Figure: Istio architecture. Each Node runs an Agent that delivers TLS certs to the Proxy sidecars via Secrets; Service A and Service B each sit behind their own Proxy. The Istio Control Plane consists of Pilot (discovery and config to proxies), Galley (mesh config YAML to the control plane), Citadel (TLS certs to node agents), Mixer (policy checks and telemetry data from proxies) and the Injector (sidecar configuration to Pods); an Ingress Gateway handles ingress traffic.
Installing Istio
Figure: Istio installed in the dev cluster (us-east1-b). The Istio Control Plane (Mixer, Pilot, Galley, Citadel, Ingress Gateway, Injector) runs alongside the demo microservices: AdService, EmailService, CartService, PaymentService, CheckoutService, Frontend, Redis, ShippingService, CurrencyService, RecommendationService and ProductCatalogService; ingress traffic enters through the Ingress Gateway.
Demo
Questions? ⛵
Observability
Observability is a measure of how well the internal states of a system can be inferred from knowledge of its external outputs.
Istio Observability Features
- Service graph: track dependencies at runtime; a bird's eye view of service behavior for issue triage, reducing the time to detect and fix outages
- Automatically collects the "golden signals" for every service: latency, error rate, throughput
- Set, monitor and enforce Service-Level Objectives (SLOs)
- Tracing: track a request from end to end, across service boundaries
Demo
Security
Moving from VMs to Kubernetes introduces new security challenges.
Virtual Machines                           | Kubernetes
Isolation at the host level                | Containers share a host (Node)
Workloads allocated to hosts               | Nodes work as one virtual host
Workloads share OS, dependencies           | Containers have own dependencies
Stable host IPs                            | Ephemeral Pod IPs
May run in a trusted, on-prem environment  | May run in a cloud environment
Istio - Security: automatically secure your services through managed authentication, authorization, and encryption of communication between services. Traffic encryption, service auth, auditing controls, access policies.
Demo: Mutual TLS
MeshPolicy
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: "default"
spec:
  peers:
  # an empty mtls block means STRICT mode: sidecars accept only mutual TLS
  - mtls: {}
DestinationRule
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "default"
  namespace: "istio-system"
spec:
  # client side: every call to an in-mesh *.local host uses Istio-issued certs
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
Demo: Authorization
AuthorizationPolicy
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "currency-policy"
  namespace: default
spec:
  selector:
    matchLabels:
      app: currencyservice
  rules:
  - from:
    - source:
        # identity taken from the caller's mTLS certificate (SPIFFE ID of its service account)
        principals: ["cluster.local/ns/default/sa/frontend-sa"]
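Added example, not from the talk: the policy above only constrains currencyservice, so every other workload in the namespace still accepts any caller. A namespace-wide deny-all policy (an empty spec selects all workloads and matches no request) closes that gap, after which each service needs an explicit allow list. The checkout-sa service account and the ingress gateway account name are assumptions.

```yaml
# Namespace-wide default: selects every workload in "default" and
# matches no request, so all traffic is denied unless allowed elsewhere.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: default
spec: {}
---
# Allow list for currencyservice. Principals come from the client's
# mTLS certificate, so this only works once mutual TLS is enforced.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: currency-policy
  namespace: default
spec:
  selector:
    matchLabels:
      app: currencyservice
  rules:
  - from:
    - source:
        principals:
        - "cluster.local/ns/default/sa/frontend-sa"
        - "cluster.local/ns/default/sa/checkout-sa"   # assumed name
---
# The frontend is reached through the ingress gateway, which runs in
# istio-system under its own service account (default name assumed).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: frontend-policy
  namespace: default
spec:
  selector:
    matchLabels:
      app: frontend
  rules:
  - from:
    - source:
        principals:
        - "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
```

Requests that match none of a workload's rules are rejected by its sidecar with 403, and the denial shows up in the proxy access logs and Mixer telemetry.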
Questions?
DevOps
DevOps is an organizational and cultural movement that aims to increase software delivery velocity, improve service reliability, and build shared ownership among software stakeholders. cloud.google.com/devops
What is DevOps? (Figure: the DevOps loop spanning Dev and Ops: plan, design, build, test, release, deploy, operate, monitor.)
DevOps with Istio
Velocity:
- safe rollouts with traffic splitting
- deprecate legacy services with redirects
- accelerate the customer feedback loop with A/B testing
Reliability:
- set SLOs and alerts on generated metrics
- use circuit breaking and fault injection to harden services
Shared ownership:
- declarative traffic/security policies in a shared Git repo
- scope Istio policies at the namespace level
Istio - Traffic Management: VirtualService, Gateway, DestinationRule, and ServiceEntry. Traffic splitting, traffic steering, fault injection, circuit breaking, egress control.
VirtualService
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: frontend
spec:
  hosts:
  - "frontend.default.svc.cluster.local"
  http:
  - route:
    - destination:
        host: frontend
Gateway
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: frontend-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
DestinationRule
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: frontend
spec:
  host: frontend.default.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
Figure: building up the traffic-management objects step by step. A Kubernetes Deployment manages Pods; a Kubernetes Service fronts them; a second Deployment adds v2 Pods beside v1; a DestinationRule splits the Pods into v1 and v2 subsets; a VirtualService routes to the subsets; two such Service/DestinationRule/VirtualService stacks sit side by side; and finally a Gateway in front of both VirtualServices admits ingress traffic.
Demo: Service Redirect
Service Redirect Scenario: we've moved to a faster payments service, coolcash. We want to deprecate paymentservice (which the Frontend calls as paymentservice:80) and redirect those calls to coolcash.
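Added example, not from the talk: a VirtualService bound to the paymentservice host that sends every call to coolcash instead. The Frontend keeps calling paymentservice:80; its sidecar applies the route, so no client change or redeploy is needed. The coolcash port number is an assumption.

```yaml
# Redirect: any in-mesh request for paymentservice goes to coolcash.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: paymentservice
  namespace: default
spec:
  hosts:
  - paymentservice   # short name resolves within the default namespace
  http:
  - route:
    - destination:
        host: coolcash.default.svc.cluster.local
        port:
          number: 80   # assumed listening port of coolcash
```

Once metrics for paymentservice drop to zero, the old Deployment can be deleted; the VirtualService itself stays until no caller references the old host.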
Demo: Canary Deployment
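Added example, not from the talk: a canary rollout for the frontend using the v1/v2 subsets from the DestinationRule above. Internal testers who send an x-canary header always reach v2, while everyone else is split 90/10; the header name and the weights are assumptions for illustration.

```yaml
# Canary: header-matched route for testers first, then the weighted split.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: frontend
  namespace: default
spec:
  hosts:
  - "frontend.default.svc.cluster.local"
  http:
  # Route 1: testers force the canary with a request header (assumed name).
  - match:
    - headers:
        x-canary:
          exact: "true"
    route:
    - destination:
        host: frontend.default.svc.cluster.local
        subset: v2
  # Route 2: everyone else. Weights must sum to 100; raise v2 step by
  # step as error rate and latency for the v2 subset stay within the SLO,
  # or set v1 back to 100 to roll back without touching the Deployments.
  - route:
    - destination:
        host: frontend.default.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: frontend.default.svc.cluster.local
        subset: v2
      weight: 10
```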