An Open-Source Platform to Connect, Manage, and Secure Microservices

DoIT International confidential │ Do not distribute
Istio
An open-source platform to connect, manage, and secure
microservices

DoIT International
Vadim Solovey Yoram Ben-Yaacov

DoIT International

Agenda
● Kubernetes Overview with focus on Networking
● Flannel. What. Why. How.
● What’s still missing?
● Istio Key Concepts & Architecture
● More about Istio (features, roadmap, production readiness)

Kubernetes Overview
Docker by itself is suffice when using containers in production
● What if the application is composed of multiple containers?
● What if you feel that putting all your containers on the same host sucks?
● What about deploying a new version of your application without service interruption?
● What about container failure management?

Kubernetes Overview
Cluster control plane (AKA master)
● API Server
● Cluster state store
● Controller-Manager Server
● Scheduler
The Kubernetes Node
● Kubelet
● Container runtime
● Kube Proxy
Add-ons and other dependencies
● DNS
● Ingress controller
● Heapster (resource monitoring)
● Dashboard (GUI)
Federation
Kubernetes == container cluster management tool

Kubernetes Networking
Little reminder on the Kubernetes networking concepts:
● All containers can communicate with all other containers without NAT
● All nodes can communicate with all containers (and vice-versa) without NAT
● The IP that a container sees itself as is the same IP that others see it as
You can’t just take two computers running Docker and expect Kubernetes
to work...

Kubernetes Networking
There are many different networking options that offer these capabilities for
Kubernetes:
● Contiv
● Flannel
● Nuage Networks
● OpenVSwitch
● OVN
● Project Calico
● Romana
● Weave Net

Flannel

What's the problem is dude?

What's the problem is dude?
● Well, now we have mash of services that can speak with each other without
any control…
● The way that microservices interact with each other at runtime needs to be:
○ Monitored
○ Managed
○ Controlled

Isti WHAT?
Istio is “an open platform to connect, manage, and secure microservices”
● An easy way to create a network of deployed services with:
○ Load balancing
○ Service-to-service authentication
○ Monitoring
○ and more
● No change in service code is require.

Isti WHAT?
Kubernetes → Greek for "helmsman of a ship"
Istio → Greek word for 'sail'

Istio's Key Capabilities
● Traffic Management:
○ Control the flow of traffic and API calls between services
● Observability:
○ Dependencies between services
○ Nature and flow of traffic between services

● Policy Enforcement:
○ Apply organizational policy to the interaction between services
○ Ensure access policies are enforced
○ Ensure resources are fairly distributed among consumers
○ Policy changes made by configuring the mesh, not by changing
application code
● Service Identity and Security:
○ Provide services in the mesh with a verifiable identity
○ Protect service traffic

● Platform Support:
○ Designed to run in a variety of environments
■ Ones that span Cloud
■ On-premise
■ Kubernetes
■ Mesos
■ etc.
● Integration and Customization:
○ Integrate with existing solutions for ACLs, logging, monitoring, quotas,
auditing and more

Istio’s Architecture
An Istio service mesh is logically split into a data plane and a control plane
● Data plane: Set of intelligent proxies (Envoy)
● Control plane: Managing and configuring proxies to route traffic, as well as
enforcing policies at runtime

Istio’s Architecture

Istio’s Architecture - Envoy
● Extended version of the Envoy proxy
● A high-performance proxy developed in C++
● Mediate all inbound and outbound traffic
● Deployed as a sidecar to the relevant service
● Allows to add Istio capabilities to an existing deployment with no need to re-
architect or rewrite code

Istio’s Architecture - Envoy
Istio leverages Envoy’s many built-in features such as:
● Dynamic service discovery
● Load balancing
● TLS termination
● HTTP/2
● gRPC proxying
● Circuit breakers
● Health checks
● Staged rollouts with %-based traffic split
● Fault injection
● Rich metrics

Istio’s Architecture - Mixer
● A generic intermediation layer between application code and
infrastructure backends
● Moves policy decisions out of the app layer and into configuration
● The app code does a fairly simple integration with Mixer

● Responsible for:
○ Enforcing access control and usage policies
○ Collecting telemetry data
● Extracts request level attributes
● Includes a flexible plugin model to interface with a variety of host
environments and infrastructure backends

Mixer Adapters:

Istio’s Architecture - Pilot
● The core component used for traffic management in Istio is Pilot
● Specify rules to route traffic between Envoy proxies
● Specify failure recovery features such as timeouts, retries, and circuit
breakers
● Maintains a canonical model of all the services in the mesh

● Collecting and validating configuration and propagating it to the various Istio
components
● Abstracts environment-specific implementation details from Mixer and
Envoy
● Traffic management rules (i.e. generic layer-4 rules and layer-7 HTTP/gRPC
routing rules) can be programmed at runtime via Pilot

Istio’s Architecture - Istio-Auth
● Provides strong service-to-service and end-user authentication using mutual
TLS
● Can be used to upgrade unencrypted traffic in the service mesh
● Provides the ability to enforce policy based on service identity rather than
network controls
● Future releases of Istio will add:
○ Fine-grained access control
○ Auditing to control and monitor

