Kubernetes

and

Istio

Webinar

Service Mesh - service-to-service communication

Service Mesh's Control Plane

Istio

  • Greek word for "sail"
  • Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection
  • Layer 7 firewall + loadbalancer, ingress, blocking outgoing traffic, tracing, monitoring, logging
  • Policies and Telemetry: Prometheus, StatsD, FluentD and many others...

Istio overview

Istio architecture

  • Envoy - is a high-performance proxy to mediate all inbound and outbound traffic for all services in the service mesh.

 

  • Pilot - provides service discovery for the Envoy sidecars, traffic management capabilities for intelligent routing.

 

  • Mixer - enforces access control and usage policies across the service mesh, and collects telemetry data from the Envoy proxy and other services.

 

  • Citadel - provides strong service-to-service and end-user authentication with built-in identity and credential/certificate management.

 

  • Galley - is Istio's configuration validation, ingestion, processing and distribution component

Istio components

  • DestinationRule - defines policies that apply to traffic intended for a service after routing has occurred.  

 

  • VirtualService - defines a set of traffic routing rules to apply when a host is addressed.

 

  • ServiceEntry is commonly used to enable requests to services outside of an Istio service mesh.

 

  • Gateway configures a load balancer for HTTP traffic, most commonly operating at the edge of the mesh to enable ingress traffic for an application.

Traffic Management with Istio

Istio security overview

Istio Security Architecture

Istio Multicluster

Multiple k8s clusters managed by single Istio instance

Istio multicluster service mesh - Gateway

Istio mesh spanning multiple Kubernetes clusters using Istio Gateway to reach remote pods

Istio multicluster service mesh - VPN

Istio mesh spanning multiple Kubernetes clusters with direct network access to remote pods over VPN

Demo

  • Amazon EKS Cluster

  • awscli, eksctl, helm, kubectl, siege or docker

  • 2 Worker instances

  • Install Helm
  • Install Istio
  • Generate + Use SSL certificates
  • Install Bookinfo demo application consist of multiple microservices
  • Configure Istio Request Routing based on user identity
  • Configure Istio Injecting an HTTP delay fault
  • Configure Istio Injecting an HTTP abort fault
  • Configure Istio - Weight-based routing (Canary Deployments)

Istio in AWS

Istio Webinar

By Petr Ruzicka

Istio Webinar

Istio Webinar presentation

  • 4,119