2019/4/4 Istio Service Mesh Introduction
Istio Service Mesh
Introduction
127.0.0.1:5500/#54 1 / 58
1/58
whoami
Kyohei Mizumoto (@kyohmizu)
C# Software Engineer
Interests
Docker/Kubernetes
Go
Security
Required
Basic knowledge of Kubernetes
Targets
People who:
don't know Service Mesh
have never used Istio
Contents
1. What is Service Mesh?
2. What is Istio?
3. Setup using Istio on GKE
4. Traffic Management
What is Service Mesh?
Microservices?
Loosely coupled
Independently deployable
Organized around business capabilities
Implemented using different programming languages
Continuous delivery/deployment of large, complex applications
Service Mesh?
Describes the network of microservices that make up an application and the interactions between them
Service Discovery
Load Balancing
Failure Recovery
Metrics and Monitoring
Service Mesh?
More complex operational requirements
A/B Testing
Canary Rollouts
Rate Limiting
Access Control
End-to-end Authentication
What is Istio?
Istio
Open source, platform-independent service mesh
Deployed as sidecars in the Pods
CNCF-hosted project (Envoy)
Istio
Connect, secure, control, and observe services
Architecture
Data plane
Envoy
Control plane
Mixer
Pilot
Citadel
Galley
Envoy
A high-performance proxy developed in C++
Deployed as a sidecar in the Kubernetes Pod
Can be added to an existing deployment with no need to rearchitect or rewrite code
Envoy
Features
Dynamic Service Discovery
Load Balancing
TLS Termination
HTTP/2 and gRPC proxies
Envoy
Circuit Breakers
Health Checks
Staged Rollouts with %-based Traffic Split
Fault Injection
Rich Metrics
Mixer
Responsible for providing policy controls and telemetry collection
Enforces access control and usage policies across the service mesh
Collects telemetry data from the Envoy proxy and other services
Includes a flexible plugin model
Pilot
Provides service discovery for Envoy sidecars
Traffic management capabilities for intelligent routing (e.g. A/B tests, canary rollouts)
Resiliency (e.g. timeouts, retries, circuit breakers)
Citadel
Strong service-to-service/end-user authentication with built-in identity and credential management
Galley
Istio’s configuration validation, ingestion, processing and distribution component
Setup using Istio on GKE
Set IAM
Set the default compute service account to include:
roles/container.admin (Kubernetes Engine Admin)
Editor (on by default)
Create a Cluster
Need 4 nodes
Check "Enable Istio (beta)" on Advanced options
Istio Resources
$ kubectl get svc -n istio-system
or
$ kubectl get po -n istio-system
Install Istio
1. Go to the Istio release page to download the installation file
2. Extract the downloaded installation file
3. Change directory to the root of the Istio installation
4. Add the istioctl client to the PATH:
$ export PATH=$PWD/bin:$PATH
Sample Application
Bookinfo
[Diagram of the Bookinfo services: Product page, Details, Reviews-v1, Reviews-v2, Reviews-v3, Ratings]
Bookinfo
4 separate microservices:
Productpage
Details
Reviews
Ratings
Bookinfo
3 versions of the Reviews microservice:
Version v1
doesn’t call the ratings service
Version v2
calls the ratings service, and displays black stars
Version v3
calls the ratings service, and displays red stars
Deploy
Enable automatic sidecar injection:
$ kubectl label namespace default \
istio-injection=enabled
Deploy the application using kubectl:
$ kubectl apply -f \
samples/bookinfo/platform/kube/bookinfo.yaml
Resources
Confirm all services and pods are running:
$ kubectl get po,svc
Define Ingress Gateway
$ kubectl apply -f \
samples/bookinfo/networking/bookinfo-gateway.yaml
$ kubectl get gateway
NAME AGE
bookinfo-gateway 17s
Control Ingress Traffic
Httpbin
HTTP testing service that can be used for experimenting with all kinds of Istio features
$ kubectl apply -f samples/httpbin/httpbin.yaml
Set variables
Set the ingress IP and ports:
$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway \
-o jsonpath='{.status.loadBalancer.ingress[0].ip}')
$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway \
-o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service \
istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
Create an Istio Gateway
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
EOF
Configure routes
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway
  http:
  - match:
    - uri:
        prefix: /headers
    route:
    - destination:
        port:
          number: 8000
        host: httpbin
EOF
Virtual Service
Contains the route rule that allows traffic for the /headers path prefix
All other external requests will be rejected (the gateway has no route for them)
$ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
$ curl -I http://$GATEWAY_URL/headers
HTTP/1.1 200 OK
...
$ curl -I http://$GATEWAY_URL/status
HTTP/1.1 404 Not Found
...
Bookinfo Web Page
http://$GATEWAY_URL/productpage
Bookinfo Web Page
If you refresh the page several times, you should see different versions of reviews shown in productpage, presented in a round robin style:
red stars
black stars
no stars
This is because we haven’t yet used Istio to control the version routing.
Apply default destination rules
Create default destination rules for the Bookinfo services:
$ kubectl apply -f \
samples/bookinfo/networking/destination-rule-all.yaml
Display the destination rules:
$ kubectl get destinationrules -o yaml
Traffic Management
Request routing
Introduces the concept of a service version:
Versions (v1, v2)
Environment (staging, prod)
The service version is chosen dynamically based on routing rules that are specified through Pilot
Request routing
Route to v1:
$ kubectl apply -f \
samples/bookinfo/networking/virtual-service-all-v1.yaml
Display the defined routes:
$ kubectl get virtualservices -o yaml
Discovery and load balancing
HTTP traffic is automatically re-routed through Envoy
3 load balancing modes:
Round robin
Random
Weighted least request
Checks the health of each instance
Discovery and load balancing
Apply weight-based routing:
Transfer 50% of the traffic from reviews:v1 to reviews:v3
$ kubectl apply -f \
samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml
Route based on user identity:
$ kubectl apply -f \
samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
Handling failures
Timeouts
Bounded retries with timeout budgets and variable jitter between retries
Limits on the number of concurrent connections and requests to upstream services
Active (periodic) health checks on each member of the load balancing pool
Fine-grained circuit breakers (passive health checks)
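The failure-handling settings above map onto two Istio resources. The following is an added example for the Bookinfo "reviews" service, not a file from the Istio samples; it assumes the pods carry the version=v1/v2/v3 labels used by destination-rule-all.yaml, and since a DestinationRule with the same name replaces the sample's rule, it keeps all three subsets.

```yaml
# Added example (not from the original slides): timeouts and retries live in
# the VirtualService, connection limits and circuit breaking in the DestinationRule.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v2
    timeout: 3s          # overall budget for the request, retries included
    retries:
      attempts: 2        # bounded retries, never unlimited
      perTryTimeout: 1s  # each attempt gets its own, shorter deadline
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:   # keep the sample's three subsets so other routes still resolve
  - {name: v1, labels: {version: v1}}
  - {name: v2, labels: {version: v2}}
  - {name: v3, labels: {version: v3}}
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100          # cap concurrent connections upstream
      http:
        http1MaxPendingRequests: 10  # cap queued requests; excess fail fast
        maxRequestsPerConnection: 10
    outlierDetection:                # circuit breaker = passive health check
      consecutiveErrors: 5           # eject a pod after 5 consecutive 5xx
      interval: 10s                  # how often the pool is re-evaluated
      baseEjectionTime: 30s          # ejected pods stay out at least 30s
      maxEjectionPercent: 50         # never eject more than half the pool
```

Apply with kubectl apply -f and inspect the result with kubectl get destinationrules -o yaml, as on the earlier slides.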
Fault injection
Tests the end-to-end failure recovery capability
Protocol-specific fault injection into the network, instead of deleting pods or delaying/corrupting packets
2 types of faults:
Delays: timing failures (increased network latency, overloaded upstream service)
Aborts: crash failures (HTTP error codes, TCP connection failures)
Canary rollout
Introduce a new version of a service by first testing it using a small percentage of user traffic.
Kubernetes provides features that support canary rollout:
Uses instance scaling to manage the traffic distribution
Only supports a simple (random percentage) canary rollout
Canary rollout
With Istio:
The number of pods is orthogonal to the control of version traffic routing
Control fine-grained traffic percentages (e.g. route 1% of traffic without requiring 100 pods)
Control traffic using other criteria (e.g. route traffic for specific users)
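The weight-based and user-based routing from the Traffic Management slides and the Istio canary described here are the same mechanism. The following is an added example for the Bookinfo "reviews" service, not one of the Istio sample files; it assumes the pods carry version=v1/v2/v3 labels and that productpage forwards the login name in an end-user header, and the user name "jason" is a constructed test value.

```yaml
# Added example (not from the original slides): name the versions as
# subsets, send named testers to the canary, give everyone else 1% of it.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:            # one subset per Deployment, selected by label
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  # Rules are evaluated in order; the first match wins.
  # 1) Route by identity: the constructed tester always gets the canary.
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v3
  # 2) Everyone else: 1% to v3, 99% to v1, regardless of pod counts.
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 99
    - destination:
        host: reviews
        subset: v3
      weight: 1
```

Changing the two weights (and nothing else) moves the rollout forward; the v3 Deployment can stay at one replica until the weight justifies scaling it.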
Books
Links
Microservice Architecture
https://microservices.io/index.html
Istio.io
https://istio.io/
Istio Solutions | Google Cloud
https://cloud.google.com/istio/
Istio Service Mesh Introduction (Japanese slides)
https://www.slideshare.net/yokawasa/istio-114360124
Links
Installing Istio on GKE
https://cloud.google.com/istio/docs/istio-on-gke/installing
Install Istio on the Google Kubernetes Engine
https://istio.io/docs/setup/kubernetes/install/platform/gke/
Bookinfo Application
https://istio.io/docs/examples/bookinfo/
Thank You!