Lee Calcote
Clouds, containers, functions, applications and their management.
Lee Calcote
Founder, Layer5
@lcalcote
cloud native and its management
Service Mesh Patterns
slack.layer5.io
layer5.io/books/the-enterprise-path-to-service-mesh-architectures
control over chaos
content-based traffic steering
what gets people hooked on service metrics
identity and policy
Expect more from your infrastructure
in-network application logic
where Dev, Ops, Product meet
Empowered and independent teams can iterate faster
where Dev, Ops, Product meet
Empowered and independent teams can iterate faster
layer5.io/landscape
It's meshy out there.
Different tools for different use cases
a sample
Data Plane
Touches every packet/request in the system.
Responsible for service discovery, health checking, routing, load balancing, authentication, authorization, and observability.
Ingress Gateway
Egress Gateway
No control plane? Not a service mesh.
Control Plane
Provides policy, configuration, and platform integration.
Takes a set of isolated stateless sidecar proxies and turns them into a service mesh.
Does not touch any packets/requests in the data path.
Data Plane
Touches every packet/request in the system.
Responsible for service discovery, health checking, routing, load balancing, authentication, authorization, and observability.
Ingress Gateway
Egress Gateway
Control Plane
Data Plane
Touches every packet/request in the system.
Responsible for service discovery, health checking, routing, load balancing, authentication, authorization, and observability.
Provides policy, configuration, and platform integration.
Takes a set of isolated stateless sidecar proxies and turns them into a service mesh.
Does not touch any packets/requests in the data path.
You need a management plane.
Ingress Gateway
Management
Plane
Provides backend system integration, expanded policy and governance, continuous delivery integration, workflow, chaos engineering,  configuration and performance management and multi-mesh federation.
Egress Gateway
Pilot
Citadel
Mixer
Control Plane
Data Plane
istio-system namespace
policy check
Foo Pod
Proxy Sidecar
Service Foo
tls certs
discovery & config
Foo Container
Bar Pod
Proxy Sidecar
Service Bar
Bar Container
Out-of-band telemetry propagation
telemetry
Â
reports
Control flow
application traffic
Application traffic
application namespace
telemetry reports
Galley
Ingress Gateway
Egress Gateway
Leader
Agent
Control Plane
Data Plane
intentions
Foo Pod
Proxy Sidecar
Service Foo
discovery, config,
Â
tls certs
Foo Container
Bar Pod
Proxy Sidecar
Service Bar
Bar Container
Control flow
application traffic
Application traffic
application namespace
Follower
Consul Client
Consul Servers
Follower
policy
Â
check
layer5.io/service-mesh-architectures
WASM Filter
node
Control Plane
Data Plane
linkerd-system namespace
Foo Pod
Proxy Sidecar
Service Foo
Foo Container
Bar Pod
Proxy Sidecar
Service Bar
Bar Container
Out-of-band telemetry propagation
telemetry
Â
scarping
Control flow during request processing
application traffic
Application traffic
application namespace
telemetry scraping
destination
Prometheus
Grafana
tap
web
CLI
proxy-api
public-api
proxy-injector
Control Plane
Data Plane
octa-system namespace
policy check
Foo Pod
Proxy
Sidecar
Service Foo
discovery & config
Foo Container
Bar Pod
Service Bar
Bar Container
Out-of-band telemetry propagation
telemetry
Â
reports
Control flow
application traffic
Application traffic
application namespace
telemetry reports
Policy
Engine
Security Engine
Visibility
Engine
+
Proxy
Sidecar
+
Client
Edge Cache
Istio Gateway
(envoy)
Cache Generator
Collection of VMs running APIs
service mesh
Istio VirtualService
Istio VirtualService
Istio ServiceEntry
Situation:
existing services running on VMs (that have little to no service-to-service traffic).
nearly all traffic flows from client to the service and back to client.
Â
Benefits:
gain granular traffic control (e.g path rewrites).
detailed service monitoring without immediately deploying a thousand sidecars.
Out-of-band telemetry propagation
Application traffic
Control flow
Service A
Service A
Service A
maesh
Node (server)
Service A
Service A
Service B
maesh
Node (server)
Service A
Service A
Service C
maesh
Node (server)
Advantages:
Less (memory) overhead.
Simpler distribution of configuration information.
primarily physical or virtual server based; good for large monolithic applications.
Â
Disadvantages:
Coarse support for encryption of service-to-service communication, instead host-to-host encryption and authentication policies.
Blast radius of a proxy failure includes all applications on the node, which is essentially equivalent to losing the node itself.
Not a transparent entity, services must be aware of its existence.
layer5.io/books
Advantages:
Good starting point for building a brand-new microservices architecture or for migrating from a monolith.
Disadvantages:
When the number of services increase, it becomes difficult to manage.
Advantages:
Granular encryption of service-to-service communication.
Can be gradually added to an existing cluster without central coordination.
Disadvantages:
Lack of central coordination. Difficult to scale operationally.
Advantages:
Works with existing services that can be broken down over time.
Disadvantages:
Is missing the benefits of service-to-service visibility and control.
