This presentation gives audiences a broad viewpoint from old to modern architecture. How Kubernetes and service mesh (istio) can help developers in those missions:
- Explain from traditional to modern architecture. The role of Kubernetes in modern architecture.
- Build basic k8s components from the ground up with illustrations: Pod; Node; Service; ReplicaSet; Deployment; Namespace; Ingress ...
- Kubernetes under the developer viewpoint: write a YAML application file and deploy k8s application to the cluster.
- Kubernetes advanced concepts: master node design, how does the auto-scale for pods/nodes work, Kubernetes networking model.
- Discuss microservice challenges. The role of the service mesh in the microservice ecosystem.
- Introduce Envoy, istio and their application in the service mesh.
6. Containers are great but…
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
•Isolation.
•Immutability
•EfBicient resource utilization.
•Lightweight
•Portable
But …
•Dozens, even thousands of containers over time.
•How to manage/deploy/connected/updated ?
•Integrate and orchestrate these modular parts
•Provide communication across a cluster
•Make them fault tolerant
10. Pod
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
Container
• The smallest and simplest unit in the k8s object model
11. Pod
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
Container
• The smallest and simplest unit in the k8s object model
• Each pod will have a unique internal IP address.
10.1.1.1
12. Pod
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
Container
• The smallest and simplest unit in the k8s object model
• Each pod will have a unique internal IP address.
• There are many containers in one single pod.
10.1.1.1
Container
13. Pod
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
Container
• The smallest and simplest unit in the k8s object model
• Each pod will have a unique internal IP address.
• There are many containers in one single pod.
• Containers in pods share network namespace, volume
10.1.1.1
Container
3000
3306
10.1.1.1:3000
10.1.1.1:3306
14. Pod
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
Container
• The smallest and simplest unit in the k8s object model
• Each pod will have a unique internal IP address.
• There are many containers in one single pod.
• Containers in pods share network namespace, volume
10.1.1.1
Container
3000
3000
52. Data - Volume
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
Container
10.1.1.3
Container
3000
3306
/data/output
/logs Volume
• Using volume to store / share data between containers
53. Data - Volume
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
Container
10.1.1.3
Container
3000
3306
/data/output
/logs Volume
• Using volume to store / share data between containers
• Volume can be built from secret / configmap
54. Data - Volume
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
Container
10.1.1.3
Container
3000
3306
/data/output
/logs Volume
Persistent
Volume Claim
30GB
Persistent Volume
GCEPersistentDisk 50GB
Persistent Volume
AzureDisk 20GB
Persistent Volume
CephFS 20GB
• Using volume to store / share data between containers
• Volume can be built from secret / configmap
• Or from the persistent disk
66. Pod template
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
• 1 Descriptor conforms to version v1 of Kubernetes API
• 2 You’re describing a pod.
• 3 The name of the pod
• 4 Container image to create the container from
• 5 Name of the container
• 6 The port the app is listening on
74. Init containers
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
init containers, which are run before the app containers are started.
Init containers are exactly like regular containers, except:
• Init containers always run to completion.
• Each init container must complete successfully before the next one starts.
Init containers can contain utilities or custom code for setup that are not present in an app
image. (e.g.: sed, awk, python ...)
--> The application image builder and deployer roles can work independently without
the need to jointly build a single app image.
92. Basic steps
• Dockerize.
• Write deployment/service.
• Define configmap or variable env.
• Resource usage.
• Liveness/Ready probe.
• How to structure application into pods?
Multiple container in 1 pod or multiple pod?
• How to integrate with other service?
• Does it need to communicate with outside?
• Does it need stateful?
100. The API Server
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
API server is the central component used by all other components and by clients, such
as kubectl. It provides a CRUD (Create, Read, Update, Delete) interface for querying and
modifying the cluster state over a RESTful API. It stores that state in etcd.
102. The Scheduler
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
• Filtering the list of all nodes to obtain a list of acceptable nodes the pod can be scheduled to
• Prioritizing the acceptable nodes and choosing the best one.
• If multiple nodes have the highest score, round-robin is used to ensure pods are deployed
across all of them evenly.
103. The controller manager
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
• ReplicaSet, DaemonSet,
and Job controllers.
• Deployment controller.
• StatefulSet controller.
• Node controller.
• Service controller.
• Others
Controllers do many different things, but they all watch the API server for changes to
resources (Deployments, Services, and so on) and perform operations for each change,
whether it’s a creation of a new object or an update or deletion of an existing object.
105. kube proxy
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
• The iptables proxy mode doesn’t load balance—it selects pods randomly.
• When only a few clients use a service, they may not be spread evenly across pods.
kube-proxy makes sure connections to the service IP and port end up at one of the
pods backing that service
110. Kubernetes networking
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
• all Pods can communicate with all other Pods without using network address
translation (NAT).
• all Nodes can communicate with all Pods without NAT.
