With microservices and containers becoming mainstream, container orchestrators provide much of what the cluster (nodes and containers) needs. With container orchestrators' core focus on scheduling, discovery, and health at an infrastructure level, microservices are left with unmet, service-level needs, such as:
- Traffic management, routing, and resilient and secure communication between services
- Policy enforcement, rate-limiting, circuit breaking
- Visibility and monitoring with metrics, logs, and traces
- Load balancing and rollout/canary deployment support
Service meshes provide for these needs. In this session, we will dive into Istio - its components, capabilities, and extensibility. Istio envelops and integrates with other open source projects to deliver a full-service mesh. We'll explore these integrations and Istio's extensibility in terms of choice of proxies and adapters, such as nginMesh.
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
Istio: Using nginMesh as the service proxy
1. IstioIstio
February 2018
Lee Calcote
as the service proxyas the service proxynginMeshnginMesh
calcotestudios.com/talks
the extensible service meshthe extensible service mesh
4. BenefitsBenefits
The first few services are relatively easy
Democratization of language and technology
choice
Faster delivery, service teams running
independently, rolling updates
@lcalcote
ChallengesChallenges
The next 10 or so may introduce pain
Language and framework specific libraries
Distributed environments, ephemeral
infrastructure, out-moded tooling
5. Which is why...Which is why...
I have a container I have a container
orchestrator.orchestrator.
@lcalcote
6. CoreCore
CapabilitiesCapabilities
Cluster Management
Host Discovery
Host Health Monitoring
Scheduling
Orchestrator Updates and Host
Maintenance
Service Discovery
Networking and Load-Balancing
Stateful services
Multi-tenant, multi-region
AdditionalAdditional
Key CapabilitiesKey Capabilities
Application Health & Performance
Monitoring
Application Deployments
Application Secrets
@lcalcote
7. What do we need?What do we need?
• Observability
• Logging
• Metrics
• Tracing
• Traffic Control
• Resiliency
• Efficiency
• Security
• Policy
@lcalcote
a Service Mesha Service Mesh
8. What is a Service Mesh?What is a Service Mesh?
a dedicated layer for managing service-to-service
communication
@lcalcote
so, a microservices platform?
obviously.
Orchestrators don't bring all that you need
and neither do service meshes,
but they do get you closer.
Missing: application lifecycle management, but not by much
partially.
a services-first networka services-first network
Missing: distributed debugging; provide nascent visibility (topology)
10. Why use a Service Mesh?Why use a Service Mesh?
to avoid...
Bloated service code
Duplicating work to make services production-ready
load balancing, auto scaling, rate limiting, traffic routing, ...
Inconsistency across services
retry, tls, failover, deadlines, cancellation, etc, for each language, framework
silo'ed implementations lead to fragmented, non-uniform policy application and difficult debugging
Diffusing responsibility of service management
@lcalcote
11. Help with ModernizationHelp with Modernization
@lcalcote
Can modernize your IT inventory without:
Rewriting your applications
Adopting microservices, regular services are fine
Adopting new frameworks
Moving to the cloud
Address the long-tail of IT services
Get there for free
12. What is Istio?What is Istio?
An open platform to connect, manage, and secure microservices
@lcalcote
Observability
Resiliency
Traffic Control
Security
Policy Enforcement
istio.io github.com/istio@IstioMesh
13. ObservabilityObservability
is what gets people hooked on service metrics
@lcalcote
GoalsGoals
Metrics without instrumenting apps
Consistent metrics across fleet
Trace flow of requests across services
Portable across metric backend
providers
You get a metric! You get a metric! Everyone gets a metric!
14. Traffic ControlTraffic Control
control over chaos
@lcalcote
Traffic splitting
L7 tag based routing?
Traffic steering
Look at the contents of a request and
route it to a specific set of instances.
Ingress and egress routing
ResilencyResilency
Systematic fault injection
Timeouts and Retries with timeout
budget
Circuit breakers and Health checks
Control connection pool size and
request load
content-based traffic steering
16. IstioIstio
ArchitectureArchitecture
@lcalcote
ControlPlaneDataPlane
Touches every packet/request in the system. Responsible
for service discovery, health checking, routing, load
balancing, authentication, authorization and
observability.
Provides policy and configuration for services in the mesh.
Takes a set of isolated stateless sidecar proxies and turns
them into a distributed system.
Does not touch any packets/requests in the system.
