3. IBM Cloud
try {
HttpResponse response = httpClient.get(
“http://secretsauce.internal/recipe”);
cook(response.body);
} catch (NetworkError ne) {
fixmePleaseOMG(ne);
}
Credit to Louis Ryan for this fun example
4. IBM Cloud
try {
// Load balancing
IP ip = DNS.lookupSRV(“secretsauce.internal”).pickOne();
HttpResponse response = httpClient.open(ip).get(
“http://secretsauce.internal/recipe”);
cook(response.body);
} catch (NetworkError ne) {
fixmePleaseOMG(ne);
}
Credit to Louis Ryan for this fun example
5. IBM Cloud
for (int i = 0; i < 3; i++) { // Retry
try {
IP ip = DNS.lookupSRV(“secretsauce.internal”).pickOne();
HttpResponse response = httpClient.open(ip).get(
“http://secretsauce.internal/recipe”);
cook(response.body);
} catch (NetworkError ne) {
if (i == 2) fixmePleaseOMG(ne);
else Thread.sleep(random(5) * 1000);
}
}
Credit to Louis Ryan for this fun example
6. IBM Cloud
Secret key = new Secret(new File(“/somewhere/safe/key”);
for (int i = 0; i < 3; i++) {
try {
IP ip = DNS.lookupSRV(“secretsauce.internal”).pickOne();
HttpResponse response = httpClient.open(ip)
.setHeader(“Authorization”, key.toString())
.get(“http://secretsauce.internal/recipe”);
cook(response.body);
} catch (NetworkError ne) {
if (i == 2) fixmePleaseOMG(ne);
else Thread.sleep(random(5) * 1000);
}
}
Credit to Louis Ryan for this fun example
7. IBM Cloud
Secret key = new Secret(new File(“/somewhere/safe/key”);
for (int i = 0; i < 3; i++) {
try {
IP ip = DNS.lookupSRV(“secretsauce.internal”).pickOne();
HttpResponse response = httpClient.open(ip)
.setHeader(“Authorization”, key.toString())
.get(“http://secretsauce.internal/recipe”);
log(“Success”);
cook(response.body);
} catch (NetworkError ne) {
log(“Failed”);
if (i == 2) fixmePleaseOMG(ne);
else Thread.sleep(random(5) * 1000);
}
}
Credit to Louis Ryan for this fun example
19. IBM Cloud
What is Istio?
- An open service mesh platform
- Provides language neutral standard attachment to
your application container
- Provides user interfaces to configure policies for the
attachment, without redeploying your application
- Enables clear separation from the application (Dev)
and attachment (Ops)
24. IBM Cloud
Policy checksPolicy
checks
Policy Telemetry
Kubernetes
API server
Mesh Boundary
kubectl istioctl
Sidecar-injector
Ingress-
gateway
Egress-
gateway
data flow
management flow
25. IBM Cloud
Install Istio
• Nothing Magic… Istio is just a bunch of CRDs, services, deployments,
config maps, secrets
• Installation Profiles
• Recommend start with the demo profile
• Use default profile as starting point for production usage
26. IBM Cloud
Deploy microservices to the mesh
• istioctl kube-inject
• kubectl label namespace {namespace} istio-injection=enabled
• istioctl add-to-mesh
• istioctl describe
https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/
27. IBM Cloud
Deploy pods and services to the mesh
• Add named service port for each service port
• Declare containerPort configuration for each pod
port
• Pod must have a service associated
• Label deployments with app and version
• Don't use UID 1337
• Do you have NET_ADMIN privilege?
