SlideShare a Scribd company logo

Why Is Istio That Shape?

Matt Turner, profile picture
Matt Turner

The document explores the architecture and implications of Istio, an open platform for connecting, securing, controlling, and observing microservices. It discusses the reasons for Istio's design choices, its business value, and how it impacts service mesh implementations, including benefits and drawbacks of microservices. The text also touches upon performance, scalability, and practical usage considerations in modern software environments.

Technology
1 of 66
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
Why Is Istio That Shape? @mt165 Why Is Istio That Shape? Matt Turner Software Architecture Gathering, Virtual | November 2022 @mt165 | mt165.co.uk
Why Is Istio That Shape? @mt165 THE ENTERPRISE SERVICE MESH COMPANY
Why Is Istio That Shape? @mt165 Pop Quiz!
Why Is Istio That Shape? @mt165 Background Service Meshes and Istio
Why Is Istio That Shape? @mt165 Business Value ● Top Line ● Bottom Line ● Time to Market & Speed of Iteration ● Risk Reduction
Why Is Istio That Shape? @mt165 Break the Monolith
Why Is Istio That Shape? @mt165 Pod Pod Pod Break the Monolith Namespace A Namespace B Namespace C Namespace A Namespace B Namespace C
Why Is Istio That Shape? @mt165 But Don’t Just Distribute It!
Why Is Istio That Shape? @mt165 Technical Implications
Why Is Istio That Shape? @mt165
Why Is Istio That Shape? @mt165
Why Is Istio That Shape? @mt165
Why Is Istio That Shape? @mt165
Why Is Istio That Shape? @mt165
Why Is Istio That Shape? @mt165
Why Is Istio That Shape? @mt165 Service A Service B
Why Is Istio That Shape? @mt165 Lots of Options: In-process libraries and frameworks
Why Is Istio That Shape? @mt165 Polyglot environments
Why Is Istio That Shape? @mt165 Polyglot environments
Why Is Istio That Shape? @mt165 Take the Network Smarts out of the Process
Why Is Istio That Shape? @mt165 Add a Control Plane
Why Is Istio That Shape? @mt165 Istio “An open platform to connect, secure, control, and observe services.”
Why Is Istio That Shape? @mt165 What Shape is Istio?
Why Is Istio That Shape? @mt165 Istio 0.1 - 1.4
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B TLS certs to Envoys
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Config to Envoys Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Config to Envoys Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy k8s consul zk K8s API Server
Why Is Istio That Shape? @mt165 Have We Seen This Before?
Why Is Istio That Shape? @mt165 IP Router Architecture DATA PLANE CONTROL PLANE OSPF ARP BGP STP Router Information Base Forwarding Information Base Forwarding Engine
Why Is Istio That Shape? @mt165 IP Router Architecture DATA PLANE CONTROL PLANE OSPF ARP BGP STP Router Information Base Forwarding Information Base Forwarding Engine Latency Throughput Concurrency Availability
Why Is Istio That Shape? @mt165 IP Router Architecture DATA PLANE CONTROL PLANE OSPF ARP BGP STP PILOT ENVOY Router Information Base Forwarding Information Base Forwarding Engine
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Policy checks, Telemetry Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
Why Is Istio That Shape? @mt165 IP Router Architecture Interrupt Kernel module User process DATA PLANE CONTROL PLANE OSPF ARP BGP STP Router Information Base Forwarding Information Base
Why Is Istio That Shape? @mt165 IP Router Architecture DATA PLANE CONTROL PLANE OSPF ARP BGP STP PILOT MIXER ENVOY Interrupt Kernel module User process Router Information Base Forwarding Information Base
