Adopting a service mesh

@layer5

layer5.io/landscape

Adopter’s Dilemma

Which service mesh to use?

What's the catch? Nothing's for free.

Playground

WHICH SERVICE MESH SHOULD I USE AND HOW DO I GET STARTED?

 

Learn about the functionality of different service meshes and visually manipulate mesh configuration.

Performance Benchmark

WHAT OVERHEAD DOES BEING ON THE SERVICE MESH INCUR?

 

Benchmark the performance of your application across different service meshes and compare their overhead.

layer5.io/meshery

@lcalcote

Service Mesh Architectures

Service Mesh Architecture

@lcalcote

Data Plane

  • Touches every packet/request in the system.
  • Responsible for service discovery, health checking, routing, load balancing, authentication, authorization, and observability.

Ingress Gateway

Egress Gateway

Service Mesh Architecture

@lcalcote

No control plane? Not a service mesh.

Egress Gateway

Control Plane

Data Plane

  • Touches every packet/request in the system.
  • Responsible for service discovery, health checking, routing, load balancing, authentication, authorization, and observability.
  • Provides policy, configuration, and platform integration.
  • Takes a set of isolated stateless sidecar proxies and turns them into a service mesh.
  • Does not touch any packets/requests in the data path.

Ingress Gateway

Service Mesh Architecture

@lcalcote

Control Plane

Data Plane

  • Touches every packet/request in the system.
  • Responsible for service discovery, health checking, routing, load balancing, authentication, authorization, and observability.
  • Provides policy, configuration, and platform integration.
  • Takes a set of isolated stateless sidecar proxies and turns them into a service mesh.
  • Does not touch any packets/requests in the data path.

You need a management plane.

Ingress Gateway

Egress Gateway

Management
Plane

  • Provides monitoring, backend system integration, expanded policy and application configuration.

Pilot

Citadel

Mixer

Control Plane

Data Plane

istio-system namespace

policy check

Foo Pod

Proxy Sidecar

Service Foo

tls certs

discovery & config

Foo Container

Bar Pod

Proxy Sidecar

Service Bar

Bar Container

Out-of-band telemetry propagation

telemetry

 

reports

Control flow

application traffic

Application traffic

application namespace

telemetry reports

Istio Architecture

@lcalcote

Galley

Ingress Gateway

Egress Gateway

Control Plane

Data Plane

linkerd-system namespace

Foo Pod

Proxy Sidecar

Service Foo

Foo Container

Bar Pod

Proxy Sidecar

Service Bar

Bar Container

Out-of-band telemetry propagation

telemetry

 

scarping

Control flow during request processing

application traffic

Application traffic

application namespace

telemetry scraping

@lcalcote

Architecture

destination

Prometheus

Grafana

tap

web

CLI

proxy-api

public-api

Linkerd

proxy-injector

Service Mesh Deployment Models

Client

Edge Cache

Istio Gateway

(envoy)

Cache Generator

Collection of VMs running APIs

service mesh

Istio VirtualService

Istio VirtualService

Istio ServiceEntry

Situation:

  • existing services running on VMs (that have little to no service-to-service traffic).
  • nearly all traffic flows from client to the service and back to client.

 

Benefits:

  • gain granular traffic control (e.g path rewrites).
  • detailed service monitoring without immediately deploying a thousand sidecars.

Ingress

Istio - The Weather Company's Journey

Out-of-band telemetry propagation

Application traffic

@lcalcote

Control flow

Proxy per Node

Service A

Service A

Service A

linkerd

Node (server)

Service A

Service A

Service B

linkerd

Node (server)

Service A

Service A

Service C

linkerd

Node (server)

Advantages:

  • Less (memory) overhead.

  • Simpler distribution of configuration information.

  • primarily physical or virtual server based; good for large monolithic applications.
     

Disadvantages:

  • Coarse support for encryption of service-to-service communication, instead host-to-host encryption and authentication policies.

  • Blast radius of a proxy failure includes all applications on the node, which is essentially equivalent to losing the node itself.

  • Not a transparent entity, services must be aware of its existence.

layer5.io/books

Advantages:

  • Good starting point for building a brand-new microservices architecture or for migrating from a monolith.

Disadvantages:

  • When the number of services increase, it becomes difficult to manage.

Router "Mesh"

Fabric Model

Advantages:

  • Granular encryption of service-to-service communication.

  • Can be gradually added to an existing cluster without central coordination.

Disadvantages:

  • Lack of central coordination. Difficult to scale operationally.

Ingress or Edge Proxy

Advantages:

  • Works with existing services that can be broken down over time.

Disadvantages:

  • Is missing the benefits of service-to-service visibility and control.

Meshery

a multi-service mesh performance benchmark and playground

Configuration

Security

Telemetry

Control Plane

Data
Plane

service mesh ns

Foo Pod

Proxy Sidecar

Service Foo

Foo Container

Bar Pod

Proxy Sidecar

Service Bar

Bar Container

Out-of-band telemetry propagation

Control flow

application traffic

http / gRPC

Application traffic

application namespace

Meshery Architecture

@lcalcote

Ingress Gateway

Egress Gateway

Management
Plane

meshery

adapter

gRPC

kube-api

kube-system

Service Mesh Interface (SMI)

layer5.io/blog/a-standard-interface-for-service-meshes

+

@lcalcote

layer5.io/meshery

Pod Memory Usage

Application resource consumption

@lcalcote

layer5.io/meshery

Pod CPU Usage

Application resource consumption

@lcalcote

layer5.io/meshery

Control Plane Memory

Istio

Linkerd

Consul

@lcalcote

layer5.io/meshery

Control Plane CPU

Istio

Linkerd

Consul

Relative

Showdown!
Slowdown

@lcalcote

layer5.io/meshery

Cores Threads Istio (2) Linkerd
8 8 1 1
8 16 1.7 1.8
8 32 3.2 3.4
8 100 9.3 9.6

(2) mTLS on, tracing off

Relative

Showdown!Slowdown

@lcalcote

layer5.io/meshery

Cores Threads Istio (1) Istio (2) Linkerd
8 8 1 1 1
8 16 1.4 1.7 1.8
8 32 18.4 3.2 3.4
8 100 52.2 9.3 9.6

(1) mTLS on, tracing on

(2) mTLS on, tracing off

Service Mesh Benchmark Specification

A project and vendor-neutral specification for capturing details of:

  1. Environment / Infrastructure

    • Number and size of nodes, orchestrator

  2. Service mesh and its configuration

  3. Service / application details

Bundled with test results.

 

github.com/layer5io/service-mesh-benchmark-spec

@lcalcote

layer5.io/meshery

@lcalcote

layer5.io/meshery

a Service Mesh Community

Layer5.io

Meshery

@layer5

layer5.io/subscribe

KubeCon EU 2019: Service Meshes: At What Cost?

By Lee Calcote

Made with Slides.com

KubeCon EU 2019: Service Meshes: At What Cost?

Presented at KubeCon EU 2019.

  • 845

More from Lee Calcote

  • O'Reilly Online Live Training - December 2020: Advanced Istio
    Lee Calcote
    1277
  • O'Reilly Online Live Training - December 2020: Introduction to Istio
    Lee Calcote
    1320
  • All Day DevOps 2020: Solving the Service Mesh Adopter's Dilemma
    Lee Calcote
    639