https://istio.io/docs/setup/kubernetes/prepare/requirements/
apiVersion: v1
kind: Service
metadata:
name: productpage
labels:
app: productpage
service: productpage
spec:
ports:
- port: 9080
name: http
selector:
app: productpage
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: productpage-v1
labels:
app: productpage
version: v1
spec:
replicas: 1
template:
metadata:
labels:
app: productpage
version: v1
spec:
containers:
- name: productpage
image: istio/examples-bookinfo-
productpage-v1:1.10.1
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
bookinfo.yaml
28. IBM Cloud
initContainers:
- args:
- -p
- "15001"
- -u
- "1337"
- -m
- REDIRECT
- -i
- '*'
- -x
- ""
- -b
- "*"
- -d
- "15020"
image: docker.io/istio/proxy_init:1.1.0
imagePullPolicy: IfNotPresent
name: istio-init
resources:
limits:
cpu: 100m
memory: 50Mi
requests:
cpu: 10m
memory: 10Mi
securityContext:
capabilities:
add:
- NET_ADMIN
volumes:
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-certs
secret:
optional: true
secretName: istio.default
FROM ubuntu:xenial
RUN apt-get update && apt-get upgrade -y &&
apt-get install -y
iproute2
iptables
&& rm -rf /var/lib/apt/lists/*
ADD istio-iptables.sh /usr/local/bin/
ENTRYPOINT ["/usr/local/bin/istio-iptables.sh"]
echo ' -p: Specify the envoy port to which redirect all TCP traffic (default $ENVOY_PORT =
15001)'
echo ' -u: Specify the UID of the user for which the redirection is not'
echo ' applied. Typically, this is the UID of the proxy container'
# shellcheck disable=SC2016
echo ' (default to uid of $ENVOY_USER, uid of istio_proxy, or 1337)'
echo ' -g: Specify the GID of the user for which the redirection is not'
echo ' applied. (same default value as -u param)'
echo ' -m: The mode used to redirect inbound connections to Envoy, either "REDIRECT" or
"TPROXY"'
# shellcheck disable=SC2016
echo ' (default to $ISTIO_INBOUND_INTERCEPTION_MODE)'
echo ' -b: Comma separated list of inbound ports for which traffic is to be redirected to
Envoy (optional). The'
echo ' wildcard character "*" can be used to configure redirection for all ports. An
empty list will disable'
# shellcheck disable=SC2016
echo ' all inbound redirection (default to $ISTIO_INBOUND_PORTS)'
echo ' -d: Comma separated list of inbound ports to be excluded from redirection to Envoy
(optional). Only applies'
# shellcheck disable=SC2016
echo ' when all inbound traffic (i.e. "*") is being redirected (default to
$ISTIO_LOCAL_EXCLUDE_PORTS)'
echo ' -i: Comma separated list of IP ranges in CIDR form to redirect to envoy (optional).
The wildcard'
echo ' character "*" can be used to redirect all outbound traffic. An empty list will
disable all outbound'
# shellcheck disable=SC2016
echo ' redirection (default to $ISTIO_SERVICE_CIDR)'
echo ' -x: Comma separated list of IP ranges in CIDR form to be excluded from redirection.
Only applies when all '
Dockerfile.proxy_init
Istio-iptables.sh
44. IBM Cloud
More Sidecar Debug
$ istioctl dashboard envoy $(kubectl get pod -l
app=productpage -o
jsonpath='{.items[0].metadata.name}')
http://localhost:56740
49. IBM Cloud
2019 Istio Themes
• Project Sustainability
• Layering and Extensibility
• Improved Experience
• Performance and Scalability
50. IBM Cloud
Istio 2019 Predictable Releases
Istio
1.0
Launch
-July
2018
2018 2019
Istio
1.1
February
Istio
1.2
June
Istio
1.3
Septem
ber
2020
Istio
1.4
Unreleased
51. IBM Cloud
2019 Istio Key Updates
• All outbound traffic is allowed by default
• Mixer-policy is not enabled by default
• Multicluster Istio for non flat networks
• Introduce Sidecar resource
• Intelligent Protocol Sniffing
• Various istioctl UX improvements
52. IBM Cloud
How to contribute
• Contribute via discuss or slack
• Gain membership Status
• Consult existing maintainers
• Gain maintainer status
• Attend WG Meetings
53. IBM Cloud
• Preview available around
KubeCon US 2019
• Final book available by
end of 2019