We’ll explore what a service mesh is and what it can do for your microservices. Are the claims of observability, resiliency, and WAF features real? Are they useful during development, production, or both? Using pictures and demos, we’ll find out!
This session will also briefly cover how a service mesh works, giving us a mental model with which to explore and evaluate after the talk. Matt will show a simple installation and demo, giving us all the knowledge to go home and try it for ourselves.
3. Outline
● Why are we talking about this?
● How did we get here?
● What is a Service Mesh anyway?
● Demo!
● What can a Service Mesh do?
● Common counter-arguments
● So: Do you need a Service Mesh?
28. “A service mesh provides a transparent and language-independent way to flexibly and easily automate application network functions”
- Google (Istio vendor)
Demo figure (header-based routing): three requests to the users service, in order
● Host: users
● Host: users, X-testing: true
● Host: users, sent from Pod.namespace: staging
and three destinations, in order: users-v1, users-v2, users-mock
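The routing shown in the demo figure above can be written down as Istio configuration. This is an added example, not material from the talk or the Istio project: it assumes a Kubernetes Service named users fronting three Deployments labelled version=v1, version=v2 and version=mock, and it guesses that the X-testing header selects v2 and that traffic from the staging namespace selects mock, since the slide only lists the inputs and outputs.

```yaml
# Added example (not from the talk). Assumptions: a Service "users" with
# pods labelled version=v1 / version=v2 / version=mock; the header and
# namespace conditions below are a guess at how the demo was wired.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: users
spec:
  host: users
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: mock
    labels:
      version: mock
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: users
spec:
  hosts:
  - users            # matched against the request's Host header
  http:
  # Rules are evaluated top to bottom; the first match wins.
  - match:
    - headers:
        x-testing:
          exact: "true"
    route:
    - destination:
        host: users
        subset: v2
  - match:
    - sourceNamespace: staging   # caller's namespace, as seen by its sidecar
    route:
    - destination:
        host: users
        subset: mock
  # Default: everything else goes to v1.
  - route:
    - destination:
        host: users
        subset: v1
```

Apply both objects with kubectl apply in the namespace of the users service. The X-testing rule keys on a client-supplied header, so anyone who can set that header on a request steers it to v2; if that subset must not be reachable from outside, strip or validate the header at the ingress gateway rather than trusting it. The sourceNamespace rule, by contrast, is evaluated from the identity the caller's sidecar carries, so it cannot be forged by editing the request.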
49. But I have a WAF!
✅ CORS header injection
❌ Injection attack prevention
50. But I have an APM system!
✅ Logs
✅ Metrics
✅ Tracing
✅ Multiple, arbitrary telemetry backends
❌ JVM, .Net CLR insight
51. But I have an ESB!
✅ Retries etc.
✅ Flexible service discovery / late binding
✅ No client/server distinction; better than a middle proxy
❌ Broadcast / pubsub
56. Istio has wide backing
Google, IBM, Lyft, Red Hat, Cisco, and more
57. Istio and Linkerd are (quite) easy to install
Will be managed soon
Go home and try it!
58. Recap
● Why were we talking about this?
● How did we get here?
● What is a Service Mesh anyway?
● Demo!
● What can a Service Mesh do?
● Common counter-arguments
● So: Do you need a Service Mesh?
61. Objectives
Learn how a packet traverses an Istio/Envoy/Kubernetes system
See what control plane calls are made in that process
Build a useful mental model for reasoning about and debugging Istio
79. Services
$ kubectl get service -o wide service-b
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service-b ClusterIP 10.98.84.169 <none> 80/TCP 90s app=service-b
80. Service DNS exposure
$ dig service-b.default.svc.cluster.local.
;; ANSWER SECTION:
service-b.default.svc.cluster.local. 5 IN A 10.98.84.169
92. IP Router Architecture
Figure: an IP router compared with Istio. Router data plane: a kernel module driven by interrupts, forwarding from the Forwarding Information Base. Router control plane: user processes (OSPF, BGP, ARP, STP) maintaining the Router Information Base. Istio analogue: Envoy as the data plane; Pilot and Mixer as the control plane.
98. Envoy
Figure: Istio architecture. Data plane: an Envoy sidecar beside each of Service A (SvcA) and Service B (SvcB), plus Envoys for ingress and egress. Control plane, reached through the Control Plane API: Pilot (config to Envoys), Mixer (policy checks, telemetry), Citadel (TLS certs to Envoys).
101. Outline
● Context and Introduction
● Networking and Containers
● Pilot and Routing
● Mixer and Policy
● Citadel and mTLS
102. Recap
We learned:
● How a packet traverses an Istio/Envoy/Kubernetes system
● What control plane calls are made in that process
● A useful mental model for reasoning about and debugging Istio