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Control Plane API Service A Service B Config to Envoys prom ES REPORT CHECK ACL Rate limit Mixer fat client Mixer fat client Citadel
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Config to Envoys TLS certs to Envoys Policy checks, Telemetry Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
Why Is Istio That Shape? @mt165 Why Isn’t Istio This Shape?
Why Is Istio That Shape? @mt165 Mixer Pros ● Recognisable mental mode ● Good availability ● Can horizontally scale ○ Load ○ High availability Cons ● Performance was never great ● Very few things need coördination between proxies
Why Is Istio That Shape? @mt165 µServices! Pros ● Decoupled deployments ● Isolated security contexts ● Isolated failure domains ● Individual scaling ● Multiple languages ● Clean mapping to individual teams/domains Cons ● Complex to debug ● Fiddly to deploy ● Inefficient ○ Message-passing ○ Missed shared cache opportunities
Why Is Istio That Shape? @mt165 µServices? Decoupled deployments ● No-one ever did
Why Is Istio That Shape? @mt165 µServices? Isolated security contexts ● Citadel is obviously a security component, but… ● Pilot can re-route all your requests ● Mixer can steal all your traffic ● …a breach in any one is as bad as the others
Why Is Istio That Shape? @mt165 µServices? Isolated failure domains ● Mixer is the only acutely critical service
Why Is Istio That Shape? @mt165 µServices? Individual scaling ● Resource usage was dominated by one component of service: Pilot’s XDS serving
Why Is Istio That Shape? @mt165 µServices? Multiple languages ● It’s all Go
Why Is Istio That Shape? @mt165 µServices? Clean mapping to individual teams/domains ● We’re good at writing monoliths ● µServices were never about this anyway
Why Is Istio That Shape? @mt165 Istio 1.5 - Date
Why Is Istio That Shape? @mt165 Pilot ● That thing I said about a compiler… ● It’s a nice mental model ● It wasn’t true
Why Is Istio That Shape? @mt165 Pilot Pilot K8s API Server Envoy Envoy Envoy Envoy k8s consul zk
Why Is Istio That Shape? @mt165 Pilot K8s API Server Envoy Envoy Envoy Envoy k8s consul zk
Why Is Istio That Shape? @mt165 Pilot K8s API Server Envoy Envoy Envoy Envoy k8s consul zk
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB istiod Control Plane API Service A Service B Config to Envoys TLS certs to Envoys Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy µServices
Why Is Istio That Shape? @mt165 Mixer ● Policy: implemented with (new) Envoy-native features
Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB istiod Control Plane API Service A Service B Config to Envoys TLS certs to Envoys Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy WASM WASM WASM WASM Telem etry
Why Is Istio That Shape? @mt165 Dataplane Topology - Host-Based Proxy #eBPF #sidecarless #nomesh
Why Is Istio That Shape? @mt165 Envoy Service A Service B WASM WASM host istiod Control Plane API
Why Is Istio That Shape? @mt165 CPU Usage Per Request Idle
Why Is Istio That Shape? @mt165 Memory Usage Per Service Config Overhead: programme
Why Is Istio That Shape? @mt165 Dataplane Topology - “Ambient Mesh”
Why Is Istio That Shape? @mt165 Ambient Mesh - zTunnel host host Service A Service B zTunnel zTunnel Service A
Why Is Istio That Shape? @mt165 Ambient Mesh - “Waypoint” Proxies host host Service A Service B zTunnel zTunnel Service A Envoy K8s ServiceAccount A Envoy K8s ServiceAccount B
Why Is Istio That Shape? @mt165 Thanks! Slides Videos Demo code mt165.co.uk Questions @mt165

