The document discusses the benefits of using Istio service mesh to connect microservices. Istio provides a standard sidecar proxy that handles tasks like load balancing, failure recovery, metrics collection, and traffic management for microservices. It also provides interfaces to configure and manage policies separately from application code. This allows clear separation between application development and operations tasks like routing, monitoring, and access control configuration.
Ato2019 weave-services-istio
1. Weave Your Microservices With Istio
Lin Sun
Senior Technical Staff Member, IBM
@linsun_unc
Photo by Markos Mant on Unsplash
3. IBM Cloud
// Step 1: the naive call. Every networking concern is left to the application.
try {
  HttpResponse response = httpClient.get("http://secretsauce.internal/recipe");
  cook(response.body);
} catch (NetworkError ne) {
  fixmePleaseOMG(ne); // no failure strategy yet
}
Credit to Louis Ryan for this fun example
4. IBM Cloud
// Step 2: client-side load balancing creeps into the application.
try {
  // Load balancing: resolve the SRV record and pick an endpoint ourselves
  IP ip = DNS.lookupSRV("secretsauce.internal").pickOne();
  HttpResponse response = httpClient.open(ip).get("http://secretsauce.internal/recipe");
  cook(response.body);
} catch (NetworkError ne) {
  fixmePleaseOMG(ne);
}
5. IBM Cloud
// Step 3: retries with random backoff are added on top.
for (int i = 0; i < 3; i++) { // Retry: up to three attempts
  try {
    IP ip = DNS.lookupSRV("secretsauce.internal").pickOne();
    HttpResponse response = httpClient.open(ip).get("http://secretsauce.internal/recipe");
    cook(response.body);
    break; // success: stop retrying
  } catch (NetworkError ne) {
    if (i == 2) fixmePleaseOMG(ne);
    else Thread.sleep(random(5) * 1000); // back off 0-4 seconds before the next attempt
  }
}
6. IBM Cloud
// Step 4: the application now also loads and presents a credential.
Secret key = new Secret(new File("/somewhere/safe/key")); // Auth: secret handling in app code
for (int i = 0; i < 3; i++) {
  try {
    IP ip = DNS.lookupSRV("secretsauce.internal").pickOne();
    HttpResponse response = httpClient.open(ip)
        .setHeader("Authorization", key.toString())
        .get("http://secretsauce.internal/recipe");
    cook(response.body);
    break; // success: stop retrying
  } catch (NetworkError ne) {
    if (i == 2) fixmePleaseOMG(ne);
    else Thread.sleep(random(5) * 1000);
  }
}
7. IBM Cloud
// Step 5: ad-hoc telemetry. Load balancing, retries, auth and logging are all
// now tangled into what started as a one-line call.
Secret key = new Secret(new File("/somewhere/safe/key"));
for (int i = 0; i < 3; i++) {
  try {
    IP ip = DNS.lookupSRV("secretsauce.internal").pickOne();
    HttpResponse response = httpClient.open(ip)
        .setHeader("Authorization", key.toString())
        .get("http://secretsauce.internal/recipe");
    log("Success"); // Telemetry: hand-rolled per call site
    cook(response.body);
    break; // success: stop retrying
  } catch (NetworkError ne) {
    log("Failed");
    if (i == 2) fixmePleaseOMG(ne);
    else Thread.sleep(random(5) * 1000);
  }
}
19. IBM Cloud
What is Istio?
- An open service mesh platform
- Provides a language-neutral standard attachment (the sidecar proxy) to your application container
- Provides user interfaces to configure policies for the attachment, without redeploying your application
- Enables clear separation between the application (Dev) and the attachment (Ops)
24. IBM Cloud
[Architecture diagram: inside the mesh boundary, sidecar proxies exchange policy checks and telemetry with the control plane; the Kubernetes API server, sidecar-injector, ingress-gateway and egress-gateway are shown; kubectl and istioctl sit on the management flow, while the data flow runs between the proxies.]
25. IBM Cloud
Install Istio
• Nothing Magic… Istio is just a bunch of CRDs, services, deployments,
config maps, secrets
• Installation Profiles
• Recommended: start with the demo profile for evaluation
• Use the default profile as the starting point for production usage
26. IBM Cloud
Deploy microservices to the mesh
• istioctl kube-inject
• kubectl label namespace {namespace} istio-injection=enabled
• istioctl add-to-mesh
• istioctl describe
https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/
27. IBM Cloud
Deploy pods and services to the mesh
• Add a named service port for each service port (name it <protocol>[-<suffix>], e.g. http, grpc, tcp)
• Declare containerPort configuration for each pod port
• Pod must have a service associated
• Label deployments with app and version
• Don't use UID 1337: istio-init exempts the proxy's UID from iptables redirection, so an application container running as 1337 would bypass the sidecar entirely
• Do you have NET_ADMIN privilege? The istio-init container needs the NET_ADMIN capability to install the iptables rules, so cluster pod security policy must allow it
https://istio.io/docs/setup/kubernetes/prepare/requirements/
apiVersion: v1
kind: Service
metadata:
  name: productpage
  labels:
    app: productpage
    service: productpage
spec:
  ports:
  - port: 9080
    name: http
  selector:
    app: productpage
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: productpage-v1
  labels:
    app: productpage
    version: v1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: productpage
        version: v1
    spec:
      containers:
      - name: productpage
        image: istio/examples-bookinfo-productpage-v1:1.10.1
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9080
bookinfo.yaml
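The requirements listed on this slide are easy to violate across a large set of manifests, and the consequences range from a missing sidecar to a container that silently bypasses the proxy. As an added example, not Istio's own tooling (istioctl describe on the previous slide is the project's check), the Python script below lints parsed manifests against those rules. It takes manifests as plain dicts, the shape yaml.safe_load_all() yields, so it runs without a YAML library. Both sample inputs are constructed here: the first mirrors the productpage excerpt above, the second breaks every rule at least once. NET_ADMIN is not checked, since that is a cluster admission-policy question rather than a property of the workload manifest.

```python
"""Pre-flight lint of Kubernetes manifests against the Istio sidecar requirements
listed on the slide. Added example, not Istio's own tooling. Manifests are plain
dicts (what yaml.safe_load_all() yields), so the script runs without a YAML library."""

PROXY_UID = 1337  # UID istio-init exempts from iptables redirection; app containers must not use it
# Protocol prefixes Istio accepts in Service port names (<protocol>[-<suffix>]).
PROTOCOL_PREFIXES = {"http", "http2", "https", "grpc", "grpc-web",
                     "mongo", "mysql", "redis", "tcp", "tls"}
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet"}


def _selects(selector, labels):
    """Kubernetes equality selector: every selector key must match a pod label."""
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())


def check_manifests(docs):
    """Return a list of findings; an empty list means the manifests meet the requirements."""
    findings = []
    services = [d for d in docs if d.get("kind") == "Service"]
    workloads = [d for d in docs if d.get("kind") in WORKLOAD_KINDS]

    for svc in services:
        name = svc["metadata"]["name"]
        for port in svc["spec"].get("ports", []):
            pname = port.get("name", "")
            if not pname:
                findings.append(f"service/{name}: port {port['port']} is unnamed; name it <protocol>[-suffix]")
            elif pname.split("-", 1)[0] not in PROTOCOL_PREFIXES:
                findings.append(f"service/{name}: port name {pname!r} does not start with a known protocol")

    for wl in workloads:
        ref = f"{wl['kind'].lower()}/{wl['metadata']['name']}"
        template = wl["spec"]["template"]
        labels = template["metadata"].get("labels", {})
        pod_spec = template["spec"]
        for key in ("app", "version"):
            if key not in labels:
                findings.append(f"{ref}: pod template lacks the '{key}' label")
        if not any(_selects(s["spec"].get("selector", {}), labels) for s in services):
            findings.append(f"{ref}: no Service selects its pods")
        # runAsUser may be set at pod level or per container; either one matters.
        uids = {pod_spec.get("securityContext", {}).get("runAsUser")}
        for c in pod_spec.get("containers", []):
            uids.add(c.get("securityContext", {}).get("runAsUser"))
            if not c.get("ports"):
                findings.append(f"{ref}: container {c['name']} declares no containerPort")
        if PROXY_UID in uids:
            findings.append(f"{ref}: runs as UID {PROXY_UID}, so its traffic would bypass the sidecar")
    return findings


# Constructed sample input mirroring the bookinfo productpage excerpt above.
PRODUCTPAGE = [
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "productpage", "labels": {"app": "productpage", "service": "productpage"}},
     "spec": {"ports": [{"port": 9080, "name": "http"}], "selector": {"app": "productpage"}}},
    {"apiVersion": "extensions/v1beta1", "kind": "Deployment",
     "metadata": {"name": "productpage-v1", "labels": {"app": "productpage", "version": "v1"}},
     "spec": {"replicas": 1, "template": {
         "metadata": {"labels": {"app": "productpage", "version": "v1"}},
         "spec": {"containers": [{"name": "productpage",
                                  "image": "istio/examples-bookinfo-productpage-v1:1.10.1",
                                  "ports": [{"containerPort": 9080}]}]}}}},
]

# Constructed counter-example: breaks every rule at least once.
BROKEN = [
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "legacy"},
     "spec": {"ports": [{"port": 8080}, {"port": 9090, "name": "metrics"}],
              "selector": {"app": "legacy"}}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "legacy-v1"},
     "spec": {"template": {"metadata": {"labels": {"app": "legacy"}},
                           "spec": {"securityContext": {"runAsUser": 1337},
                                    "containers": [{"name": "legacy", "image": "legacy:1"}]}}}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "orphan-v1"},
     "spec": {"template": {"metadata": {"labels": {"app": "orphan", "version": "v1"}},
                           "spec": {"containers": [{"name": "orphan", "image": "orphan:1",
                                                    "ports": [{"containerPort": 80}]}]}}}},
]

if __name__ == "__main__":
    for label, docs in (("productpage", PRODUCTPAGE), ("broken", BROKEN)):
        problems = check_manifests(docs)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it against real files by feeding the output of yaml.safe_load_all() into check_manifests(); the UID 1337 finding is the one to treat as a security issue rather than a hygiene issue, because such a pod is inside the mesh on paper but outside it on the wire.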
28. IBM Cloud
initContainers:
- args:
  - -p
  - "15001"
  - -u
  - "1337"
  - -m
  - REDIRECT
  - -i
  - '*'
  - -x
  - ""
  - -b
  - "*"
  - -d
  - "15020"
  image: docker.io/istio/proxy_init:1.1.0
  imagePullPolicy: IfNotPresent
  name: istio-init
  resources:
    limits:
      cpu: 100m
      memory: 50Mi
    requests:
      cpu: 10m
      memory: 10Mi
  securityContext:
    capabilities:
      add:
      - NET_ADMIN
volumes:
- emptyDir:
    medium: Memory
  name: istio-envoy
- name: istio-certs
  secret:
    optional: true
    secretName: istio.default
FROM ubuntu:xenial
RUN apt-get update && apt-get upgrade -y && \
    apt-get install -y \
    iproute2 \
    iptables \
    && rm -rf /var/lib/apt/lists/*
ADD istio-iptables.sh /usr/local/bin/
ENTRYPOINT ["/usr/local/bin/istio-iptables.sh"]
Dockerfile.proxy_init

echo ' -p: Specify the envoy port to which redirect all TCP traffic (default $ENVOY_PORT = 15001)'
echo ' -u: Specify the UID of the user for which the redirection is not'
echo '     applied. Typically, this is the UID of the proxy container'
# shellcheck disable=SC2016
echo '     (default to uid of $ENVOY_USER, uid of istio_proxy, or 1337)'
echo ' -g: Specify the GID of the user for which the redirection is not'
echo '     applied. (same default value as -u param)'
echo ' -m: The mode used to redirect inbound connections to Envoy, either "REDIRECT" or "TPROXY"'
# shellcheck disable=SC2016
echo '     (default to $ISTIO_INBOUND_INTERCEPTION_MODE)'
echo ' -b: Comma separated list of inbound ports for which traffic is to be redirected to Envoy (optional). The'
echo '     wildcard character "*" can be used to configure redirection for all ports. An empty list will disable'
# shellcheck disable=SC2016
echo '     all inbound redirection (default to $ISTIO_INBOUND_PORTS)'
echo ' -d: Comma separated list of inbound ports to be excluded from redirection to Envoy (optional). Only applies'
# shellcheck disable=SC2016
echo '     when all inbound traffic (i.e. "*") is being redirected (default to $ISTIO_LOCAL_EXCLUDE_PORTS)'
echo ' -i: Comma separated list of IP ranges in CIDR form to redirect to envoy (optional). The wildcard'
echo '     character "*" can be used to redirect all outbound traffic. An empty list will disable all outbound'
# shellcheck disable=SC2016
echo '     redirection (default to $ISTIO_SERVICE_CIDR)'
echo ' -x: Comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all '
istio-iptables.sh
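The arguments passed to the init container above are the entire interception policy for the pod, and reading them as a decision table makes the security consequences visible: in particular why an application container must not run as UID 1337, and why every -d or -x exclusion is a blind spot for Envoy's policy and telemetry. The Python model below is an added example, not the istio-iptables.sh script itself. It encodes only what the help text describes (the UID/GID owner exemption, inbound port include/exclude, outbound CIDR include/exclude) and assumes, because the slide's help text is cut off at -x, that -x like -d applies only when '*' is selected. Loopback handling, TPROXY mode and the separate inbound capture port that later releases use are left out. The 169.254.169.254/32 exclusion in the demo is a constructed illustration of an -x entry, not a recommendation.

```python
"""Decision model of the istio-init iptables redirection for the flags on the slide.
Added example, not Istio's script: it answers, for one connection, whether the
kernel would hand it to Envoy or let it reach the application/network directly."""
import ipaddress
from dataclasses import dataclass


@dataclass
class RedirectConfig:
    envoy_port: int = 15001          # -p: port intercepted TCP traffic is sent to
    proxy_uid: int = 1337            # -u: traffic owned by this UID is never redirected
    proxy_gid: int = 1337            # -g: same for the GID; defaults to the -u value
    inbound_ports: str = "*"         # -b: "*" = all, "" = none, or "80,9080"
    inbound_exclude: str = "15020"   # -d: inbound ports left alone, only honoured with -b '*'
    outbound_cidrs: str = "*"        # -i: "*" = all, "" = none, or a CIDR list
    outbound_exclude: str = ""       # -x: CIDRs left alone; assumed to apply only with -i '*'


def _port_set(spec):
    return {int(p) for p in spec.split(",") if p.strip()}


def _networks(spec):
    return [ipaddress.ip_network(c.strip()) for c in spec.split(",") if c.strip()]


def inbound_target(cfg, dst_port):
    """Port an inbound connection to dst_port is redirected to, or None if it hits the app directly."""
    if cfg.inbound_ports == "":
        return None                                   # empty -b: inbound interception disabled
    if cfg.inbound_ports == "*":
        return None if dst_port in _port_set(cfg.inbound_exclude) else cfg.envoy_port
    return cfg.envoy_port if dst_port in _port_set(cfg.inbound_ports) else None


def outbound_target(cfg, uid, gid, dst_ip):
    """Port an outbound connection from (uid, gid) to dst_ip is redirected to, or None."""
    if uid == cfg.proxy_uid or gid == cfg.proxy_gid:
        return None                                   # owner match: Envoy's own traffic, or anything posing as it
    if cfg.outbound_cidrs == "":
        return None                                   # empty -i: outbound interception disabled
    ip = ipaddress.ip_address(dst_ip)
    if cfg.outbound_cidrs == "*":
        if any(ip in net for net in _networks(cfg.outbound_exclude)):
            return None                               # -x exclusion: never seen by Envoy
        return cfg.envoy_port
    return cfg.envoy_port if any(ip in net for net in _networks(cfg.outbound_cidrs)) else None


SLIDE_CONFIG = RedirectConfig()  # the istio-init args shown above: -p 15001 -u 1337 -i '*' -x '' -b '*' -d 15020

if __name__ == "__main__":
    cfg = SLIDE_CONFIG
    print("app (uid 1000) -> 10.4.2.7:", outbound_target(cfg, 1000, 1000, "10.4.2.7"))
    print("process as uid 1337 -> 10.4.2.7:", outbound_target(cfg, 1337, 1337, "10.4.2.7"))
    print("inbound :9080 ->", inbound_target(cfg, 9080))
    print("inbound :15020 ->", inbound_target(cfg, 15020))
    # Constructed: an -x exclusion. Whatever is listed here is invisible to Envoy's policy and telemetry.
    excluded = RedirectConfig(outbound_exclude="169.254.169.254/32")
    print("app -> 169.254.169.254 with -x:", outbound_target(excluded, 1000, 1000, "169.254.169.254"))
```

The model makes the earlier requirement concrete: a process running as UID (or GID) 1337 leaves the mesh for all outbound traffic, and any port listed with -d reaches the application without passing through the proxy. Treat both lists as part of the pod's security review, not just its networking setup.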
44. IBM Cloud
More Sidecar Debug
$ istioctl dashboard envoy $(kubectl get pod -l app=productpage -o jsonpath='{.items[0].metadata.name}')
http://localhost:56740
49. IBM Cloud
2019 Istio Themes
• Project Sustainability
• Layering and Extensibility
• Improved Experience
• Performance and Scalability
50. IBM Cloud
Istio 2019 Predictable Releases
• Istio 1.0: launched July 2018
• Istio 1.1: February 2019
• Istio 1.2: June 2019
• Istio 1.3: September 2019
• Istio 1.4: unreleased at the time of the talk
51. IBM Cloud
2019 Istio Key Updates
• All outbound traffic is allowed by default (outboundTrafficPolicy ALLOW_ANY); set the mode to REGISTRY_ONLY if egress to destinations outside the service registry must be blocked
• Mixer-policy is not enabled by default
• Multicluster Istio for non-flat networks
• Introduce Sidecar resource
• Intelligent protocol sniffing
• Various istioctl UX improvements
52. IBM Cloud
How to contribute
• Contribute via discuss or slack
• Gain membership Status
• Consult existing maintainers
• Gain maintainer status
• Attend WG Meetings
53. IBM Cloud
• Preview available around KubeCon US 2019
• Final book available by end of 2019