
Service Mesh from the Ground Up: How Istio Can Transform Your - PowerPoint PPT Presentation

Service Mesh from the Ground Up: How Istio Can Transform Your Organization

Megan O'Keefe

Hello! I'm a Developer Relations Engineer at Google Cloud. I help make Google's products easy to adopt and use. I test-drive new features,


  1. [Diagram: Istio architecture. Control plane: Pilot sends discovery & config to the proxies; Galley feeds mesh config YAML to the control plane; Citadel issues TLS certs to node Agents and to proxies via Secrets; Mixer receives policy checks and telemetry data from the proxies; the sidecar Injector delivers sidecar configuration to Pods. Data plane: Service A and Service B run on Nodes, each with a Proxy, alongside a per-node Agent.]

  2. [Diagram: the same Istio architecture as slide 1, with an Ingress Gateway receiving ingress traffic into the mesh.]

  3. Installing Istio

  4. [Diagram: a cluster in zone us-east1-b with a dev namespace.]

  5. [Diagram: the us-east1-b cluster with the Istio Control Plane installed: Mixer, Pilot, Galley, Citadel, Ingress Gateway, Injector.]

  6. [Diagram: the dev namespace populated with the demo microservices (Frontend, AdService, EmailService, CartService, PaymentService, CheckoutService, ShippingService, CurrencyService, RecommendationService, ProductCatalogService, Redis) next to the Istio Control Plane.]

  7. [Diagram: as slide 6, with ingress traffic entering the dev namespace through the Ingress Gateway.]

  8. Demo

  9. Questions? ⛵

  10. Observability

  11. Observability is a measure of how well internal states of a system can be inferred from knowledge of its external outputs.

  12. Istio Observability Features
      - Service graph: track dependencies at runtime. A bird's-eye view of service behavior for issue triage reduces time to detect and fix outages.
      - Automatically collects the "golden signals" for every service: latency, error rate, throughput.
      - Set, monitor and enforce Service-Level Objectives (SLOs).
      - Tracing: track a request from end to end, across service boundaries.

  13. Demo

  14. Security

  15. Moving from VMs to Kubernetes introduces new security challenges.

  16. Virtual Machines vs. Kubernetes

      | Virtual Machines                          | Kubernetes                        |
      |-------------------------------------------|-----------------------------------|
      | Isolation at the host level               | Containers share a host (Node)    |
      | Workloads allocated to hosts              | Nodes work as one virtual host    |
      | Workloads share OS, dependencies          | Containers have own dependencies  |
      | Stable host IPs                           | Ephemeral Pod IPs                 |
      | May run in a trusted, on-prem environment | May run in a cloud environment    |

  17. Istio - Security: automatically secure your services through managed authentication, authorization, and encryption of communication between services.
      - Traffic encryption
      - Service auth
      - Auditing controls
      - Access policies

  18. Demo: Mutual TLS

  19. [Diagram: Istio architecture, as in slide 1.]

  20. MeshPolicy

```yaml
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: "default"
spec:
  peers:
  - mtls: {}
```

  21. DestinationRule

```yaml
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "default"
  namespace: "istio-system"
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

  22. Demo: Authorization

  23. [Diagram: Istio architecture, as in slide 1.]

  24. AuthorizationPolicy

```yaml
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "currency-policy"
  namespace: default
spec:
  selector:
    matchLabels:
      app: currencyservice
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/frontend-sa"]
```
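As an added example (not from the deck), the same currencyservice rule paired with a namespace-wide deny-by-default policy. Istio allows any request to a workload that no AuthorizationPolicy selects, so the empty policy closes that gap; and the principal in the allow rule is the SPIFFE identity the sidecar reads from the caller's mutual-TLS certificate, so the rule only identifies callers once the MeshPolicy from slide 20 is in place.

```yaml
# Added example, not part of the deck. Deny everything in the "default"
# namespace unless a more specific ALLOW policy matches the request.
# A policy with no selector applies to every workload in its namespace,
# and an empty spec matches no request, so nothing is allowed by it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: default
spec: {}
---
# The deck's rule for currencyservice, now layered on the deny-all above.
# Once an ALLOW policy selects a workload, requests matching none of its
# rules are rejected. The principal is "<trust domain>/ns/<ns>/sa/<sa>",
# taken from the client certificate Citadel issued to the frontend pod;
# a plaintext request carries no principal and is therefore denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: currency-policy
  namespace: default
spec:
  selector:
    matchLabels:
      app: currencyservice
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/frontend-sa"]
```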

  25. Questions?

  26. DevOps

  27. DevOps is an organizational and cultural movement that aims to increase software delivery velocity, improve service reliability, and build shared ownership among software stakeholders. cloud.google.com/devops

  28. What is DevOps? [Diagram: the DevOps infinity loop spanning DEV and OPS: plan, design, build, test, release, deploy, operate, monitor.]


  30. DevOps with Istio
      - Velocity: safe rollouts with traffic splitting; deprecate legacy services with redirects; accelerate the customer feedback loop with A/B testing.
      - Reliability: set SLOs and alerts on generated metrics; use circuit breaking and fault injection to harden services.
      - Shared ownership: declarative traffic/security policies in a shared Git repo; scope Istio policies at the namespace level.

  31. Istio - Traffic Management: VirtualService, Gateway, DestinationRule, and ServiceEntry
      - Traffic splitting
      - Traffic steering
      - Fault injection
      - Circuit breaking
      - Egress control

  32. VirtualService

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: frontend
spec:
  hosts:
  - "frontend.default.svc.cluster.local"
  http:
  - route:
    - destination:
        host: frontend
```

  33. Gateway

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: frontend-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
```

  34. DestinationRule

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: frontend
spec:
  host: frontend.default.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
```

  35. [Diagram: a Kubernetes Deployment managing Pods.]

  36. [Diagram: a Kubernetes Service in front of the Deployment and its Pods.]

  37. [Diagram: one Kubernetes Service in front of two Deployments, v1 and v2, each with its own Pods.]

  38. [Diagram: a DestinationRule beside the Kubernetes Service, defining the v1 and v2 subsets of Pods.]

  39. [Diagram: a VirtualService routing to the Kubernetes Service, with the DestinationRule selecting the v1 and v2 Pod subsets.]

  40. [Diagram: two such stacks side by side, each a VirtualService, Kubernetes Service, DestinationRule and v1/v2 Pods.]

  41. [Diagram: a Gateway in front of both VirtualService stacks.]

  42. [DevOps loop diagram, as in slide 28.]

  43. [DevOps loop diagram, as in slide 28.]

  44. Demo: Service Redirect

  45. Service Redirect Scenario: we've moved to a faster payments service, coolcash. We want to deprecate paymentservice and redirect calls to coolcash. [Diagram: Frontend calls paymentservice:80; coolcash is the new target.]

  46. [DevOps loop diagram, as in slide 28.]

  47. Demo: Canary Deployment
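An added example (not from the deck, and not the demo app's own manifests) covering both the service redirect of slide 45 and the canary deployment of slide 47: one VirtualService routes calls still addressed to paymentservice over to coolcash, and one splits frontend traffic between the v1 and v2 subsets declared by the DestinationRule on slide 34. The coolcash Kubernetes Service, its port 80 and the 90/10 weights are assumptions.

```yaml
# Added example, not part of the deck. Redirect: callers keep the host
# "paymentservice" (port 80 on slide 45); the sidecar rewrites the route
# to coolcash, so no client code changes while paymentservice is retired.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: paymentservice-redirect
  namespace: default
spec:
  hosts:
  - paymentservice            # host the Frontend still addresses
  http:
  - route:
    - destination:
        host: coolcash        # assumed: Service "coolcash" in namespace default
        port:
          number: 80          # assumed port of the coolcash Service
---
# Canary: weighted split across the subsets from the slide-34
# DestinationRule. Weights must sum to 100; shift them toward v2 as the
# golden signals (latency, error rate, throughput) for v2 stay healthy.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: frontend
  namespace: default
spec:
  hosts:
  - frontend.default.svc.cluster.local
  http:
  - route:
    - destination:
        host: frontend.default.svc.cluster.local
        subset: v1            # labels version: v1
      weight: 90
    - destination:
        host: frontend.default.svc.cluster.local
        subset: v2            # labels version: v2
      weight: 10
```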
