Kubernetes and Istio demo
![](https://s3.amazonaws.com/media-p.slid.es/uploads/841021/images/4978574/logo.png)
Service Mesh - service-to-service communication
Service Mesh's Control Plane
Istio
- Greek word for "sail"
- Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection
- Layer 7 firewall + load balancer, ingress, blocking outgoing traffic, tracing, monitoring, logging
- Policies and Telemetry: Prometheus, StatsD, FluentD and many others...
Istio architecture
- Envoy - a high-performance proxy that mediates all inbound and outbound traffic for all services in the service mesh.
- Pilot - provides service discovery for the Envoy sidecars and traffic management capabilities for intelligent routing.
- Mixer - enforces access control and usage policies across the service mesh, and collects telemetry data from the Envoy proxy and other services.
- Citadel - provides strong service-to-service and end-user authentication with built-in identity and credential management.
Istio types
- DestinationRule configures the set of policies to be applied to a request after VirtualService routing has occurred. (Circuit Breaker, Load Balancers, TLS settings, Subset definition)
- VirtualService defines the rules that control how requests for a service are routed within an Istio service mesh.
- ServiceEntry is commonly used to enable requests to services outside of an Istio service mesh.
- Gateway configures a load balancer for HTTP/TCP traffic, most commonly operating at the edge of the mesh to enable ingress traffic for an application.
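
Added example (not from the original slides): a DestinationRule and VirtualService pair for the types listed above, showing mutual TLS, a circuit breaker, subsets, and weighted routing. The `reviews` service name, the `version` labels, and all numeric limits are assumed values.

```yaml
# Constructed example: service name, labels and limits are assumptions.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL          # sidecars use mesh-issued certificates for mutual TLS
    loadBalancer:
      simple: ROUND_ROBIN
    connectionPool:               # circuit breaker: cap connections and queued requests
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 10
    outlierDetection:             # eject hosts that keep failing
      consecutiveErrors: 5        # newer Istio releases name this consecutive5xxErrors
      interval: 10s
      baseEjectionTime: 30s
  subsets:                        # subsets are selected by pod labels
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:                        # routing happens first, then the DestinationRule applies
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v2
      weight: 10
```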
Traffic Management with Istio
Istio Security Architecture
Istio Multicluster
Multiple k8s clusters managed by single Istio instance
Demo
- K8S OpenStack / Minikube
- Terraform, Helm, kubectl, Siege or Docker
- 3 VMs (one master + 2 nodes)
- Central logging -> ELK Operator + rook.io Operator (as shared storage)
Kubernetes and Istio demo
By Petr Ruzicka