Service Mesh - service-to-service communication
Service Mesh's Control Plane
- Greek word for "sail"
- Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection
- Layer 7 firewall + load balancer, ingress, blocking outgoing traffic, tracing, monitoring, logging
- Policies and Telemetry: Prometheus, StatsD, FluentD and many others...
- Envoy - is a high-performance proxy to mediate all inbound and outbound traffic for all services in the service mesh.
- Pilot - provides service discovery for the Envoy sidecars, traffic management capabilities for intelligent routing.
- Mixer - enforces access control and usage policies across the service mesh, and collects telemetry data from the Envoy proxy and other services.
- Citadel - provides strong service-to-service and end-user authentication with built-in identity and credential management.
- DestinationRule configures the set of policies to be applied to a request after VirtualService routing has occurred. (Circuit Breaker, Load Balancers, TLS settings, Subset definition)
- VirtualService defines the rules that control how requests for a service are routed within an Istio service mesh.
- ServiceEntry is commonly used to enable requests to services outside of an Istio service mesh.
- Gateway configures a load balancer for HTTP/TCP traffic, most commonly operating at the edge of the mesh to enable ingress traffic for an application.
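An added example (not part of the original slides) tying the VirtualService and DestinationRule bullets together: the VirtualService splits requests between two subsets, and the DestinationRule defines those subsets and applies the post-routing policies listed above (mutual TLS between sidecars, connection limits and outlier detection as a circuit breaker). The service name `reviews` and the `version` labels are assumptions chosen for the example.

```yaml
# Routing: 90/10 split between two subsets of the "reviews" service (assumed name)
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v2
      weight: 10
---
# Policies applied after routing: mTLS, circuit breaker, subset definitions
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL        # sidecar-to-sidecar mutual TLS using Citadel-issued certs
    connectionPool:
      tcp:
        maxConnections: 100      # hard cap on upstream connections
      http:
        http1MaxPendingRequests: 10
        maxRequestsPerConnection: 1
    outlierDetection:            # eject unhealthy endpoints (circuit breaking)
      consecutiveErrors: 5
      interval: 10s
      baseEjectionTime: 30s
  subsets:
  - name: v1
    labels:
      version: v1                # pods carrying label version=v1
  - name: v2
    labels:
      version: v2
```

Apply with `kubectl apply -f`; traffic exceeding the pool limits is rejected by Envoy rather than queued, which is what makes the limits act as a circuit breaker.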
Traffic Management with Istio
Istio Security Architecture
Multiple k8s clusters managed by single Istio instance
K8S OpenStack / Minikube
Terraform, Helm, kubectl, Siege or Docker
3 VMs (one master + 2 nodes)
Central logging -> ELK Operator + rook.io Operator (as shared storage)
Kubernetes and Istio demo
By Petr Ruzicka