More Related Content

PPTX
Istio a service mesh
Chandresh Pancholi
 
PPTX
ISTIO Deep Dive
Yong Feng
 
PPTX
An Open-Source Platform to Connect, Manage, and Secure Microservices
DoiT International
 
PDF
Service Mesh in Practice
Ballerina
 
PDF
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Michael Man
 
PDF
Istio (service mesh) why and how
Milan Das
 
PPTX
Introduction to Istio for APIs and Microservices meetup
Daniel Ciruli
 
PDF
Service Mesh For Beginner
Mien Dinh
 
Istio a service mesh
Chandresh Pancholi
 
ISTIO Deep Dive
Yong Feng
 
An Open-Source Platform to Connect, Manage, and Secure Microservices
DoiT International
 
Service Mesh in Practice
Ballerina
 
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Michael Man
 
Istio (service mesh) why and how
Milan Das
 
Introduction to Istio for APIs and Microservices meetup
Daniel Ciruli
 
Service Mesh For Beginner
Mien Dinh
 

Similar to Why Is Istio That Shape? (20)

PDF
Istio and Kubernetes Relationship
Knoldus Inc.
 
PDF
Api observability
Red Hat
 
PDF
APIdays Paris 2018 - Microservices the right way : an introduction to Istio, ...
apidays
 
PDF
Istio service mesh: past, present, future (TLV meetup)
elevran
 
PDF
Istio Triangle Kubernetes Meetup Aug 2019
Ram Vennam
 
PPTX
istio: service mesh for all
Mandar Jog
 
PDF
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...
WSO2
 
PDF
Stop reinventing the wheel with Istio by Mete Atamel (Google)
Codemotion
 
PDF
Istio Up Running Using a Service Mesh to Connect Secure Control and Observe 1...
kecketatyz
 
PDF
How to Make Istio Work with Your App
KarenBruner
 
PDF
How to Make Istio Work with Your App
StackRox
 
PPTX
Connecting All Abstractions with Istio
VMware Tanzu
 
PPTX
Microservices With Istio Service Mesh
Natanael Fonseca
 
PDF
What is a Service Mesh and what can it do for your Microservices
Matt Turner
 
PPTX
Istio Mesh – Managing Container Deployments at Scale
Mofizur Rahman
 
PPTX
Manging Container Deployments at Scale
Mofizur Rahman
 
PDF
Managing Microservices With The Istio Service Mesh on Kubernetes
Iftach Schonbaum
 
PDF
APIdays Paris 2019 - Cloud native API Management for Microservices on a Servi...
apidays
 
PDF
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
CodeOps Technologies LLP
 
PPTX
Istio Security Overview
Michael Furman
 
Istio and Kubernetes Relationship
Knoldus Inc.
 
Api observability
Red Hat
 
APIdays Paris 2018 - Microservices the right way : an introduction to Istio, ...
apidays
 
Istio service mesh: past, present, future (TLV meetup)
elevran
 
Istio Triangle Kubernetes Meetup Aug 2019
Ram Vennam
 
istio: service mesh for all
Mandar Jog
 
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...
WSO2
 
Stop reinventing the wheel with Istio by Mete Atamel (Google)
Codemotion
 
Istio Up Running Using a Service Mesh to Connect Secure Control and Observe 1...
kecketatyz
 
How to Make Istio Work with Your App
KarenBruner
 
How to Make Istio Work with Your App
StackRox
 
Connecting All Abstractions with Istio
VMware Tanzu
 
Microservices With Istio Service Mesh
Natanael Fonseca
 
What is a Service Mesh and what can it do for your Microservices
Matt Turner
 
Istio Mesh – Managing Container Deployments at Scale
Mofizur Rahman
 
Manging Container Deployments at Scale
Mofizur Rahman
 
Managing Microservices With The Istio Service Mesh on Kubernetes
Iftach Schonbaum
 
APIdays Paris 2019 - Cloud native API Management for Microservices on a Servi...
apidays
 
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
CodeOps Technologies LLP
 
Istio Security Overview
Michael Furman
 
Ad

More from Matt Turner (20)

PDF
The Life of a Packet through Istio III
Matt Turner
 
PDF
Automated Cloud-Native Incident Response with Kubernetes and Service Mesh
Matt Turner
 
PDF
apiserver-Only "Clusters" for fun and profit
Matt Turner
 
PDF
Istio + SPIRE for cross-domain traffic trust in hybrid-cloud scenarios
Matt Turner
 
PDF
Dynamically Testing Individual Microservice Releases In Production
Matt Turner
 
PDF
Gateway APIs, Envoy Gateway, and API Gateways
Matt Turner
 
PDF
The Life of a Packet III - Service Mesh London
Matt Turner
 
PDF
Cloud-Native Progressive Delivery
Matt Turner
 
PDF
An Introduction to Bazel
Matt Turner
 
PDF
Networks, Linux, Containers, Pods
Matt Turner
 
PDF
Debugging an RBAC Problem in Istio
Matt Turner
 
PDF
Running Resillient Workloads with Istio - KubeCon China 2019
Matt Turner
 
PDF
Software Networking and Interfaces on Linux
Matt Turner
 
PDF
Running Resillient Workloads with Istio - OpenInfra Days 2019
Matt Turner
 
PDF
The Life of a Packet through Istio - DevExperience Romania, April 2019
Matt Turner
 
PDF
The life of a packet through Istio - QCon London 2019
Matt Turner
 
PDF
Do You Need a Service Mesh? @ London Devops, January 2019
Matt Turner
 
PDF
Istio, The Packet's-Eye View - KubeCon NA 2018
Matt Turner
 
PDF
The life of a packet through Istio
Matt Turner
 
PDF
Bash is Testing
Matt Turner
 
The Life of a Packet through Istio III
Matt Turner
 
Automated Cloud-Native Incident Response with Kubernetes and Service Mesh
Matt Turner
 
apiserver-Only "Clusters" for fun and profit
Matt Turner
 
Istio + SPIRE for cross-domain traffic trust in hybrid-cloud scenarios
Matt Turner
 