Meshery is interoperable with these abstractions.
Service Mesh Interface
(SMI)
Multi-Vendor Service Mesh Interoperation (Hamlet)
Service Mesh Performance Specification (SMPS)
A standard interface for service meshes on Kubernetes.
A set of API standards for enabling service mesh federation.
A format for describing and capturing service mesh performance.
to the rescue
benchmarking of service mesh performance
Â
exchange of performance information from system-to-system / mesh-to-mesh
Â
apples-to-apples performance comparisons of service mesh deployments.
Â
MeshMark - a universal performance index to gauge a service mesh’s efficiency against deployments in other organizations’ environments
Â
https://smp-spec.io
Directly provides:
Indirectly facilitates:
Latency, throughput, and the proxies’ CPU and memory consumption affected by these factors
Data Plane
Proxy sidecar
App Container
Pod
Â
with many variables
Data plane performance depends on many factors, for example:
Understanding the trade-off between power and speed
Data Plane
Proxy sidecar
App Container
Pod
Speed
Data Plane
Proxy sidecar
App Container
Pod
Data Plane
Proxy sidecar
App Container
Pod
Power
Speed
Data Plane
Pod
Proxy sidecar
App Container
Comparing approaches to data plane filtering
Data Plane
App Container
Pod
Client Library Â
Proxy sidecar
Rate limiting with Go client library
Rate limiting with WASM module (Rust filter)
Power
Speed
Data Plane
Proxy sidecar
App Container
Pod
for the web, malware and beyond
webassembly.org
Image Access Container
Image Access Pod
Image Access Service
Envoy sidecar
github.com/layer5io/image-hub
WASM Filter
with a Rust-based WASM filter
apiVersion: apps/v1
kind: Deployment
spec:
template:
metadata:
labels:
app: api-v1
annotations:
"consul.hashicorp.com/connect-inject": "true"
"consul.hashicorp.com/service-meta-version": "1"
"consul.hashicorp.com/service-tags": "v1"
"consul.hashicorp.com/connect-service-protocol": "http"
"consul.hashicorp.com/connect-wasm-filter-add_header": "/filters/optimized.wasm"
spec:
containers:
- name: api
image: layer5/image-hub-api:latest
Leader
Follower
Consul Servers
Follower
agent
node
Service Mesh Performance (SMP)
Understand value vs overhead
Meshery analyzes your service mesh and workload configuration
operate with confidence
Assess your service mesh configuration against deployment and operational best practices with Meshery's configuration validator.
Operate and upgrade with confirmation of SMI compatibility
✔︎ Learn Layer5 sample application used for validating test assertions.
Â
 ✔︎ Defines compliant behavior.
 ✔︎ Produces compatibility matrix.
 ✔︎ Ensures provenance of results.
 ✔︎ Runs a set of conformance tests.
 ✔︎ Built into participating service mesh’s release pipeline.
Configuration
Security
Telemetry
Control Plane
Data
Plane
service mesh ns
Foo Pod
Proxy Sidecar
Service Foo
Foo Container
Bar Pod
Proxy Sidecar
Service Bar
Bar Container
Out-of-band telemetry propagation
Control flow
application
traffic
Application traffic
application namespace
Ingress Gateway
Egress Gateway
Management
Plane
meshery
adapter
gRPC
kube-api
kube-system
generated load
http / gRPC traffic
fortio
wrk2
nighthawk
UI
server
workloads
Meshery WASM Filter
CLI
perf analysis
Join the discussion
identifying your optimal configuration for most requests
In the presence of Bucket 1...
...take your largest segment by count and divide by your number of cores
Bucket 2
Bucket 1
Bucket 3
Bucket 4
meshery.io
Use Meshery's powerful performance management features
- easily reproduce tests
- persist test results
- use different load generators
- baseline and compare over time
- test your workloads on and off the mesh
- tweak configurations and try again
- compare 6 different service meshes and counting...
github.com/layer5io/image-hub
Functionality | In the app | In the filter |
---|---|---|
User / Token | ||
Subscription Plans | ||
Plan Enforcement |
a sample app
TwoÂ
application containers
Hub UI Pod
Image Storage Container
Image Storage Pod
Hub UI
Container
Image Storage Service
Hub UI Service
github.com/layer5io/image-hub
Hub UI Pod
Image Access Container
Image Access Pod
Hub UI
Container
Image Access Service
Hub UI Service
Envoy sidecar
Envoy sidecar
github.com/layer5io/image-hub
with Consul
Leader
Follower
Consul Servers
Follower
agent
Consul Client
node
layer5.io/books/the-enterprise-path-to-service-mesh-architectures
Container
Orchestrator
Mesh
5.5 years
(Jun 2014)
4.5 years
(Jul 2015)
3 years
(Apr 2017)
5.5 years ago
(Jun 2014)
7 years ago
(Mar 2013)
4 years ago
(Feb 2016)
By Lee Calcote
Presented at Open Infrastructure Summit 2020 in October 2020.
Clouds, containers, functions, applications and their management.