Stop reinventing the wheel with Istio by Mete Atamel (Google)
15 likes2,512 views
The document discusses the integration of Istio with containers and Kubernetes, emphasizing its role in managing microservices through traffic management, observability, and policy enforcement. Key components such as Envoy, Mixer, and Pilot are introduced, along with the functionality they provide for service identity, authentication, and load balancing. The presentation outlines the need for Istio in enhancing the deployment and management of production-ready applications across various environments.
![7
Docker: Tooling for the masses
FROM debian:latest
RUN apt-get update
RUN apt-get install -y nginx
CMD [“nginx”,”-g”,”daemon off;”]
EXPOSE 80
Docker is a container runtime and image format
Dockerfile defines the dependencies,
environment and the code to run
Container is a consistent invocation of a
Dockerfile](https://image.slidesharecdn.com/atamel-codemotion-romestopreinventingthewheelwithistio-180503141121/85/Stop-reinventing-the-wheel-with-Istio-by-Mete-Atamel-Google-7-320.jpg)
![18
$ gcloud container clusters create hello-istio
--enable-kubernetes-alpha
--machine-type=n1-standard-2
--num-nodes=4
--no-enable-legacy-authorization
--zone europe-west1-b
Creating cluster hello-istio...done.
Created [https://container.googleapis.com/v1/projects/dotnet-atamel/zones/europe-west1-b/clusters/hello-istio]
NAME LOCATION MASTER_VERSION MASTER_IP MACHINE_TYPE NODE_VERSION NUM_NODES STATUS
hello-istio europe-west1-b 1.7.12-gke.0 ALPHA 35.190.192.251 n1-standard-2 1.7.12-gke.0 4 RUNNING
$ kubectl create clusterrolebinding cluster-admin-binding
--clusterrole=cluster-admin
--user=$(gcloud config get-value core/account)
clusterrolebinding "cluster-admin-binding" created](https://image.slidesharecdn.com/atamel-codemotion-romestopreinventingthewheelwithistio-180503141121/85/Stop-reinventing-the-wheel-with-Istio-by-Mete-Atamel-Google-18-320.jpg)
Stop reinventing the wheel with Istio by Mete Atamel (Google)
- 1. Confidential & Proprietary Stop reinventing the wheel with Istio Mete Atamel Developer Advocate at Google @meteatamel
- 2. Confidential & Proprietary Agenda 1. The need for Istio Containers, Kubernetes, Istio 2. What is Istio? Istio at the high level, setup 3. Building Blocks Envoy, Mixer, Pilot, Istio-Auth 4. Add-ons Grafana, Prometheus, Zipkin, ServiceGraph 5. Traffic Management Request Routing, Discovery & Load Balancing, Failure Recovery & Injection
- 3. The need for Istio Containers, Kubernetes, Istio
- 4. Confidential & Proprietary Code that solves a problem Make that code production ready (logging, tracing, auth, load balancing, etc) A way to package and run that code consistently on different environments A way to deploy (hopefully optimally) and manage that code Solving a problem with software
- 5. Confidential & Proprietary Code that solves a problem => You Make that code production ready => Istio A way to package and run that code consistently => Docker A way to deploy and manage that code => Kubernetes Solving a problem with software
- 6. Confidential & Proprietary What is a container? Lightweight Hermetically sealed Isolated Easily deployable Introspectable Composable Linux (or Windows) processes A lightweight way to virtualize applications
- 7. 7 Docker: Tooling for the masses FROM debian:latest RUN apt-get update RUN apt-get install -y nginx CMD [“nginx”,”-g”,”daemon off;”] EXPOSE 80 Docker is a container runtime and image format Dockerfile defines the dependencies, environment and the code to run Container is a consistent invocation of a Dockerfile
- 8. Confidential & Proprietary Containers are not enough Service Discovery Redundancy Scheduling Scaling up & down Rolling out & back Resiliency Config & Secrets Health Checks
- 9. Confidential & Proprietary Kubernetes Κυβερνήτης means “governor” in Greek • Manages container clusters • Inspired and informed by Google’s internal container system called Borg • Supports multiple cloud and bare-metal environments • 100% Open source, written in Go Manage applications, not machines
- 10. Confidential & Proprietary Microservices in Kubernetes world Service Pods Each pod containers one or more containers Nodes Role: frontend Role: frontend Role: frontend Role: frontend Replication controller Replicas: 3 Env: prod microservice labels Service communication channel Blueprint “pod template” Env: prod Env: prod Env: prod registry containers
- 11. Confidential & Proprietary Kubernetes is not enough either Dependency Visualisation Tracing Metrics Logging Circuit Breaking Service Identity & Auth Fault Injection Traffic Flow & Policies Failover
- 13. What is Istio? Istio at the high level, setup
- 14. Confidential & Proprietary Istio: High level goals Community maturing and gathering around common tools Decouple application code from underlying platform and policies
