CONFIDENTIAL Designator
OpenShift 4.x Architecture Workshop
Istio Service Mesh
July 2019
Microservices: Benefits and Challenges
MICROSERVICES ARCHITECTURE: DISTRIBUTED
[Diagram: the three tiers of a monolith (HTML/JavaScript web tier, application server, data access) each split into many independent services, every service running in its own runtime.]
3 ISTIO WEBINAR
DISTRIBUTED COMPUTING CHALLENGES
Fallacies of Distributed Computing
● The network is reliable.
● Latency is zero.
● Bandwidth is infinite.
● The network is secure.
● Topology doesn't change.
● There is one administrator.
● Transport cost is zero.
● The network is homogeneous.
wikipedia.org/wiki/Fallacies_of_distributed_computing
DISTRIBUTED ARCHITECTURE
[Diagram: a grid of independently deployed services that talk to each other only over the network.]
MICROSERVICES ARE HARD
[Diagram: a client request to service A fans out through a chain of services B through I.]
Because applications must deal with:
● Unpredictable failures
● End-to-end application correctness
● System degradation
● Topology changes
● Elastic/ephemeral/transient resources
● Distributed logs
● The fallacies of distributed computing
AN EXAMPLE
[Diagram: a retailer's product page for an "ACME Laptop" (128GB SSD, 8GB RAM, Core i3, Windows 10, touchscreen) assembled from separate services: a Pricing Engine ($323.5), Reviews (6 reviews), Details/Specifications, location-based availability for in-store pickup (15 available at Raleigh, Central Ave, Store #1123) and Recommendations ("People who purchased also...").]
CHAINING
[Diagram: one page request fans out through a chain of dependent services.]
CHAINING (FAILURE)
[Diagram: one service in the chain fails.]
CHAINING (CASCADING FAILURE)
[Diagram: every caller blocked on the failed service fails in turn (marked X), and the failure cascades back up the chain to the client.]
Traditional Approaches
POSSIBLE SOLUTIONS
Have your developers do this:
● Circuit Breaking
● Bulkheading
● Timeouts/Retries
● Service Discovery
● Load Balancing
● Traffic Control
[Diagram: a JVM service container in the Netflix OSS style. The app logic is wrapped in one library per concern: discovery (Eureka), client-side load balancing (Ribbon), resiliency (Hystrix), edge routing (Zuul), dynamic configuration (Archaius), plus metrics and tracing.]
Need a library to support each language/framework combination
WHAT ABOUT…?
● Polyglot apps
● Existing apps
Kubernetes exacerbates the problem
The trends of containerization, microservices and hybrid/multi-cloud deployments have created more distributed applications than ever. This has left enterprises unable to connect, observe, secure or control their services in a consistent way.
Enter the service mesh
SERVICE MESH
A dedicated network layer for service-to-service communication
A better way with a service mesh
A service mesh provides a transparent and language-independent network for connecting, observing, securing and controlling the connectivity between services.
[Diagram: before (...2014), each service carries its own tracing, circuit breaker, routing, service discovery and config logic on top of the container platform; after (2018), that logic moves into the platform (container platform + service mesh) and the service contains only its business logic.]
ISTIO’S CAPABILITIES AT 10,000 FEET
Traffic Management.
Rules and traffic routing let you control the flow of traffic and API calls between services.
Service Identity and Security.
Enforce service identity and security consistently across diverse protocols and runtimes with little or no application change.
Policy Enforcement.
Apply policies to the interaction between services and ensure they are enforced. Changes are made by configuring the mesh, not by changing application code.
Observability.
Gain understanding of the dependencies between services and the nature and flow of traffic between them, providing the ability to quickly identify and fix issues.
MICROSERVICES WITH ISTIO
connect, manage, and secure microservices transparently
[Diagram: three pods (App/Service A, B and C), each holding a microservice container and a sidecar container that carries the Istio logic; all traffic between the services flows sidecar to sidecar.]
WHAT IS A SIDECAR?
A proxy instance that abstracts common logic away from individual services
SIDECAR PATTERN
[Diagram: a pod containing the app container and a sidecar container.]
● A utility container in the same pod to enhance the main container’s functionality
● Shares the same network namespace and lifecycle as the main container
● Istio uses an Istio Proxy (L7 proxy) sidecar to proxy all network traffic between apps
ISTIO PROVIDES BOTH CONTROL AND DATA PLANES
The data plane is composed of a set of intelligent proxies (Envoy) deployed as sidecars that mediate and control all network communication between microservices.
The control plane is responsible for managing and configuring the proxies to route traffic, as well as enforcing policies at runtime.
[Diagram: data plane of four pods, each an app container with an Envoy sidecar; the control plane beneath it configures every proxy.]
COMPONENTS OF ISTIO
Envoy, originally from Lyft, is an intelligent proxy: highly parallel and non-blocking, with network filtering, service discovery and health checking, dynamically configurable. It’s the sidecar.
Pilot, the component responsible for managing a distributed deployment of Envoy proxies in the service mesh: intelligent routing, traffic management, resiliency.
Mixer, which provides the policy and access control mechanisms within the service mesh: monitoring, reporting, quotas; plugin-based.
Citadel, which controls service-to-service traffic based on origin and user: key management and certificate authority, issuing the per-workload certificates that the sidecars use for mutual TLS.
[Diagram: data plane of Envoy sidecars, one beside each app in its pod; control plane of Pilot, Mixer and Citadel.]
WHAT DOES CONNECT MEAN?
[Diagram: a client routed between two versions of the same service, Version=1.2.3 and Version=1.2.4.]
Discovery and Routing: decoupled from infrastructure, load balancing modes, dynamic routing...
Advanced Deployments: A/B testing, gradual rollouts, canary releases, mirroring...
Failure, Health, and Testing: timeouts, retries, circuit breakers, fault injection, active health checks...
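As an added example (not from the deck, and not Istio's own sample config), the three bullets above as Istio 1.0 `networking.istio.io/v1alpha3` resources for a hypothetical `catalog` service with two versions. The service name, the `v1`/`v2` subsets and the `x-canary`/`x-test-fault` headers are assumptions; everything else is the upstream API.

```yaml
# Added example; catalog, its v1/v2 subsets and the x-canary / x-test-fault
# headers are assumed names.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: catalog
spec:
  host: catalog
  subsets:                       # discovery: endpoints are grouped by pod label
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  trafficPolicy:
    loadBalancer:
      simple: LEAST_CONN         # load balancing mode
    connectionPool:              # bulkheading: bound the work piled onto catalog
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 10
        maxRequestsPerConnection: 1
    outlierDetection:            # circuit breaking: eject endpoints that keep failing
      consecutiveErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: catalog
spec:
  hosts:
  - catalog
  http:
  - match:                       # A/B: testers sending the header always get v2
    - headers:
        x-canary:
          exact: "true"
    route:
    - destination:
        host: catalog
        subset: v2
  - match:                       # fault injection, only for tagged test traffic
    - headers:
        x-test-fault:
          exact: "delay"
    fault:
      delay:
        percent: 100
        fixedDelay: 5s
    route:
    - destination:
        host: catalog
        subset: v1
  - route:                       # canary: 90/10 split for everyone else
    - destination:
        host: catalog
        subset: v1
      weight: 90
    - destination:
        host: catalog
        subset: v2
      weight: 10
    timeout: 2s                  # overall deadline for the call
    retries:
      attempts: 3
      perTryTimeout: 500ms       # 3 x 500ms fits inside the 2s deadline
```

Apply with `oc apply -f` and the sidecars pick it up without restarting the application. The mesh retries whatever the rule matches, so keep retries off routes that carry non-idempotent writes, and note that the header-matched fault route lets anyone who can reach the service trigger the delay: restrict it to test namespaces or remove it outside test runs.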
HOW DO YOU SECURE SERVICES?
Security by default: no changes needed for application code and infrastructure
Defense in depth: integrate with existing security systems to provide multiple layers of defense
Zero-trust network: build security solutions on untrusted networks
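As an added example (not the deck's own config), the zero-trust column in Istio 1.0 terms: mesh-wide mutual TLS using the certificates Citadel issues, a permissive exception while existing apps migrate, and service-to-service authorization keyed on the workload identity in those certificates. The `shop` and `legacy` namespaces, the `pricing` service and the `productpage` service account are assumed names.

```yaml
# Added example; the shop and legacy namespaces, the pricing service and the
# productpage service account are assumed names.
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy                  # mesh-wide: every sidecar requires mTLS (STRICT)
metadata:
  name: default
spec:
  peers:
  - mtls: {}
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule             # clients must originate mTLS as well, or they get 503s
metadata:
  name: default
  namespace: istio-system
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: authentication.istio.io/v1alpha1
kind: Policy                      # namespace exception while legacy apps migrate
metadata:
  name: default
  namespace: legacy
spec:
  peers:
  - mtls:
      mode: PERMISSIVE            # accept plaintext and mTLS during the migration
---
apiVersion: rbac.istio.io/v1alpha1
kind: RbacConfig                  # deny by default, but only in the shop namespace
metadata:
  name: default
  namespace: istio-system
spec:
  mode: ON_WITH_INCLUSION
  inclusion:
    namespaces: ["shop"]
---
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRole                 # the one thing a reader of pricing may do
metadata:
  name: pricing-reader
  namespace: shop
spec:
  rules:
  - services: ["pricing.shop.svc.cluster.local"]
    methods: ["GET"]
    paths: ["/price/*"]
---
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  name: productpage-reads-pricing
  namespace: shop
spec:
  subjects:
  - user: "cluster.local/ns/shop/sa/productpage"   # identity from the Citadel-issued cert
  roleRef:
    kind: ServiceRole
    name: pricing-reader
```

Two caveats a practitioner should keep in mind. The authorization decision is taken by the destination's sidecar and keyed on the peer certificate, so it only means something once STRICT mTLS is in effect; under PERMISSIVE a plaintext caller arrives with no principal at all. And with the mesh-wide `ISTIO_MUTUAL` rule in place, calls from the mesh to workloads that have no sidecar need a narrower DestinationRule with `tls.mode: DISABLE`, otherwise the proxy tries to speak TLS to a plaintext port.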
WHAT CAN YOU CONTROL?
Restrict someservice to 2 requests per second per client (the overrides block of a Mixer memquota handler; what the count is keyed on, typically the client IP and the destination, is decided by the quota instance's dimensions):
quotas:
- name: requestcount.quota.istio-system
  maxAmount: 5000            # default for every other destination
  validDuration: 1s
  overrides:
  - dimensions:
      destination: someservice
    maxAmount: 2
    validDuration: 1s        # 2 requests per second for someservice
Apply the quota only to requests that carry no user= cookie, so signed-in users are exempt (the match expression of the rule that invokes the handler):
match(request.headers["cookie"], "user=*") == false
Set and Check Policy: open-ended, connection limits, rate limits, simple denials, lists
HOW CAN YOU OBSERVE?
Understand how your services are operating: Metrics, tracing, network visibility
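As an added example (not the deck's own config), a custom Istio 1.0 Mixer metric that counts requests per caller identity, destination workload and response code and exports it through the Prometheus adapter; that gives the "who is calling what, and how often is it refused" view that a security team wants from the mesh. The resource names are assumptions; the attributes are standard Mixer attributes.

```yaml
# Added example; the resource and metric names are assumed.
apiVersion: config.istio.io/v1alpha2
kind: metric
metadata:
  name: requestsbyprincipal
  namespace: istio-system
spec:
  value: "1"                                          # one count per request
  dimensions:
    source_principal: source.principal | "unknown"    # mTLS identity of the caller
    destination: destination.workload.name | "unknown"
    response_code: response.code | 200
  monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: config.istio.io/v1alpha2
kind: prometheus
metadata:
  name: requestsbyprincipalhandler
  namespace: istio-system
spec:
  metrics:
  - name: requests_by_principal                       # exported as istio_requests_by_principal
    instance_name: requestsbyprincipal.metric.istio-system
    kind: COUNTER
    label_names:
    - source_principal
    - destination
    - response_code
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: requestsbyprincipalprom
  namespace: istio-system
spec:
  match: context.protocol == "http" || context.protocol == "grpc"
  actions:
  - handler: requestsbyprincipalhandler.prometheus
    instances:
    - requestsbyprincipal.metric
```

With this in place a query such as `sum by (source_principal, destination) (rate(istio_requests_by_principal{response_code="403"}[5m]))` shows which workload identity is repeatedly being denied by which service, which is the signal to alert on when an RBAC policy is in force. `source_principal` is only populated for callers that arrived over mutual TLS; plaintext callers show up as `unknown`, which is itself worth watching while a mesh is still in PERMISSIVE mode.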
ISTIO AVAILABILITY
Istio 1.0!
● After over a year of work
● ~200 developers
● Google, IBM, VMware, Cisco, Red Hat, others...
● Adapters for many monitoring systems
Istio on OpenShift
● Available in Dev Preview today (3.10)
● GA coming soon (4.1)
ISTIO ON OPENSHIFT
● Istio on OpenShift is an “operator-first” product (using the Operator Framework)
○ https://github.com/Maistra/istio-operator
○ The operator manages the install (and, eventually, updates)
○ Istio is delivered as containers, not RPMs
TRY IT YOURSELF
https://learn.openshift.com/servicemesh/