Kubernetes
and
Istio
demo
Service Mesh - service-to-service communication
Service Mesh's Control Plane
Istio
- Greek word for "sail"
- Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection
- Layer 7 firewall + loadbalancer, ingress, blocking outgoing traffic, tracing, monitoring, logging
- Policies and Telemetry: Prometheus, StatsD, FluentD and many others...
Istio
Istio architecture
- Envoy - is a high-performance proxy to mediate all inbound and outbound traffic for all services in the service mesh.
- Pilot - provides service discovery for the Envoy sidecars, traffic management capabilities for intelligent routing.
- Mixer - enforces access control and usage policies across the service mesh, and collects telemetry data from the Envoy proxy and other services.
- Citadel - provides strong service-to-service and end-user authentication with built-in identity and credential management.
Istio types
- DestinationRule configures the set of policies to be applied to a request after VirtualService routing has occurred. (Circuit Breaker, Load Balancers, TLS settings, Subset defintion)
- VirtualService defines the rules that control how requests for a service are routed within an Istio service mesh.
- ServiceEntry is commonly used to enable requests to services outside of an Istio service mesh.
- Gateway configures a load balancer for HTTP/TCP traffic, most commonly operating at the edge of the mesh to enable ingress traffic for an application.
Traffic Management with Istio
Istio Security Architecture
Istio Multicluster
Multiple k8s clusters managed by single Istio instance
Demo
-
K8S OpenStack / Minikube
-
Terrafrom, Helm, kubectl, Siege or Docker
-
3 VMs (one master + 2 nodes)
-
Central loggin -> ELK Operator + rook.io Operator (as shared storage)
Kubernetes and Istio demo
By Petr Ruzicka
Kubernetes and Istio demo
- 2,618