ive Microservices at Scale: Next Steps in Kubernetes with Service Mesh
Jesse Butler, Cloud Native Advocate, Oracle Cloud Infrastructure. cloudnative.oracle.com @jlb13
A presentation at Chicago Kubernetes Meetup in March 2019 in Chicago, IL, USA by Jesse Butler
Level Set
• Microservices
• Kubernetes
• Service Mesh
Copyright © 2018, Oracle and/or its affiliates. All rights reserved.
Let’s Talk About Service Mesh
A service mesh allows us to connect, secure, control and observe services at scale, often with no modification to service code.
Though other options exist, Linkerd and Istio are the two contenders to choose from.
Docker
• Docker changed the way we build and ship software
• Application and host are decoupled, making application services portable
• Containers are an implementation detail, but a critical one
Docker Is a Start
But, once we abstract the host away by using containers, we no longer have our hands on an organized platform.
Kubernetes
Kubernetes to the rescue. It provides the abstractions and organization we need for deploying containers at scale.
Migration from the Old World…
(diagram: Users → Application → Database)
…to Cloud Native Kubernetes Hotness
• Microservices running in orchestrated containers
• Everybody’s happy
• What happens now?
(diagram: Load balancer → Service, Service, Service → Database, Queue)
Day Two
Table Stakes for Services at Cloud Scale
• We require a method to simply and repeatably deploy software, and simply and recoverably modify deployments
• We require telemetry, observability, and diagnosability for our software if we hope to run at cloud scale
Day 2 Solutions
• Ingress and Traffic Management
• Tracing and Observability
• Metrics and Analytics
• Identity and Security
Abstract Requirements
• Traffic Management
• Observability
• Security
• Policy
Hard Things are Hard
These are Hard Problems™, and some software may address one of them well. Service mesh attempts to address them all.
What Is a Service Mesh?
• Infrastructure layer for controlling and monitoring service-to-service traffic
• Greatly simplifies service implementation via service discovery, automated retries, timeouts and more
• A data plane deployed alongside application services, and a control plane used to manage the mesh
Service Mesh is Not an API Gateway
API Gateways deal with north-south traffic, inbound to your cluster.
Service Mesh is concerned with east-west traffic, between your services within your cluster.
Though Istio does have an ingress gateway…
Service Mesh Architecture
• Both Istio and Linkerd use a proxy on the data plane to create the mesh
• Each service you add to the mesh has a proxy injected into its pod
• This vantage point is what gives a service mesh its power – it sees and knows all
Sidecar Proxy
(diagram: sidecar proxy deployed in each pod alongside the service container)
• HTTP/1.1, HTTP/2, gRPC or TCP
• With or without mTLS
Let’s Look at Linkerd
Linkerd is an ultralight service mesh for Kubernetes and other orchestration platforms.
Linkerd2 has a wholly reimplemented proxy and is built for low latency and massive scaling.
Linkerd Features
• Deep runtime diagnostics – Comprehensive suite of diagnostic tools, including automatic service dependency maps and live traffic samples
• Actionable service metrics – Allows you to monitor golden metrics (success rate, request volume, and latency) for every service and define response
Linkerd Features
• Simple, minimalist design – No complex APIs or configuration. For most applications, Linkerd will “just work” out of the box
• Ultralight and ultra fast – Built in Rust, Linkerd’s data plane proxies are incredibly small (<10 mb) and blazing fast (p99 < 1ms)
Linkerd Components
(diagram)
Using Linkerd
• Linkerd CLI utilities – Routes, stats, tap, profiles
• Unified dashboard
• Configure services with typical Kubernetes workflows – CRDs
• Automated sidecar injection is possible
Let’s Look at Istio
Istio is a service mesh for Kubernetes that allows us to connect, secure, control and observe services at scale, often requiring no service code modification.
Istio Features
• Traffic Management – Fine-grained control with rich routing rules, retries, failovers, and fault injection
• Observability – Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress
Istio Features
• Security – Strong identity-based AuthN and AuthZ layer, secure by default for ingress, egress and service-to-service traffic
• Policy – Extensible policy engine supporting access controls, rate limits and quotas
Using Istio
• istioctl – CLI for mesh admin
• Kiali – dashboard BUI
• Configure services with typical Kubernetes workflows – CRDs
• Sidecar auto-injection is optional on a per-namespace basis
Istio Components
• Envoy – Sidecar proxy
• Pilot – Propagates rules to sidecars
• Mixer – Enforces access control, collects telemetry data
• Citadel – Service-to-service and end-user AuthN and AuthZ
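As an added example (not from the deck, and not Istio's own manifests), this is how the per-namespace auto-injection and the "secure by default" service-to-service mTLS from the previous slides are expressed with the Istio 1.x CRDs of the same era as this component list. The namespace name `bookshop` is a constructed placeholder; later Istio releases replace the `Policy` kind with `PeerAuthentication`.

```yaml
# Added example (not from the deck). "bookshop" is a constructed placeholder.
# API versions are the Istio 1.x (2019-era) ones used with Pilot/Mixer/Citadel.
apiVersion: v1
kind: Namespace
metadata:
  name: bookshop
  labels:
    # Pods created in this namespace get the Envoy sidecar injected automatically
    istio-injection: enabled
---
# Server side: require mTLS for all inbound service-to-service traffic in the
# namespace. STRICT rejects plaintext; PERMISSIVE accepts both during migration.
# A namespace-wide Policy must be named "default".
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: bookshop
spec:
  peers:
  - mtls:
      mode: STRICT
---
# Client side: make calling sidecars originate mTLS with their Citadel-issued
# certificates; without this, STRICT servers reject the plaintext requests.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: bookshop
spec:
  host: "*.bookshop.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

Pods that existed before the namespace label was applied are not injected retroactively; they need to be recreated before the STRICT policy is applied, otherwise their un-proxied plaintext calls are rejected.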
Envoy
High performance proxy which mediates inbound and outbound traffic.
• Dynamic service discovery
• Load balancing
• TLS termination
• HTTP/2 and gRPC proxies
• Circuit breakers
• Health checks
• Split traffic
• Fault injection
• Rich metrics
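An added example (not from the deck) tying the Traffic Management features slide to the Envoy feature list above: a DestinationRule and VirtualService pair that configures traffic splitting, retries, a request timeout, fault injection and outlier-detection circuit breaking for one service. The `reviews` service, the `bookshop` namespace and the `version: v1`/`v2` pod labels are constructed placeholders.

```yaml
# Added example (not from the deck). Service, namespace and labels are constructed.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
  namespace: bookshop
spec:
  host: reviews.bookshop.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  trafficPolicy:
    outlierDetection:              # circuit breaker
      consecutiveErrors: 5         # eject a pod after 5 consecutive 5xx responses
      interval: 10s                # how often Envoy re-evaluates the pool
      baseEjectionTime: 30s        # minimum time an ejected pod stays out
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
  namespace: bookshop
spec:
  hosts:
  - reviews.bookshop.svc.cluster.local
  http:
  - route:
    - destination:
        host: reviews.bookshop.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: reviews.bookshop.svc.cluster.local
        subset: v2
      weight: 10                   # split traffic: 10% canary to v2
    timeout: 2s                    # overall deadline for the request
    retries:
      attempts: 3
      perTryTimeout: 500ms
      retryOn: 5xx,connect-failure # failover to another pod on these errors
    fault:                         # fault injection for resilience testing
      delay:
        percentage:
          value: 1.0               # 1% of requests
        fixedDelay: 3s
```

The 3s injected delay exceeds the 2s timeout on purpose: it lets you verify that callers actually honour the deadline and retry budget rather than hang, which is the behaviour the retry and timeout settings are meant to guarantee.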
Istio Architecture
(diagram)
Linkerd or Istio
• Superficially speaking…
– Istio for depth and features
– Linkerd for simplicity and ease-of-use
• Your mileage may vary
Thanks!
Twitter: @jlb13
cloudnative.oracle.com
$500 OCI trial: bit.ly/ChiK8sOC