SERVICE MESH

ISTIO

Julien Bisconti

SRE / Data Engineer


contact

g.dev/julien

slides: bisconti.cloud

How long

from monolith to microservices?

8 fallacies of distributed computing

  1. The network is reliable.
  2. Latency is zero.
  3. Bandwidth is infinite.
  4. The network is secure.
  5. Topology doesn't change.
  6. There is one administrator.
  7. Transport cost is zero.
  8. The network is homogeneous.

source (wikipedia)
RFC 1925 ( 12 Networking Truths )

Deployment

Containers: lightweight VMs

  • 12 factor app
  • easier deploy
  • reproducible build


but ...

Deployment concerns

  • Scaling up and down
  • Redundancy
  • Scheduling / Orchestration
  • Service Discovery
  • Resiliency
  • Rolling out and back
  • Health checks
  • Secret and config

➡️ kubernetes

but ...

Kubernetes concerns

  • Logging
  • Tracing
  • Metrics
  • Dependency visualisation
  • Service identity and Auth
  • Circuit breaking
  • Traffic flow and policies
  • Failover
  • Fault injection
  • ...


➡️ use code?

drawbacks

  • combination language/framework/version/feature
  • maintain, upgrade, migrate, retire
  • code pollution and complexity (+ testing)
  • deployment / rolling update
  • language/framework/version lock-in
  • debugging


➡️ move it to the infrastructure

Data plane

envoy proxy
The network should be transparent to applications.
When network and application problems do occur it should be easy to determine the source of the problem.

DEMO

ENVOY

The overall architecture of an Istio-based application.

How to manage a fleet of envoy proxies?

Service Mesh

CONNECT

SECURE

CONTROL

OBSERVE


VIDEO: Istio a la carte by Dan Ciruli

What is a service mesh

What problems does it solve


Communication between services


A network for services, not bytes

How does it solve inter service communication

The overall architecture of an Istio-based application.

What's in the code


# The application only knows its downstream services by plain DNS names.
# There is no retry, timeout, TLS or routing logic here: all of that is
# handled by the sidecar proxy, outside the application code.
details = {
    "name" : "http://details:9080",
    "endpoint" : "details",
    "children" : []
}
ratings = {
    "name" : "http://ratings:9080",
    "endpoint" : "ratings",
    "children" : []
}
  
source code

Traffic Management


apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
  ...
spec:
  hosts:
  - reviews
  http:
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v2
  - route:
    - destination:
        host: reviews
        subset: v1

Resiliency


apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v2
      retries:
        attempts: 3
        perTryTimeout: 2s
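The two VirtualServices above route to subsets v1 and v2 of the reviews host, but a subset only exists once a DestinationRule declares it. The following DestinationRule is an added example, not a slide from the talk nor a file from the Istio Bookinfo sample; it assumes the reviews pods carry a `version` label with values `v1` and `v2`, and it also shows where circuit breaking lives: the connection pool limits and outlier detection in `trafficPolicy` eject a pod that keeps returning 5xx, so retries do not keep hammering a broken replica.

```yaml
# Added example: declares the subsets that the VirtualService routes refer to,
# and adds circuit breaking for the reviews service.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  trafficPolicy:
    # Bound the load one client can put on reviews so a slow upstream
    # cannot exhaust the sidecar's connections.
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 100
        maxRequestsPerConnection: 10
    # Circuit breaking: after 5 consecutive 5xx responses a pod is removed
    # from the load-balancing pool for 30s, at most half the pool at once.
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
  # Subsets are assumed to map to the pod label version=v1 / version=v2.
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
```

Retries and circuit breaking interact: `attempts: 3` with `perTryTimeout: 2s` means a single client request can occupy the pool for up to 6s, so the `connectionPool` limits should be sized with the retry budget in mind, otherwise retries amplify an outage instead of absorbing it.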

Security

  • namespace-level and service-level policies
  • mutual TLS Authentication
  • role-based access control (RBAC)
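The three security bullets map onto two Istio resources. The manifests below are an added example, not part of the talk; they use the newer `security.istio.io/v1beta1` API rather than the `v1alpha3` networking API shown on the other slides, and they assume the Bookinfo services run in the `default` namespace, that reviews pods carry the label `app: reviews`, and that productpage runs under a service account named `bookinfo-productpage`.

```yaml
# Added example. Namespace-level policy: every workload in the namespace must
# present a client certificate issued by the mesh (mutual TLS); plaintext
# connections from outside the mesh are rejected instead of tolerated.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
---
# Service-level policy (RBAC): only the productpage service account may call
# reviews, and only with GET. The caller's identity is the SPIFFE ID taken
# from its mTLS certificate, not an IP address or a request header, so it
# cannot be spoofed by a pod that merely shares the network.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      app: reviews
  action: ALLOW
  rules:
  - from:
    - source:
        # Assumed service account name; principals have the form
        # <trust-domain>/ns/<namespace>/sa/<service-account>.
        principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
    to:
    - operation:
        methods: ["GET"]
```

Two caveats a practitioner wants here. Once any ALLOW policy selects a workload, every request that matches no rule is denied, so a misspelled principal or namespace silently cuts reviews off from all callers; roll it out on one service first and watch the sidecar access logs for 403s. And the AuthorizationPolicy only has a verifiable identity to check because PeerAuthentication is STRICT: in PERMISSIVE mode a plaintext caller has no principal at all and falls through to denial rather than being authenticated.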

Observability

  • Metrics (prometheus)
  • Logs (fluentd)
  • Tracing (jaeger)
  • Cluster traffic (kiali)

DEMO

Bookinfo Application without Istio

QUESTIONS about service mesh

List of service meshes

Comparison: Consul vs Istio

Resources

THANK YOU

and I'm sorry 🙏
If you had to maintain my code
I hope you learned more by maintaining it
than me by writing it

contact

https://bisconti.cloud/

@julienBisconti

Slides made with Reveal.js and hugo-reveal