- 15. Confidential & Proprietary Istio Ιστιο means “sail”. An open platform to connect, manage, and secure microservices. ● Platform support: Kubernetes, Mesos, Cloud Foundry ● Observability: Metrics, logs, traces, dependency visualisation ● Service Identity & Security: Provide verifiable identity to services, service-to-service authentication ● Traffic Management: Dynamically control traffic between services, ingress/egress routing, fault injection ● Policy enforcement: Precondition checking, quota management between services
- 16. Confidential & Proprietary Istio: At the very high level Users Cloud SQL frontend pictures payments auth External Payment Processor
- 17. Confidential & Proprietary Istio: At the very high level Users Cloud SQL frontend pictures payments auth External Payment Processor proxy proxy proxy proxy ingress
- 18. 18 $ gcloud container clusters create hello-istio --enable-kubernetes-alpha --machine-type=n1-standard-2 --num-nodes=4 --no-enable-legacy-authorization --zone europe-west1-b Creating cluster hello-istio...done. Created [https://container.googleapis.com/v1/projects/dotnet-atamel/zones/europe-west1-b/clusters/hello-istio] NAME LOCATION MASTER_VERSION MASTER_IP MACHINE_TYPE NODE_VERSION NUM_NODES STATUS hello-istio europe-west1-b 1.7.12-gke.0 ALPHA 35.190.192.251 n1-standard-2 1.7.12-gke.0 4 RUNNING $ kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value core/account) clusterrolebinding "cluster-admin-binding" created
- 19. Confidential & Proprietary Demo: Install Istio
- 20. Building Blocks Envoy, Mixer, Pilot, Istio-Auth
- 21. Confidential & Proprietary Istio Architecture Mixer Istio-Auth frontend payments proxy proxy Pilot Discovery & config data to Envoy sidecars TLS certs to Envoy sidecars Policy checks, telemetry Traffic transparently proxied — unaware of Envoy sidecars Control Plane HTTP/1.1, HTTP/2, gRPC with or without TLS
- 22. Confidential & Proprietary Envoy Proxy A high-performance proxy in C++, to mediate all inbound/outbound traffic ● Dynamic service discovery ● Load balancing, TLS termination ● HTTP/2 & gRPC proxying ● Circuit breakers, health checks, rich metrics Deployed as a sidecar to the relevant service in the same Kubernetes pod
- 23. Confidential & Proprietary Pilot Responsible for managing Envoy proxies in the service mesh. ● Service discovery for Envoy ● Traffic management capabilities for routing (A/B testing, canary deployments) ● Resiliency (timeouts, retries, circuit breakers) ● Converts high level routing rules into Envoy specific configurations and propogates them to sidecars at runtime
- 25. Confidential & Proprietary Mixer 1. Precondition Checking. Enables callers to verify a number of preconditions before responding to an incoming request from a service consumer. 2. Quota Management. Enables services to allocate and free quota (eg. rate limits) 3. Telemetry Reporting. Enables services to report logging and monitoring
- 26. Confidential & Proprietary Istio-Auth 1. Provides each service with a strong identity 2. Provides service-to-service and end-user authentication using mutual TLS 3. Provides a key management system to automate key and certificate generation, distribution, rotation, and revocation
- 27. Confidential & Proprietary Demo: Deploy App
- 28. Add-ons Grafana, Prometheus, Zipkin, ServiceGraph
- 29. Confidential & Proprietary Grafana: Analytics and monitoring
- 30. Confidential & Proprietary Prometheus: Query metrics
- 31. Confidential & Proprietary Zipkin: Tracing
- 33. Confidential & Proprietary Demo: Install add-ons
- 34. Traffic Management Request Routing, Discovery & Load Balancing, Failure Recovery & Injection
- 35. Confidential & Proprietary Traffic Management Istio’s traffic management decouples traffic flow and infrastructure scaling Dynamic request routing for A/B testing, gradual rollouts, canary releases Discovery & load balancing across services Failure recovery using timeouts, retries, and circuit breakers Fault injection to test the compatibility of recovery policies across services
- 36. Confidential & Proprietary Request Routing
- 38. Confidential & Proprietary Discovery & Load Balancing
- 39. Confidential & Proprietary Failure Recovery Out-of-the-box opt-in failure recovery features: ● Timeouts ● Bounded retries with timeout budgets and variable jitter between retries ● Limits on number of concurrent connections ● Periodic health checks on each member of the load balancing pool ● Fine-grained circuit breakers (passive health checks) – applied per instance in the load balancing pool
- 40. Confidential & Proprietary Fault Injection Systematic fault injection to identify weaknesses in failure recovery policies ● HTTP/gRPC error codes ● Delay injection frontend movies proxy proxy stars proxy timeout: 100ms retries: 3 300ms timeout: 200ms retries: 2 400ms
- 41. Confidential & Proprietary Demo: Change routes
- 42. Confidential & Proprietary Demo: Cleanup
- 43. Confidential & Proprietary Thank you! Mete Atamel @meteatamel