Kubernetes

and

Istio

Webinar

Service Mesh - service-to-service communication

Service Mesh's Control Plane

Istio

  • Greek word for "sail"
  • Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection
  • Layer 7 firewall + loadbalancer, ingress, blocking outgoing traffic, tracing, monitoring, logging
  • Policies and Telemetry: Prometheus, StatsD, FluentD and many others...

Istio overview

Istio architecture

  • Envoy - is a high-performance proxy to mediate all inbound and outbound traffic for all services in the service mesh.

 

  • Pilot - provides service discovery for the Envoy sidecars, traffic management capabilities for intelligent routing.

 

  • Mixer - enforces access control and usage policies across the service mesh, and collects telemetry data from the Envoy proxy and other services.

 

  • Citadel - provides strong service-to-service and end-user authentication with built-in identity and credential/certificate management.

 

  • Galley - is Istio's configuration validation, ingestion, processing and distribution component

Istio components

  • DestinationRule - defines policies that apply to traffic intended for a service after routing has occurred.  

 

  • VirtualService - defines a set of traffic routing rules to apply when a host is addressed.

 

  • ServiceEntry is commonly used to enable requests to services outside of an Istio service mesh.

 

  • Gateway configures a load balancer for HTTP traffic, most commonly operating at the edge of the mesh to enable ingress traffic for an application.

https://istio.io/docs/reference/config/networking/

Traffic Management with Istio

Istio security overview

Istio Security Architecture

Istio Multicluster

Multiple k8s clusters managed by single Istio instance

Istio multicluster service mesh - Gateway

Istio mesh spanning multiple Kubernetes clusters using Istio Gateway to reach remote pods

Istio multicluster service mesh - VPN

Istio mesh spanning multiple Kubernetes clusters with direct network access to remote pods over VPN

Demo

  • Amazon EKS Cluster

  • awscli, eksctl, helm, kubectl, siege or docker

  • 2 Worker instances

https://github.com/ruzickap/k8s-istio-webinar

https://ruzickap.github.com/k8s-istio-webinar

  • Install Helm
  • Install Istio
  • Generate + Use SSL certificates
  • Install Bookinfo demo application consist of multiple microservices
  • Configure Istio Request Routing based on user identity
  • Configure Istio Injecting an HTTP delay fault
  • Configure Istio Injecting an HTTP abort fault
  • Configure Istio - Weight-based routing (Canary Deployments)

Istio in AWS

Istio Webinar

By Petr Ruzicka

Made with Slides.com

Istio Webinar

Istio Webinar presentation

  • 4,159

More from Petr Ruzicka