Dynamically Testing Individual Microservice Releases In Production
Matt Turner
 
Gateway APIs, Envoy Gateway, and API Gateways
Matt Turner
 
The Life of a Packet III - Service Mesh London
Matt Turner
 
Cloud-Native Progressive Delivery
Matt Turner
 
An Introduction to Bazel
Matt Turner
 
Networks, Linux, Containers, Pods
Matt Turner
 
Debugging an RBAC Problem in Istio
Matt Turner
 
Running Resillient Workloads with Istio - KubeCon China 2019
Matt Turner
 
Software Networking and Interfaces on Linux
Matt Turner
 
Running Resillient Workloads with Istio - OpenInfra Days 2019
Matt Turner
 
The Life of a Packet through Istio - DevExperience Romania, April 2019
Matt Turner
 
The life of a packet through Istio - QCon London 2019
Matt Turner
 
Do You Need a Service Mesh? @ London Devops, January 2019
Matt Turner
 
Istio, The Packet's-Eye View - KubeCon NA 2018
Matt Turner
 
The life of a packet through Istio
Matt Turner
 
Bash is Testing
Matt Turner
 
Ad

Recently uploaded (20)

PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Teaching material agriculture food technology
LiaRayya
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 

Why Is Istio That Shape?

  • 1. Why Is Istio That Shape? @mt165 Why Is Istio That Shape? Matt Turner Software Architecture Gathering, Virtual | November 2022 @mt165 | mt165.co.uk
  • 2. Why Is Istio That Shape? @mt165 THE ENTERPRISE SERVICE MESH COMPANY
  • 3. Why Is Istio That Shape? @mt165 Pop Quiz!
  • 4. Why Is Istio That Shape? @mt165 Background Service Meshes and Istio
  • 5. Why Is Istio That Shape? @mt165 Business Value ● Top Line ● Bottom Line ● Time to Market & Speed of Iteration ● Risk Reduction
  • 6. Why Is Istio That Shape? @mt165 Break the Monolith
  • 7. Why Is Istio That Shape? @mt165 Pod Pod Pod Break the Monolith Namespace A Namespace B Namespace C Namespace A Namespace B Namespace C
  • 8. Why Is Istio That Shape? @mt165 But Don’t Just Distribute It!
  • 9. Why Is Istio That Shape? @mt165 Technical Implications
  • 10. Why Is Istio That Shape? @mt165
  • 11. Why Is Istio That Shape? @mt165
  • 12. Why Is Istio That Shape? @mt165
  • 13. Why Is Istio That Shape? @mt165
  • 14. Why Is Istio That Shape? @mt165
  • 15. Why Is Istio That Shape? @mt165
  • 16. Why Is Istio That Shape? @mt165 Service A Service B
  • 17. Why Is Istio That Shape? @mt165 Lots of Options: In-process libraries and frameworks
  • 18. Why Is Istio That Shape? @mt165 Polyglot environments
  • 19. Why Is Istio That Shape? @mt165 Polyglot environments
  • 20. Why Is Istio That Shape? @mt165 Take the Network Smarts out of the Process
  • 21. Why Is Istio That Shape? @mt165 Add a Control Plane
  • 22. Why Is Istio That Shape? @mt165 Istio “An open platform to connect, secure, control, and observe services.”
  • 23. Why Is Istio That Shape? @mt165 What Shape is Istio?
  • 24. Why Is Istio That Shape? @mt165 Istio 0.1 - 1.4
  • 25. Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
  • 26. Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
  • 27. Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
  • 28. Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B
  • 29. Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B
  • 30. Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B TLS certs to Envoys
  • 31. Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Config to Envoys Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
  • 32. Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Config to Envoys Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy k8s consul zk K8s API Server
  • 33. Why Is Istio That Shape? @mt165 Have We Seen This Before?
  • 34. Why Is Istio That Shape? @mt165 IP Router Architecture DATA PLANE CONTROL PLANE OSPF ARP BGP STP Router Information Base Forwarding Information Base Forwarding Engine
  • 35. Why Is Istio That Shape? @mt165 IP Router Architecture DATA PLANE CONTROL PLANE OSPF ARP BGP STP Router Information Base Forwarding Information Base Forwarding Engine Latency Throughput Concurrency Availability
  • 36. Why Is Istio That Shape? @mt165 IP Router Architecture DATA PLANE CONTROL PLANE OSPF ARP BGP STP PILOT ENVOY Router Information Base Forwarding Information Base Forwarding Engine
  • 37. Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Policy checks, Telemetry Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