Benefits of Istio
Fleet-wide Visibility:
● Produces detailed monitoring data about application and network behaviors
● Rendered using Prometheus & Grafana
● Can be easily extended to send metrics and logs to any collection,
aggregation and querying system
● Enables analysis of performance hotspots and diagnosis of distributed
failure modes with Zipkin tracing

Benefits of Istio
Resiliency and efficiency:
● Operators need to assume that the network will be unreliable
● Operators can use retries, load balancing, flow-control (HTTP/2), and circuit-
breaking to compensate
● Istio provides a uniform approach to configuring these features, making it
easier to operate a highly resilient service mesh

Benefits of Istio
Developer productivity:
● Developer can focus on building service features in their language of choice,
while Istio handles resiliency and networking challenges
● Developers are freed from having to bake solutions to distributed systems
problems into their code
● Improves productivity by providing common functionality supporting A/B
testing, canarying, and fault injection

Benefits of Istio
Policy Driven Ops:
● Decouples cluster operators from the feature development cycle
● Allowing improvements to security, monitoring, scaling, and service topology
to be rolled out without code changes
● Operators can route a precise subset of production traffic to qualify a new
service release

Benefits of Istio
Policy Driven Ops:
● Can inject failures or delays into traffic to test the resilience of the service
mesh
● Set up rate limits to prevent services from being overloaded
● Can be used to enforce compliance rules, defining ACLs between services

Benefits of Istio
Secure by default:
It is a common fallacy of distributed computing that the network is secure
● Enables operators to authenticate and secure all communication between
services using a mutual TLS connection
● Aligned with the emerging SPIFFE specification
● Based on similar systems that have been tested extensively inside Google

Benefits of Istio
Incremental Adoption:
● Designed to be completely transparent to the services running in the mesh
● Allowing teams to incrementally adopt features of Istio over time

Key Concepts in Istio - Traffic Management
Each Envoy instance maintains:
● Load balancing information based on the information it gets from Pilot
● Periodic health-checks of other instances

Key Concepts in Istio - Traffic Management Benefits

Communication between services:
● Clients of a service have no knowledge of
different versions of the service
● Envoy determines its actual choice of
service version dynamically based on the
routing rules specified by the operator
using Pilot

Ingress and Egress Envoys:
● Istio assumes that all traffic entering and leaving the service mesh transits
through Envoy proxies.
● For user-facing services operators can:
○ conduct A/B testing
○ Deploy canary services
○ Etc...
● By routing traffic to external web services via Envoy, operators can add
failure recovery features such as circuit breakers, impose rate limits via
Mixer, and provide authentication using Istio-Auth

Handling Failures:
Provides a set of out-of-the-box opt-in failure recovery features
Features include:
● Timeouts
● Retries with timeout budgets and variable jitter between retries
● Limits on number of concurrent connections and requests to upstream services
● Active health checks on each member of the load balancing pool
● Fine-grained circuit breakers (passive health checks) – applied per instance in the load balancing
pool

Fault Injection:
● Protocol-specific fault injection into the network
● Faults can be injected into requests that match specific criteria
● Restriction of the % of requests that should be subjected to faults
● Two types of faults can be injected:
○ Delays: Timing failures, mimicking increased network latency, or an overloaded upstream
service
○ Aborts: Crash failures that mimic failures in upstream services. Usually manifest in the form
of HTTP error codes, or TCP connection failures.

Rules Configuration:
● Simple Domain-specific language (DSL)
● The DSL allows the operator to configure service-level properties such as:
● Routes
● Circuit breakers
● Timeouts
● Retries
● Injecting faults in the request path
● Set up common continuous deployment tasks such as:
○ Canary rollouts
○ A/B testing
○ Staged rollouts with %-based traffic splits
○ Etc.

DoIT International confidential │ Do not distributeDoIT International confidential │ Do not distribute
Demo Time!
Vadim Solovey

Meet the Bookshelf App

Istio’ized Bookshelf

Thank you!
Vadim Solovey Yoram Ben
Yaacov

Istio vs Linkerd
Istio linkerd
Maturity < 1y >2y
Deployment Transparent proxy sidecar Standalone RPC routing proxy
Programming languages C++ Scala/JVM
Memory and CPU Low Significantly higher than Envoy’s
Configuration language Extensive Minimalist
Host-to-Host authentication using Kubernetes Supported Not supported
API-driven routing Supported Not supported
Hot reloads Supported Not supported explicitly
External registries (E.g. Consul) Not supported Supported
Tracing sprinkles Not supported Supported

Thank you (again…)!
Vadim Solovey Yoram Ben
Yaacov

An Open-Source Platform to Connect, Manage, and Secure Microservices

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to An Open-Source Platform to Connect, Manage, and Secure Microservices

Similar to An Open-Source Platform to Connect, Manage, and Secure Microservices (20)

More from DoiT International

More from DoiT International (19)

Recently uploaded

Recently uploaded (20)

An Open-Source Platform to Connect, Manage, and Secure Microservices

Editor's Notes