener reviews-v1-6549ddccc5-f28vj | grep inbound
0.0.0.0 15006 Trans: tls; Addr: *:9080 Cluster: inbound|9080||
Controlling workload access
[Figure: ui, catalog, orders and database with the GET/PUT/POST calls between them]
AuthorizationPolicy
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "database-viewer"
  namespace: default
spec:
  selector:
    matchLabels:
      app: database
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/myapp-orders"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/data"]
Notes from the slide: the selector can also target the Ingress Gateway; action can also be DENY; source can also support IP blocks; the selector, from and to sections are each optional.
[Figure: orders → database, where only GET /data from orders is allowed and a PUT is rejected]
https://istio.io/latest/docs/reference/config/security/authorization-policy/
Use access logs to create your rules
$ kubectl logs reviews-v2-76c4865449-6wblx -c istio-proxy
…
[2021-03-17T02:27:18.143Z] "POST /reviews/0 HTTP/1.1 TLSv1.2" 200 - "-" "-" 0 379 29 28 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36" "2dc83abd-71e1-40f5-9a6d-5f02dfceaa78" "reviews:9080" "127.0.0.1:9080" inbound|9080|| 127.0.0.1:59238 10.44.0.8:9080 10.44.0.9:37276 outbound_.9080_._.reviews.default.svc.cluster.local default
Inbound traffic (cluster inbound|9080||): method POST; 10.44.0.9:37276 is the IP of the pod sending the request (match it with kubectl get pods -o wide).
…
[2021-03-17T02:29:31.493Z] "GET /ratings/0 HTTP/1.1 -" 200 - "-" "-" 0 48 3 2 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36" "a51c2b7b-a8e3-417e-8566-4258b734c287" "ratings:9080" "10.44.0.7:9080" outbound|9080||ratings.default.svc.cluster.local 10.44.0.8:51176 10.56.48.22:9080 10.44.0.8:56738 - default
Outbound traffic going to ratings (cluster outbound|9080||ratings.default.svc.cluster.local).
https://istio.io/latest/docs/tasks/observability/logs/access-log/
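The three access-log checks on the slides above (external services via PassthroughCluster, TLS version on inbound requests, and the caller/method/path combinations a workload serves) can be automated with one small parser. This is an added example, not code from the deck or from Istio. It assumes the deck's log format: Istio's default text access log with %DOWNSTREAM_TLS_VERSION% appended inside the quoted request field; because the trailing fields are positionally fixed, they are read from the end of the line, which keeps the parser working for both the HTTP and the raw TCP shape. The sample lines are constructed (three copied from the slides with the user agent shortened, one made up).

```python
"""Triage Istio sidecar access logs: unregistered external destinations
(PassthroughCluster), inbound requests that arrived in plaintext (what STRICT
mTLS would reject), and the caller/method/path combinations a workload serves.

Added example; assumed format is the deck's (default Istio text access log with
%DOWNSTREAM_TLS_VERSION% inside the quoted request field).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class AccessLogEntry:
    start_time: str
    method: str
    path: str
    protocol: str
    tls_version: Optional[str]   # None for plaintext or when the field is absent
    response_code: int
    response_flags: str
    user_agent: str
    authority: str               # :authority / Host header, "-" for raw TCP
    upstream_host: str           # ip:port Envoy connected to
    upstream_cluster: str        # "inbound|9080||", "outbound|...", "PassthroughCluster", ...
    downstream_remote: str       # ip:port of the peer that sent the request
    requested_server_name: str
    route_name: str

    @property
    def is_inbound(self) -> bool:
        return self.upstream_cluster.startswith("inbound|")

    @property
    def is_passthrough(self) -> bool:
        # PassthroughCluster: destination not in the registry, forwarded under ALLOW_ANY
        return self.upstream_cluster == "PassthroughCluster"


def tokenize(line: str) -> List[str]:
    """Split on whitespace while keeping double-quoted fields intact."""
    return [unquoted or quoted for quoted, unquoted in _TOKEN.findall(line)]


def parse_access_log(line: str) -> AccessLogEntry:
    t = tokenize(line.strip())
    req = t[1].split()           # "METHOD PATH PROTOCOL [TLS_VERSION]"; "- - -" for raw TCP
    tls = req[3] if len(req) > 3 and req[3] != "-" else None
    return AccessLogEntry(
        start_time=t[0].strip("[]"), method=req[0], path=req[1], protocol=req[2],
        tls_version=tls, response_code=int(t[2]), response_flags=t[3],
        user_agent=t[-10], authority=t[-8], upstream_host=t[-7], upstream_cluster=t[-6],
        downstream_remote=t[-3], requested_server_name=t[-2], route_name=t[-1],
    )


def external_destinations(lines: Iterable[str]) -> Counter:
    """Destinations that hit PassthroughCluster, keyed by host (HTTP) or ip:port (raw TCP/TLS)."""
    seen: Counter = Counter()
    for e in map(parse_access_log, lines):
        if e.is_passthrough:
            seen[e.authority if e.authority != "-" else e.upstream_host] += 1
    return seen


def hosts_missing_service_entry(lines: Iterable[str], service_entry_hosts: Set[str]) -> List[str]:
    """What still needs a ServiceEntry before outboundTrafficPolicy can move to REGISTRY_ONLY."""
    return sorted(d for d in external_destinations(lines) if d not in service_entry_hosts)


def plaintext_inbound(lines: Iterable[str]) -> List[AccessLogEntry]:
    """Inbound requests accepted without TLS: PERMISSIVE leftovers that STRICT would reject."""
    return [e for e in map(parse_access_log, lines) if e.is_inbound and e.tls_version is None]


def observed_inbound_operations(lines: Iterable[str]) -> Counter:
    """(caller ip, method, path) tuples this workload served; map the ip to a pod with
    `kubectl get pods -o wide` and that pod's service account becomes the rule's principal."""
    ops: Counter = Counter()
    for e in map(parse_access_log, lines):
        if e.is_inbound:
            ops[(e.downstream_remote.rsplit(":", 1)[0], e.method, e.path)] += 1
    return ops


# Constructed sample: the first three lines are copied from the slides (user agent
# shortened), the fourth is a made-up plaintext inbound request from 10.44.0.12.
SAMPLE_LOG = """\
[2021-03-17T13:52:48.695Z] "GET /headers HTTP/1.1 -" 200 - "-" "-" 0 2128 63 62 "-" "curl/7.52.1" "66e67f6d-4fa9-41e1-a103-1078b62221a5" "httpbin.org" "54.91.118.50:80" PassthroughCluster 10.44.0.7:34694 54.91.118.50:80 10.44.0.7:34692 - allow_any
[2021-03-17T13:56:04.611Z] "- - -" 0 - - - "-" 930 5818 153 - "-" "-" "-" "-" "54.91.118.50:443" PassthroughCluster 10.44.0.7:47868 54.91.118.50:443 10.44.0.7:47866 - -
[2021-03-17T02:27:18.143Z] "POST /reviews/0 HTTP/1.1 TLSv1.2" 200 - "-" "-" 0 379 29 28 "-" "Mozilla/5.0" "2dc83abd-71e1-40f5-9a6d-5f02dfceaa78" "reviews:9080" "127.0.0.1:9080" inbound|9080|| 127.0.0.1:59238 10.44.0.8:9080 10.44.0.9:37276 outbound_.9080_._.reviews.default.svc.cluster.local default
[2021-03-17T02:28:01.002Z] "GET /reviews/0 HTTP/1.1 -" 200 - "-" "-" 0 379 12 11 "-" "curl/7.52.1" "0b1c2d3e-0000-4000-8000-000000000001" "reviews:9080" "127.0.0.1:9080" inbound|9080|| 127.0.0.1:59240 10.44.0.8:9080 10.44.0.12:41000 - default
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("external:", dict(external_destinations(lines)))
    print("needs ServiceEntry:", hosts_missing_service_entry(lines, {"httpbin.org"}))
    print("plaintext inbound:", [(e.downstream_remote, e.method, e.path) for e in plaintext_inbound(lines)])
    print("inbound operations:", dict(observed_inbound_operations(lines)))
```

Feed it `kubectl logs <pod> -c istio-proxy` output. Note that the raw TLS passthrough entry only yields 54.91.118.50:443, not a hostname: that is exactly the blind spot the ServiceEntry and egress gateway slides close, since a sidecar cannot name a destination it only tunnels to.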
Debugging Authorization Policies
Check what policies are applied on a pod:
$ istioctl x authz check mydatabasepod
ACTION AuthorizationPolicy RULES
ALLOW database-viewer.default 1
ALLOW _anonymous_match_nothing_ 1

Response to caller when denied:
$ curl --request POST database:9080
RBAC: access denied

Access log entry on the server sidecar:
$ kubectl logs mydatabasepod -c istio-proxy
[2021-03-17T19:31:34.595Z] "GET / HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "-" "curl/7.52.1" "8510e2fd-53f7-4a5a-95da-8796d90c51a2" "database:9080" "-" - - 10.44.1.8:9080 10.44.0.7:51260 outbound_.9080_._.database.default.svc.cluster.local -
The response detail rbac_access_denied_matched_policy[none] says the request matched no ALLOW rule on the workload, so the 403 came from the implicit default once an ALLOW policy exists, not from a named DENY policy (a DENY match would name that policy in the brackets).
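To see why the database-viewer policy from the earlier slide lets GET /data through and answers the POST above with "RBAC: access denied", the following model reproduces the sidecar's evaluation order for one request. This is an added example, not Istio code: it covers ALLOW and DENY policies with principals, ipBlocks, methods and paths only (no CUSTOM action, no `when` conditions), it assumes the policy list it is given is already the set that applies to the workload (what `istioctl x authz check` lists, so the selector is not re-evaluated), and the DENY policy with an IP block is constructed for the example.

```python
"""Model of AuthorizationPolicy evaluation on an Istio sidecar (added example).
Order, as documented by Istio: a matching DENY wins; if the workload has no ALLOW
policies the request is allowed; otherwise at least one ALLOW rule must match."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Request:
    principal: Optional[str]   # caller's SPIFFE identity from mTLS; None without a client cert
    method: str
    path: str
    source_ip: str


@dataclass
class Decision:
    allowed: bool
    matched_policy: Optional[str]   # policy whose rule decided; None for the implicit default


def _match_value(pattern: str, value: Optional[str]) -> bool:
    """Istio string matching: exact, prefix ("/data*"), suffix ("*.svc") or presence ("*")."""
    if value is None:              # an unauthenticated caller never satisfies a principals constraint
        return False
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern


def _match_any(patterns: Optional[List[str]], value: Optional[str]) -> bool:
    """An unset list places no constraint; a set list needs one pattern to match."""
    return True if not patterns else any(_match_value(p, value) for p in patterns)


def _source_matches(source: Dict, req: Request) -> bool:
    if not _match_any(source.get("principals"), req.principal):
        return False
    blocks = source.get("ipBlocks")
    if blocks:
        ip = ipaddress.ip_address(req.source_ip)
        if not any(ip in ipaddress.ip_network(b, strict=False) for b in blocks):
            return False
    return True


def _operation_matches(op: Dict, req: Request) -> bool:
    return _match_any(op.get("methods"), req.method) and _match_any(op.get("paths"), req.path)


def _rule_matches(rule: Dict, req: Request) -> bool:
    """Sources in `from` are OR'd, operations in `to` are OR'd, the two sections are AND'd."""
    froms, tos = rule.get("from"), rule.get("to")
    from_ok = True if not froms else any(_source_matches(f.get("source", {}), req) for f in froms)
    to_ok = True if not tos else any(_operation_matches(t.get("operation", {}), req) for t in tos)
    return from_ok and to_ok


def policy_matches(policy: Dict, req: Request) -> bool:
    return any(_rule_matches(r, req) for r in policy["spec"].get("rules", []))


def authorize(policies: List[Dict], req: Request) -> Decision:
    denies = [p for p in policies if p["spec"].get("action") == "DENY"]
    allows = [p for p in policies if p["spec"].get("action", "ALLOW") == "ALLOW"]
    for p in denies:
        if policy_matches(p, req):
            return Decision(False, p["metadata"]["name"])
    if not allows:
        return Decision(True, None)
    for p in allows:
        if policy_matches(p, req):
            return Decision(True, p["metadata"]["name"])
    return Decision(False, None)   # logged by the sidecar as rbac_access_denied_matched_policy[none]


# The policy from the slide, as a dict mirroring its YAML.
DATABASE_VIEWER = {
    "metadata": {"name": "database-viewer", "namespace": "default"},
    "spec": {
        "selector": {"matchLabels": {"app": "database"}},
        "action": "ALLOW",
        "rules": [{
            "from": [{"source": {"principals": ["cluster.local/ns/default/sa/myapp-orders"]}}],
            "to": [{"operation": {"methods": ["GET"], "paths": ["/data"]}}],
        }],
    },
}

# Constructed for this example: a DENY policy using ipBlocks, which the slide notes is supported.
DENY_LEGACY_SUBNET = {
    "metadata": {"name": "deny-legacy-subnet", "namespace": "default"},
    "spec": {
        "selector": {"matchLabels": {"app": "database"}},
        "action": "DENY",
        "rules": [{"from": [{"source": {"ipBlocks": ["10.99.0.0/16"]}}]}],
    },
}

if __name__ == "__main__":
    orders = "cluster.local/ns/default/sa/myapp-orders"
    for req in (Request(orders, "GET", "/data", "10.44.0.7"), Request(orders, "POST", "/data", "10.44.0.7")):
        print(req.method, req.path, "->", authorize([DATABASE_VIEWER, DENY_LEGACY_SUBNET], req))
```

The two results worth remembering when reading the `istioctl x authz check` output: as soon as one ALLOW policy selects a workload, everything that policy does not name is denied with matched_policy[none], and a DENY is checked first regardless of how many ALLOW rules would have matched.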
Request Authentication
[Figure: ui → orders carrying a JWT; catalog; GET and POST calls]
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
spec:
  selector:
    matchLabels:
      app: orders
  jwtRules:
  - issuer: "example-provider"
    jwksUri: "https://example-provider.com/jwks.json"
A RequestAuthentication only validates tokens that are present: a request with an invalid token is rejected, but a request with no token is still accepted. To require a token, pair it with an AuthorizationPolicy whose rule matches on requestPrincipals.
https://istio.io/latest/docs/tasks/security/authorization/authz-jwt/
Improve application resilience
[Figure: frontend → backend]

Timeouts, circuit breaking and rate limiting

Request timeout on a VirtualService:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v2
    timeout: 0.5s

Circuit breaking on a DestinationRule:
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: httpbin
spec:
  host: httpbin
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 1
      http:
        http1MaxPendingRequests: 1
        maxRequestsPerConnection: 1
    outlierDetection:
      consecutive5xxErrors: 1
      interval: 1s
      baseEjectionTime: 3m
      maxEjectionPercent: 100

Local rate limiting with an EnvoyFilter (elided as on the slide; the listener match sits under match:):
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-local-ratelimit-svc
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: productpage
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      …
          stat_prefix: http_local_rate_limiter
          token_bucket:
            max_tokens: 10
            tokens_per_fill: 10
            fill_interval: 60s
      …
https://istio.io/latest/docs/tasks/traffic-management/request-timeouts/
https://istio.io/latest/docs/tasks/traffic-management/circuit-breaking/
https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/
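What the token_bucket settings above (max_tokens: 10, tokens_per_fill: 10, fill_interval: 60s) actually permit is easiest to see by simulating the bucket. This is an added model, not Envoy's implementation: the bucket starts full, each request takes one token, tokens_per_fill tokens are added on every fill_interval tick up to max_tokens, and a request that finds the bucket empty gets a 429. The arrival times are constructed.

```python
"""Token-bucket model of Envoy's local rate limit filter (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LocalRateLimitBucket:
    max_tokens: int
    tokens_per_fill: int
    fill_interval: float          # seconds
    tokens: Optional[int] = None  # defaults to a full bucket, as Envoy does
    last_fill: float = 0.0

    def __post_init__(self) -> None:
        if self.tokens is None:
            self.tokens = self.max_tokens

    def try_consume(self, now: float) -> bool:
        """Refill once per whole fill_interval elapsed (periodic, not continuous),
        then take one token if any is left."""
        elapsed_ticks = int((now - self.last_fill) // self.fill_interval)
        if elapsed_ticks > 0:
            self.tokens = min(self.max_tokens, self.tokens + elapsed_ticks * self.tokens_per_fill)
            self.last_fill += elapsed_ticks * self.fill_interval
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def simulate(bucket: LocalRateLimitBucket, arrival_times: List[float]) -> List[int]:
    """HTTP status per request in arrival order: 200 if a token was available, else 429."""
    return [200 if bucket.try_consume(t) else 429 for t in arrival_times]


def sustained_rate_per_second(bucket: LocalRateLimitBucket) -> float:
    """Long-run ceiling: tokens_per_fill every fill_interval, whatever the burst size."""
    return bucket.tokens_per_fill / bucket.fill_interval


if __name__ == "__main__":
    bucket = LocalRateLimitBucket(max_tokens=10, tokens_per_fill=10, fill_interval=60.0)
    # Constructed: 12 requests in the first 12 seconds, then two more just after the first refill.
    arrivals = [float(s) for s in range(12)] + [60.0, 60.5]
    print(simulate(bucket, arrivals))
    print("sustained rps:", sustained_rate_per_second(bucket))
```

With the slide's values the filter allows a burst of 10, then rejects everything until the 60 s tick restores all 10 tokens at once; max_tokens bounds the burst while tokens_per_fill / fill_interval bounds the average, so a quieter client does not accumulate more than max_tokens of credit however long it waits.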
Istio Ambient Mesh

Istio - The Industry's Leading Service Mesh
2017: Istio Launched
2019-20: Data Plane Enhancements
2019-2022: 7 New Community Releases, 1000s Production Customers, ~1000 Community Contributors
2022: CNCF
2022: Ambient Mesh Launched
Introducing Istio Ambient Mesh
31 | Copyright © 2022
A new, open source contribution to the Istio project that defines a new sidecar-less data plane. Solo.io and Google are the lead contributors to Istio Ambient Mesh.
Goals: Cost Reduction, Simplified Operations, Improved Performance.
What is Istio Ambient Mesh?
[Figure: Istio Sidecar Data Plane (1 Pod/Container = 1 Proxy) beside the Ambient Mesh Data Plane (1 Node = 1 Proxy)]
Move from a sidecar-proxy-per-pod architecture to a proxy-per-node architecture: "Making the Mesh Transparent to Applications".
Benefits as pitched to the Business Owner, Platform Team and Application Team:
● Reduced Compute Cost
● Improve Business Continuity
● Increase Business Flexibility
● Simplified Operations
● Reduced Maintenance
● Simplified Upgrades
● Easier to Add Applications
● Less Day-2-Day Complexity
● Adapt to Application Needs
● Offer SLAs for Applications
● Many Apps = 1 Platform
● Mesh is transparent to Apps
● Applications won't break
● Flexible Performance Available
● Manage Security vs Performance
Istio enables Zero-Trust Security
[Figure: Istio Security with Sidecar Proxy (one proxy per pod) beside Istio Security with Ambient Mesh (a per-node L4 Proxy plus a separate L7 Proxy)]
Istio Security with Sidecar Proxy:
● All traffic goes through Proxy
● Proxy manages mTLS, Identity
● Proxy manages L7 Application Filters | Policies
Istio Security with Ambient Mesh:
● All traffic goes through Proxy
● L4 Proxy manages mTLS, Identity
● L7 Proxy manages L7 Application Filters | Policies
Istio enables Service Mesh flexibility
[Figure: one Istio Control Plane managing both the Istio Sidecar Data Plane (1 Pod/Container = 1 Proxy) and the Ambient Mesh Data Plane (1 Node = 1 Proxy)]
● Cost Flexibility
● Operational Flexibility
● Performance Flexibility
Architecture: Visualizing ztunnel
HBONE - The protocol used to connect nodes
HTTP Based Overlay Network Encapsulation protocol: workload traffic between ztunnels is carried as HTTP CONNECT tunnels inside mTLS connections, which is how the per-node L4 proxy gives each workload its identity without touching the application protocol.
source: https://www.solo.io/blog/understanding-istio-ambient-ztunnel-and-secure-overlay/
Latest Ambient Developments
Rust Ztunnel
source: https://www.solo.io/blog/rust-ztunnel-istio-ambient-mesh/
https://www.semanticscholar.org/paper/A-work-stealing-scheduling-framework-supporting-Wang-Ji/2b956f8fcd744c4aaf8b0aed417f4706cc046545
Ambient Mesh Demo
Multicluster Considerations
Thank You!