  • 38. Why Is Istio That Shape? @mt165 IP Router Architecture Interrupt Kernel module User process DATA PLANE CONTROL PLANE OSPF ARP BGP STP Router Information Base Forwarding Information Base
  • 39. Why Is Istio That Shape? @mt165 IP Router Architecture DATA PLANE CONTROL PLANE OSPF ARP BGP STP PILOT MIXER ENVOY Interrupt Kernel module User process Router Information Base Forwarding Information Base
  • 40. Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Control Plane API Service A Service B Config to Envoys prom ES REPORT CHECK ACL Rate limit Mixer fat client Mixer fat client Citadel
  • 41. Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB Pilot Mixer Citadel Control Plane API Service A Service B Config to Envoys TLS certs to Envoys Policy checks, Telemetry Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy
  • 42. Why Is Istio That Shape? @mt165 Why Isn’t Istio This Shape?
  • 43. Why Is Istio That Shape? @mt165 Mixer Pros ● Recognisable mental mode ● Good availability ● Can horizontally scale ○ Load ○ High availability Cons ● Performance was never great ● Very few things need coördination between proxies
  • 44. Why Is Istio That Shape? @mt165 µServices! Pros ● Decoupled deployments ● Isolated security contexts ● Isolated failure domains ● Individual scaling ● Multiple languages ● Clean mapping to individual teams/domains Cons ● Complex to debug ● Fiddly to deploy ● Inefficient ○ Message-passing ○ Missed shared cache opportunities
  • 45. Why Is Istio That Shape? @mt165 µServices? Decoupled deployments ● No-one ever did
  • 46. Why Is Istio That Shape? @mt165 µServices? Isolated security contexts ● Citadel is obviously a security component, but… ● Pilot can re-route all your requests ● Mixer can steal all your traffic ● …a breach in any one is as bad as the others
  • 47. Why Is Istio That Shape? @mt165 µServices? Isolated failure domains ● Mixer is the only acutely critical service
  • 48. Why Is Istio That Shape? @mt165 µServices? Individual scaling ● Resource usage was dominated by one component of service: Pilot’s XDS serving
  • 49. Why Is Istio That Shape? @mt165 µServices? Multiple languages ● It’s all Go
  • 50. Why Is Istio That Shape? @mt165 µServices? Clean mapping to individual teams/domains ● We’re good at writing monoliths ● µServices were never about this anyway
  • 51. Why Is Istio That Shape? @mt165 Istio 1.5 - Date
  • 52. Why Is Istio That Shape? @mt165 Pilot ● That thing I said about a compiler… ● It’s a nice mental model ● It wasn’t true
  • 53. Why Is Istio That Shape? @mt165 Pilot Pilot K8s API Server Envoy Envoy Envoy Envoy k8s consul zk
  • 54. Why Is Istio That Shape? @mt165 Pilot K8s API Server Envoy Envoy Envoy Envoy k8s consul zk
  • 55. Why Is Istio That Shape? @mt165 Pilot K8s API Server Envoy Envoy Envoy Envoy k8s consul zk
  • 56. Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB istiod Control Plane API Service A Service B Config to Envoys TLS certs to Envoys Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy µServices
  • 57. Why Is Istio That Shape? @mt165 Mixer ● Policy: implemented with (new) Envoy-native features
  • 58. Why Is Istio That Shape? @mt165 Envoy SvcA Envoy SvcB istiod Control Plane API Service A Service B Config to Envoys TLS certs to Envoys Envoy Envoy Envoy Envoy Ingress Egress Envoy Envoy Envoy Envoy WASM WASM WASM WASM Telem etry
  • 59. Why Is Istio That Shape? @mt165 Dataplane Topology - Host-Based Proxy #eBPF #sidecarless #nomesh
  • 60. Why Is Istio That Shape? @mt165 Envoy Service A Service B WASM WASM host istiod Control Plane API
  • 61. Why Is Istio That Shape? @mt165 CPU Usage Per Request Idle
  • 62. Why Is Istio That Shape? @mt165 Memory Usage Per Service Config Overhead: programme
  • 63. Why Is Istio That Shape? @mt165 Dataplane Topology - “Ambient Mesh”
  • 64. Why Is Istio That Shape? @mt165 Ambient Mesh - zTunnel host host Service A Service B zTunnel zTunnel Service A
  • 65. Why Is Istio That Shape? @mt165 Ambient Mesh - “Waypoint” Proxies host host Service A Service B zTunnel zTunnel Service A Envoy K8s ServiceAccount A Envoy K8s ServiceAccount B
  • 66. Why Is Istio That Shape? @mt165 Thanks! Slides Videos Demo code mt165.co.uk Questions @mt165