Istio Playground

Istio Playground
@adersberger @qaware

Our network today
— Optimize ﬁrst: Switch network off and on again and
use 5GHz networking
— Plan A: Local installation
— Plan B: Use GKE clusters
— Plan C: Use Katacoda
— Plan D: Steamworks

Workshop Prerequisites
— Bash
— git Client
— Text editor (like VS.Code)

Baby Step: Grab the Code
git clone https://github.com/adersberger/istio-playground
cd istio-playground/code

Baby Step: Install a (local) Kubernetes Cluster
https://www.docker.com/community-edition
— Preferences: enable Kubernetes
— Preferences: increase resource usage to 3 cores and 8
GB memory

The Ultimate Guide to Fix Strange Kubernetes Behavior

Setup Kubernetes Environment
# Switch k8s context
kubectl config use-context docker-for-desktop
# Deploy k8s dashboard
kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
# Extract id of default service account token (referred as TOKENID)
kubectl describe serviceaccount default
# Grab token and insert it into k8s Dashboard UI auth dialog
kubectl describe secret TOKENID
# Start local proxy
kubectl proxy --port=8001 &
# Open k8s Dashboard
open http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login

Deploy Istio
curl -L https://git.io/getLatestIstio | sh -
cd istio-1.0.1
export PATH=$PWD/bin:$PATH
istioctl version
# deploy Istio
# (demo setting, default deployment is via Helm)
kubectl apply -f install/kubernetes/istio-demo.yaml
kubectl get pods -n istio-system
# label default namespace to be auto-sidecarred
kubectl label namespace default istio-injection=enabled
kubectl get namespace -L istio-injection

Deploy Sample Application (BookInfo)
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
kubectl get pods
istioctl create -f samples/bookinfo/networking/bookinfo-gateway.yaml
istioctl get gateways
open http://localhost/productpage

Se!ing the Sails with Istio 1.0.1

Sample Application: BookInfo1
1
Istio BookInfo Sample (https://istio.io/docs/examples/bookinfo)

Bookinfo: Gateway
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"

Bookinfo: VirtualService
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "*"
gateways:
- bookinfo-gateway
http:
- match:
- uri:
exact: /productpage
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage
port:
number: 9080

Bookinfo: DestinationRule
kind: DestinationRule
metadata:
name: productpage
spec:
host: productpage
subsets:
- name: v1
labels:
version: v1

Hands-on: Have a look around
the YAMLs and Dashboard

Expose Istio Observability Tools
#Metrics: Prometheus
kubectl expose deployment prometheus --name=prometheus-expose
--port=9090 --target-port=9090 --type=LoadBalancer -n=istio-system
#Metrics: Grafana
kubectl expose deployment grafana --name=grafana-expose
open http://localhost:3000/d/1/istio-dashboard
#Tracing: Jaeger
kubectl expose deployment istio-tracing --name=tracing-expose
open http://localhost:16686
#Tracing: ServiceGraph
kubectl expose service servicegraph --name=servicegraph-expose
open http://localhost:8088/force/forcegraph.html
open http://localhost:8088/dotviz

Deploy Missing Observability Feature: Log Analysis
(EFK)
cd .. #go to istio-playground/code
kubectl apply -f logging-stack.yaml
kubectl get pods -n=logging
kubectl expose deployment kibana --name=kibana-expose
--port=5601 --target-port=5601 --type=LoadBalancer -n=logging
istioctl create -f fluentd-istio.yaml

Deploy Missing Observability Feature: Log Analysis
(EFK)
open http://localhost:5601/app/kibana
— Perform some requests to the BookInfo application
— Use * as the index pattern
— Select @timestamp as the time ﬁlter ﬁeld name

ﬂuentd-istio.yaml (1/3)
# Configuration for logentry instances
apiVersion: "config.istio.io/v1alpha2"
kind: logentry
metadata:
name: newlog
namespace: istio-system
spec:
severity: '"info"'
timestamp: request.time
variables:
source: source.labels["app"] | source.service | "unknown"
user: source.user | "unknown"
destination: destination.labels["app"] | destination.service | "unknown"
responseCode: response.code | 0
responseSize: response.size | 0
latency: response.duration | "0ms"
monitored_resource_type: '"UNSPECIFIED"'

# Configuration for a fluentd handler
kind: fluentd
metadata:
name: handler
spec:
address: "fluentd-es.logging:24224"

# Rule to send logentry instances to the fluentd handler
kind: rule
metadata:
name: newlogtofluentd
spec:
match: "true" # match for all requests
actions:
- handler: handler.fluentd
instances:
- newlog.logentry

Stimulate!
slapper -rate 4 -targets ./target -workers 2 -maxY 15s
Download from: https://github.com/adersberger/slapper/
releases/tag/0.1

Slapper2
in action
2
Key bindings:
q, ctrl-c - quit
r - reset stats
k - increase rate by 100 RPS
j - decrease rate by 100 RPS

Observability Outlook: Kiali (macOS setup)
brew install gettext
brew link --force gettext
# follow k8s setup guide: https://www.kiali.io/gettingstarted
kubectl expose deployment kiali --name=kiali-expose
open http://localhost:20001
# login with admin/admin

Sample Desination Rule
kind: DestinationRule
metadata:
name: reviews
spec:
host: reviews
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
- name: v3
labels:
version: v3

Canary Releases: A/B Testing
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- match:
- headers:
end-user:
exact: jason
route:
- destination:
host: reviews
subset: v2
- route:
- destination:
host: reviews
subset: v1

Canary Releases: A/B Testing
cd istio-1.0.1
istioctl create -f samples/bookinfo/networking/virtual-service-all-v1.yaml
istioctl create -f samples/bookinfo/networking/destination-rule-all.yaml
istioctl replace -f samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
#open BookInfo application and login as user jason (password jason)
open http://localhost/productpage
— login as "jason" / "jason" leads to v2 (black stars)
— anonymous user leads to v1 (no stars)

Canary Releases: Rolling Upgrade
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- route:
- destination:
host: reviews
subset: v1
weight: 50
- destination:
host: reviews
subset: v3
weight: 50
istioctl replace -f samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml

Canary Releases: Blue/Green
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- route:
- destination:
host: reviews
subset: v3
istioctl replace -f samples/bookinfo/networking/virtual-service-reviews-v3.yaml
istioctl get routerules

Time to Play!
Traffic Management Resiliency Security Observability
Request Routing Timeouts mTLS Metrics
Load Balancing Circuit Breaker Role-Based Access Control Logs
Traffic Shifting Health Checks (active,
passive)
Workload Identity Traces
Traffic Mirroring Retries Authentication Policies
Service Discovery Rate Limiting CORS Handling
Ingress, Egress Delay & Fault Injection TLS Termination, SNI
API Specification Connection Pooling
Multicluster Mesh
https://istio.io/docs/tasks
https://istio.io/about/feature-stages

FAQ
Q: How does the Envoy proxy intercept requests?
A: With IPtable rules (alls rules pointing to envoy)
Q: How does the auto-sidecar magic work?
A: With an Istio admission controller enhancing the
deployments
Q: How can I list all Istio custom resource deﬁnitions
and commands?
A: kubectl api-resources
Q: I can't see any metrics, logs, traces. What should I do?
A: Restart istio-telemetry Deploment or kubectl replace
-f fluentd-istio.yaml

Istio Playground

Related slideshows

More Related Content

Istio Playground