17. IstioIstio
ArchitectureArchitecture
@lcalcote
Pilot Auth Mixer
ControlPlaneDataPlane
istio-system namespace
policycheck
Foo Pod
Proxy sidecar
Service Foo
tlscerts
discovery&config
Foo Container
Bar Pod
Proxy sidecar
Service Bar
Bar Container
Out-of-band
telemetry
propagation
telemetry
reports
Control flow
during request
processing
application traffic
application
traffic
application namespace
telem
etry
reports
18. What's Pilot for?What's Pilot for?
@lcalcote
provides service discovery to sidecars
manages sidecar configuration
Pilot Auth
Control Plane
the head of the ship
Mixer
istio-system namespace
system of record for service mesh
}provides abstraction from underlying platforms
19. What's Mixer for?What's Mixer for?
Point of integration with infrastructure backends
Intermediates between Istio and backends, under operator control
Enables platform & environment mobility
Responsible for policy evaluation and telemetry reporting
Provides granular control over operational policies and telemetry
Has a rich configuration model
Intent-based config abstracts most infrastructure concerns
@lcalcote
Pilot Auth Mixer
Control Plane istio-system namespace
an attribute-processing and routing machine
operator-focused
1. Precondition checking
2. Quota management
3. Telemetry reporting
20. What's Auth for?What's Auth for?
@lcalcote
Verifiable identity
Issues certs
Certs distributed to service proxies
Mounted as a Kubernetes secret
Secure naming / addressing
Traffic encryption
Pilot Auth
Control Plane
security at scale
Mixer
istio-system namespace
security by default
Orchestrate Key & Certificate:
Generation
Deployment
Rotation
Revocation
21. Service Proxy SidecarService Proxy Sidecar
A C++ based L4/L7 proxy
Low memory footprint
In production at Lyft
@lcalcote
Capabilities:
API driven config updates no reloads
Zone-aware load balancing w/ failover
Traffic routing and splitting
Health checks, circuit breakers, timeouts,
retry budgets, fault injection…
HTTP/2 & gRPC
Transparent proxying
Designed for observability
the included battery
DataPlane
Pod
Proxy sidecar App Container
23. AppOptics
@lcalcote
Uses pluggable adapters to extend its functionality
Adapters run within the Mixer process
Adapters are modules that interface to
infrastructure backends
(logging, metrics, quotas, etc.)
Multi-interface adapters are possible
(e.g. AppOptics adapter exposing logs & metrics)
Mixer AdaptersMixer Adapters
sending telemetry
Papertrail
Prometheus
Grafana
Fluentd
Statsd
24. Swapping Proxies - Envoy, Linkerd, Nginx, Conduit
@lcalcote
Forms of ExtensionsForms of Extensions
25. Why use another service proxy?Why use another service proxy?
Based on your operational expertise and need for battle-tested
proxy. You may be looking for caching, WAF or other
functionality available in NGINX Plus.
If you're already running Linkerd and want to start
adopting Istio control APIs like CheckRequest.
@lcalcote
Conduit not currently designed a general-purpose proxy, but
lightweight and focused with extensibility via gRPC plugin.
26. nginMeshnginMesh
https://github.com/nginmesh
Currently
Support for rules, policies, mtls
encryption, monitoring & tracing
Compatible with Mixer adaptors
Transparent sidecar injection
Compatible with Istio 0.3.0
@lcalcote
Roadmap
Support for gRPC traffic
Support for ingress proxy
Support for Quota Checks
Expanding the mesh beyond
Kubernetes
See sidecar-related limitations as well as supported traffic management rules --> .here
Considered beta quality
Soliciting feedback and participation from community
27. Istio &Istio &
nginMeshnginMesh
Architecture
@lcalcote
Pilot Auth Mixer
ControlPlane
agent
Translator agent Istio to Nginx (in go)
Loadable module Nginx to Mixer (in rust)
config file
DataPlane "istio-proxy"
container
routerules
istio-system
namespace
check
report
Mixer
Module
dest
module
listener
tcp
http
tcp server
Out-of-band
telemetry
propagation
Control flow
during request
processing
application
traffic
application traffic
http servers
32. DemoDemo
running nginMesh
@lcalcote
echo "http://$(kubectl get nodes -o template --template='{{range.items}}{{range.status.addresses}}{{if eq .
See "reviews" v1, v2 and v3
# From Docker's perspective
docker ps | grep nginmesh
# From Kubernetes' perspective
kubectl get po
kubectl describe
Verify nginMesh deployment
# exec into 'istio-proxy'
kubectl exec -it pod -c istio-proxy /bin/bash
Connect to Nginx sidecar
33. @lcalcote
#takes every request/response and sends to Mixer control plane
See load_module /etc/nginx/modules/ngx_http_istio_mixer_module.so;
# Mixer adapters for telemetry
docker run --rm istio/fortio load -c 1 -t 10m
`echo "http://$(kubectl get nodes -o template --template='{{range.items}}{{range.status.addresses}}{{if eq .type
Verify mesh configuration
DemoDemo
running nginMesh
#Deploy new configuration to Nginx
istioctl create -f route-rule-all-v1.yaml
istioctl delete -f route-rule-all-v1.yaml
#A/B testing for a user
kubectl apply -f route-rule-reviews-test-v2.yaml
#More for user 'lee'
kubectl exec -it pod -c istio-proxy /bin/bash
more /etc/istio/proxy/conf.d/http_0.0.0.0_9080.conf
Apply traffic routing policySee Mixer telemetry
34. Lee CalcoteLee Calcote
Thank you. Questions?Thank you. Questions?
clouds, containers, functions,
applications and their management
linkedin.com/in/leecalcote
@lcalcote
gingergeek.com
calcotestudios.com/talks
github.com/leecalcote
lee@calcotestudios.com