• the IP that a Pod sees itself as is the same IP that others see it as.
1. Container-to-Container networking
2. Pod-to-Pod networking
3. Pod-to-Service networking
4. Internet-to-Service networking
https://sookocheff.com/post/kubernetes/understanding-kubernetes-networking-model/
Problems
115. Microservices
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
The network should be transparent to applications. When network and application
problems do occur it should be easy to determine the source of the problem.
This sounds great! But it turns out it’s really, really hard.
116. But the network is hard
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
• Communication between services
• Load Balance
• Discovery Service
• Observability
• Distributed tracing
• Logs
• Monitoring
• Fault Tolerance
• Circuit breaker
• Retry mechanism
117. Communication between services
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
Client side load balancer Server side load balancer
yet another highly available system component
that you need to set up and manage
couples the client with the service
registry.
make application speciBic load balancing
decisions (e.g.hashing consistently)
eliminates the need to implement discovery logic
118. Client Libraries: The First Service Meshes?
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
• The restriction use of
multiple language-
specific frameworks
and/or application
servers to run them.
• Complexity when
upgrade version
library.
• Forward compatibility
and Backward
compatibility
119. Observability
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
• Logging
• Metrics
• Tracing
https://www.slideshare.net/hqt/observability-and-its-application
How well do you really understand what’s going on in these environments?
120. Network failure
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
With our services communicating with numerous external resources,
failures can be caused by:
• Networking issues
• System overload
• Resource starvation (e.g. out of memory)
• Bad deployment/conBiguration
•
122. Service Mesh
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
In software architecture, a service mesh is a dedicated infrastructure layer for facilitating
service-to-service communications between microservices, often using a sidecar proxy.
(Wikipedia)
123. Service Mesh
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
In software architecture, a service mesh is a dedicated infrastructure layer for facilitating
service-to-service communications between microservices, often using a sidecar proxy.
(Wikipedia)
• Service engineer focus only on service business.
• Don’t restrict to any language/framework.
124. Control plane vs Data plane
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
Data Plane:
• Touches every packet/request in the system.
Control Plane:
• Does not touch any packet/request
in the system.
125. Control plane vs Data plane
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
Data Plane:
• Touches every packet/request in the system.
• Service discovery
• Health checking
• Routing.
• Observability.
• Authentication/authorization.
• Load balancing
Control Plane:
• Does not touch any packet/request
in the system.
• Provide policy.
• Provide configuration.
• Unifies telemetry collection.
128. Envoy Proxy
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
Out of process architecture: Let’s do a lot of really hard stuff in one place
• Modern C++11 code base: Fast and productive.
• L3/L4 Bilter architecture: A TCP proxy at its core. HTTP; MongoDB; Redis; TCP rate limiter
• HTTP L7 Bilter architecture.
• HTTP/2 and GRPC proxy.
• Service discovery and active health checking.
• Advanced load balancing: Retry, timeouts, circuit breaking, rate limiting, shadowing, etc
• Observability: stats, logging, and tracing.
• Edge proxy: routing and TLS.
• ...
132. Envoy - Observability
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
Having all SoA trafBic transit through Envoy gives us a single place where we can:
• Produce consistent statistics for every hop
• Create and propagate a stable request ID
• Consistent logging
• Distributed tracing
133. Envoy - Advanced load balancer
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
• Different service discovery types
• Zone aware least request load balancing.
• Dynamic stats: Per zone, canary speciBic stats, etc.
• Circuit breaking: Max connections, requests, and retries.
• Rate limiting: Integration with global rate limit service.
• Shadowing: Fork trafBic to a test cluster.
• Retries: HTTP router has built in retry capability with different policies.
• Timeouts: Both “outer” (including all retries) and “inner” (per try) timeouts.
• Outlier detection: Consecutive 5xx
• Deploy control: Blue/green, canary, etc
134. istio
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
• Data plane: Envoy proxy as Sidecar
• Control plane:
• Pilot
• Galley
• Citadel
• Mixer
135. istio
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
• Data plane: Envoy proxy as Sidecar
• Control plane:
• Pilot
• Galley
• Citadel
• Mixer
Functionality:
• Fine-grained control traffic
• A pluggable policy layer like
rate limits, access control,
quotas.
• Automatic metrics, logs, traces.
• Secure service-to-service
147. Traces
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
• Envoy proxy is responsible for generating the initial trace headers and doing so in an
OpenTelemetry–compatible way
• Your application requires a thin-client library to collect and propagate a small set of HTTP
headers:
• x-request-id
• x-b3-traceid
• x-b3-spanid
• x-b3-parentspanid
• x-b3-sampled
• x-b3-flags
• x-ot-span-context
148. Traces
• Isolation.
• Immutability
• Efficient resource
utilization.
• Lightweight
• Portable
Life is not always easy ...
Need the cooperation from the application