2. Aspen Mesh Survey at KubeCon 2019 Europe
Multiple Independent Prod
Dev/Test/Stage
Multiple x-comm Prod
Multiple
(85%)
(10%) Other
(5%) One
3. Service Mesh
Service Mesh Control Plane
App A
Proxy
App B
Proxy
Service A Service B
ObservabilitySecurityTraffic
Management
k8s apiserver
Cluster
4. Service Mesh
Service Mesh Control Plane
App A
Proxy
App B
Proxy
Service A Service B
k8s apiserver
Cluster A
Service Mesh Control Plane
App A
Proxy
App B
Proxy
Service A Service B
k8s apiserver
Cluster B
5. Service Mesh
App A
Proxy
App B
Proxy
Service A Service B
k8s apiserver
Cluster A
App A
Proxy
App B
Proxy
Service A Service B
k8s apiserver
Cluster B
Service Mesh Control Plane
6. Service Mesh
App A
Proxy
App B
Proxy
Service A Service B
k8s apiserver
Cluster A
App A
Proxy
App B
Proxy
Service A Service B
k8s apiserver
Cluster B
Service Mesh Control Plane
7. Service Mesh
Service Mesh Control Plane
App A
Proxy
App B
Proxy
Service A Service B
k8s apiserver
Cluster A
Service Mesh Control Plane
App A
Proxy
App B
Proxy
Service A Service B
k8s apiserver
Cluster B
Higher Level
8. There are many reasons to want to run multiple clusters…
* Blast-radius (a problem in one cluster doesn't kill the whole system)
* Environment isolation (dev, test, prod)
* Reliability (a zone or region outage does not bring down the app)
* Latency (run the app as close to customers as possible)
* Scale (the app is too big to fit in a single cluster)
* Provider diversity (for regulatory, geographic, data gravity, or
other reasons)
* Jurisdiction (keep user data in-country)
* Upgrade scope (upgrade infra for some parts of your app but not all of
it)
* Avoid the need for in-place cluster upgrades
* Performance isolation (teams don't want to feel each other)
* Security isolation (sensitive data or untrusted code)
* Organizational isolation (teams have different management domains)
* Cost isolation (teams get different bills)
Tim Hockin, Re: Proposing Submariner as a sig-multicluster
10. NarrowPurpose Diversity
…what itruns on
…what runs on it
...how big it is
Any system with an IP addresscan send
packetsto any other system with anIP
address
Internet
IEEE 802.3
IEEE 802.5
IEEE 802.11
RFC1577
RFC2549
26. There are many reasons to want to run multiple clusters…
* Blast-radius (a problem in one cluster doesn't kill the whole system)
* Environment isolation (dev, test, prod)
* Reliability (a zone or region outage does not bring down the app)
* Latency (run the app as close to customers as possible)
* Scale (the app is too big to fit in a single cluster)
* Provider diversity (for regulatory, geographic, data gravity, or
other reasons)
* Jurisdiction (keep user data in-country)
* Upgrade scope (upgrade infra for some parts of your app but not all of
it)
* Avoid the need for in-place cluster upgrades
* Performance isolation (teams don't want to feel each other)
* Security isolation (sensitive data or untrusted code)
* Organizational isolation (teams have different management domains)
* Cost isolation (teams get different bills)
Tim Hockin, Re: Proposing Submariner as a sig-multicluster
28. Unified Management – Configurethem all inoneplace
Unified Trust – Crypto trusttraceable back to onecommonroot
Heterogenous Network – Clusters can have overlappingor non-routableinternal IPs
Independent Fault Domain – If Cluster A blows up,Cluster B is still OK
Inter-Cluster Mesh Traffic –Inter-cluster traffic is still Service Mesh traffic
To Multicluster, or Not to Multicluster: Inter-cluster Communication Using a Service Mesh
29. UnifiedManagement UnifiedTrust Heterogenous Network
Independent Fault
Domain
Inter-clusterMesh
Traffic
Independent ✓ ✓
Common Management ✓ ✓ ✓
Flat Network ✓ ✓ ✓
Split Horizon ✓ ✓ ✓ ✓
Cluster-AwareService
Routing
✓ ✓ ✓ ✓
To Multicluster, or Not to Multicluster: Inter-cluster Communication Using a Service Mesh
33. Aspen Mesh Survey at KubeCon 2019 Europe
Multiple Independent Prod
Dev/Test/Stage
Multiple x-comm Prod
Multiple
(85%)
(10%) Other
(5%) One
34. There are many reasons to want to run multiple clusters…
* Blast-radius (a problem in one cluster doesn't kill the whole system)
* Environment isolation (dev, test, prod)
* Reliability (a zone or region outage does not bring down the app)
* Latency (run the app as close to customers as possible)
* Scale (the app is too big to fit in a single cluster)
* Provider diversity (for regulatory, geographic, data gravity, or
other reasons)
* Jurisdiction (keep user data in-country)
* Upgrade scope (upgrade infra for some parts of your app but not all of
it)
* Avoid the need for in-place cluster upgrades
* Performance isolation (teams don't want to feel each other)
* Security isolation (sensitive data or untrusted code)
* Organizational isolation (teams have different management domains)
* Cost isolation (teams get different bills)
Tim Hockin, Re: Proposing Submariner as a sig-multicluster
35. Unified Management – Configurethem all inoneplace
Unified Trust – Crypto trusttraceable back to onecommonroot
Heterogenous Network – Clusters can have overlappingor non-routableinternal IPs
Independent Fault Domain – If Cluster A blows up,Cluster B is still OK
Inter-Cluster Mesh Traffic –Inter-cluster traffic is still Service Mesh traffic
To Multicluster, or Not to Multicluster: Inter-cluster Communication Using a Service Mesh