
Multi-Tenant Ingress with Istio

997 views

Published on

In this session we focus on the use case of multi-tenancy on a Kubernetes cluster with the Istio service mesh.

We will explain how API Gateways, Ingress Controllers, and Service Mesh differ, and how they work together to achieve this use case.

In this session we'll:
Discuss the core concept
Look at the challenges for application developers and cluster operators
Walk through how that problem has been solved historically
Review how implementing a service mesh can help solve that problem differently
Demos, demos, demos
Recap the latest release of Istio

Video here
https://www.youtube.com/watch?v=HO7pqNUbUFk&list=PLBOtlFtGznBim4rBEXMl87Pt9qJT_3G1Y

Learn More
https://solo.io and https://gloo.solo.io
https://istio.io
https://cloud.google.com

Published in: Technology

Multi-Tenant Ingress with Istio

  1. Multi-Tenant Ingress using Istio. Christian Posta | @christianposta | Solo.io. Sandeep Parikh | @crcsmnky | Google Cloud
  2. What we'll cover: Challenge, Examples, Solutions, What's new, Questions
  3. Challenge
  4. Running multi-tenant ingress deployments
  5. What is multi-ingress? When running large multi-tenant deployments, teams or workloads may need their own dedicated ingress, or apps may need different ingress setups.
  6. Why multi-ingress?
     ● Isolation for individual teams and logical workloads
     ● Multiple ingress types, like APIs vs user-facing services
     ● Serving multiple applications out of different domains
     ● Unique SSL certificates required for each domain being served
  7. Example deployment
  8. What we have
  9. What we want
  10. Top-level requirements
     ● Isolate teams and logical workloads
     ● Support for different ingress types
     ● Each ingress needs HTTPS support
  11. Critical features
     ● Platform load balancer support
     ● SSL certificate support
     ● Kubernetes-native service
     ● Traffic management mechanisms
     ● API gateway support
     ● Auth support for in-cluster services
  12. Ecosystem solutions
  13. Kubernetes Ingress
     ● More capable than Service LoadBalancer
     ● SSL certificate support
     ● Multiple ingress resources can be deployed
     ● Can integrate with L7 platform load balancers
     ● Supports single-service, simple fanout, or name-based virtual hosts
  14. Kubernetes Ingress Controllers!
  15. Traefik. Features! Tiny, fast, Go! IngressRoute CRD! Ingress-only? traefik.io
  16. nginx. Features! Tried and true. Many examples. Ingress-only? nginx.com/products/nginx/kubernetes-ingress-controller
  17. Is there an Istio-native option?
  18. Istio Ingress Gateway
     ● Supports workloads across different namespaces
     ● Native Kubernetes Service, integrates with platform load balancers
     ● Support for SSL certificates
     ● Encrypted traffic to downstream services
  19. Istio Ingress Gateway. Out of the box, you get one. What if you want more?
  20. Generate a new ingressgateway. Use helm to generate the required components to run your own ingress gateway:
     cd istio-1.3.2/install/kubernetes/helm
     helm template istio --name istio --namespace istio-system -x charts/gateways/templates/serviceaccount.yaml >> my-ingressgateway.yaml
     helm template istio --name istio --namespace istio-system -x charts/gateways/templates/deployment.yaml >> my-ingressgateway.yaml
     helm template istio --name istio --namespace istio-system -x charts/gateways/templates/service.yaml >> my-ingressgateway.yaml
  21. Update metadata. Update the generated ServiceAccount, Deployment, and Service:
     ServiceAccount: metadata.name, metadata.labels
     Deployment: metadata.name, metadata.labels, spec.selector.matchLabels, spec.template.metadata.labels, spec.containers[].name, spec.containers[].volumeMounts[], spec.serviceAccountName, spec.volumes[]
     Service: metadata.name, metadata.labels, spec.ports[].http2.nodePort, spec.ports[].https.nodePort, spec.ports[].tcp.nodePort, spec.selector
  22. Wiring up Istio objects. When creating Gateway objects, configure spec.selector for your new ingressgateway:
     apiVersion: networking.istio.io/v1alpha3
     kind: Gateway
     metadata:
       name: gateway-example
     spec:
       selector:
         istio: example-ingressgateway
       servers:
       - port:
           number: 80
           name: http
           protocol: HTTP
         hosts:
         - "*"
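As an added example (not code from the slides or from the Istio project), the following Python script applies the slide-21 renames to the three manifests rendered in slide 20 and then checks which gateway Deployments a Gateway's spec.selector (slide 22) resolves to, which is the check that tells you whether a tenant's Gateway is really bound to its own proxy. The manifests are constructed stand-ins, held as dicts the way `kubectl get -o json` returns them; the `-service-account` suffix and the `-certs` secret name are assumed chart conventions.

```python
import copy

OLD = "istio-ingressgateway"                 # name of the default gateway in the Istio 1.3 helm chart
OLD_LABELS = {"app": OLD, "istio": "ingressgateway"}

def rendered_manifests():
    """Constructed, minimal stand-ins for the ServiceAccount, Deployment and Service that
    `helm template ... -x charts/gateways/templates/*.yaml` renders for the default gateway."""
    meta = lambda name: {"name": name, "labels": dict(OLD_LABELS)}
    return [
        {"kind": "ServiceAccount", "metadata": meta(OLD + "-service-account")},
        {"kind": "Deployment", "metadata": meta(OLD), "spec": {
            "selector": {"matchLabels": dict(OLD_LABELS)},
            "template": {"metadata": {"labels": dict(OLD_LABELS)}, "spec": {
                "serviceAccountName": OLD + "-service-account",
                "containers": [{"name": "istio-proxy", "volumeMounts": [{"name": "ingressgateway-certs"}]}],
                "volumes": [{"name": "ingressgateway-certs", "secret": {"secretName": OLD + "-certs"}}]}}}},
        {"kind": "Service", "metadata": meta(OLD), "spec": {"selector": dict(OLD_LABELS), "ports": [
            {"name": "http2", "port": 80, "nodePort": 31380}, {"name": "https", "port": 443, "nodePort": 31390}]}},
    ]

def rename_ingressgateway(manifests, name, istio_label):
    """Apply the slide-21 edits so the copies describe a second, independent gateway. Labels, selectors
    and the TLS secret must all change together: a stale label would let the default gateway's Service
    (and any Gateway selecting it) send another tenant's traffic through the new pods."""
    labels = {"app": name, "istio": istio_label}
    out = []
    for m in copy.deepcopy(manifests):
        m["metadata"]["name"] = m["metadata"]["name"].replace(OLD, name)
        m["metadata"]["labels"] = dict(labels)
        if m["kind"] == "Deployment":
            m["spec"]["selector"]["matchLabels"] = dict(labels)
            pod = m["spec"]["template"]
            pod["metadata"]["labels"] = dict(labels)
            pod["spec"]["serviceAccountName"] = name + "-service-account"
            for v in pod["spec"]["volumes"]:         # point at a per-gateway certificate secret
                if "secret" in v:
                    v["secret"]["secretName"] = v["secret"]["secretName"].replace(OLD, name)
        elif m["kind"] == "Service":
            m["spec"]["selector"] = dict(labels)
            for p in m["spec"]["ports"]:             # fixed nodePorts would collide with the default gateway
                p.pop("nodePort", None)
        out.append(m)
    return out

def deployments_selected(gateway, manifests):
    """Names of gateway Deployments whose pod labels match Gateway.spec.selector (slide 22). Exactly one
    is what isolation needs: zero means the hosts are never served, two or more means another tenant's
    proxy also admits traffic for them."""
    sel = gateway["spec"]["selector"]
    return [m["metadata"]["name"] for m in manifests if m["kind"] == "Deployment"
            and all(m["spec"]["template"]["metadata"]["labels"].get(k) == v for k, v in sel.items())]
```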
  23. Gloo Edge Proxy (diagram: north-south traffic into the edge proxy, east-west traffic between Service I through Service V). Copyright © 2019
  24. Gloo features. Gloo is a fully-featured edge Gateway and Ingress Controller built on Envoy Proxy. Gloo was built to extend the capabilities of the service mesh. Gloo runs on any platform: bare-metal, VM, Kubernetes, and Cloud.
  25. Gloo Gateway complements service mesh
     • Extend with powerful edge capabilities (as seen previously)
     • Integrate with mTLS (SDS)
     • Integrate with telemetry collection
     • Integrate with distributed tracing
     • Provide full North-South & East-West networking abstraction
  26. Gloo architecture (diagram): environment, secret and configuration feed the control plane, which configures and manages Envoy's plugins; the data plane consists of the router, upstreams, gRPC-JSON transcoder, rate limiting, external auth, and more.
  27. Demo
  28. What we just deployed
  29. What's New
  30. Istio 1.3: 52 improvements, 662 commits, 400+ contributors, 300 companies. Released 2019-09-12. Full release notes.
  31. Istio 1.3 key themes: improve the UX for new users adopting Istio; improve the UX for debugging problems; support more apps without additional config.
  32. Istio 1.3 highlights
     ● containerPort no longer required
     ● Customizable generated Envoy config
     ● Mixer-less telemetry (experimental)
     ● Intelligent protocol detection (experimental)
     ● Operator-based install (experimental)
     ● New commands in istioctl experimental for debugging
  33. $ istioctl x --help
     Experimental commands that may be modified or deprecated
     Usage: istioctl experimental [command]
     Aliases: experimental, x, exp
     Available Commands:
       add-to-mesh       Add workloads into Istio service mesh
       analyze           Analyze Istio configuration and print validation messages
       auth              Inspect and interact with authn/authz policies in the mesh
       describe          Describe resource and related Istio configuration
       kube-uninject     Uninject Envoy sidecar from Kubernetes pod resources
       manifest          Commands related to Istio manifests
       metrics           Prints metrics for specified workload(s) when running in K8S
       profile           Commands related to Istio configuration profiles
       remove-from-mesh  Remove workloads from Istio service mesh
  34. Same `istioctl x --help` output, highlighting analyze: analyze YAML files, analyze a live cluster, simulate the effect of applying YAML.
  35. Same `istioctl x --help` output, highlighting manifest: operator-based install! Generate and/or apply manifests, diff against multiple manifests, migrate from Helm config to Operator.
  36. What's Next: Security. Around 3 weeks after the next Istio release, we'll dig into security-centric use cases, and how Istio can help. Istio 1.4 → Late Q4 2019
  37. Thank You! Questions or Comments? Find us @christianposta and @crcsmnky
     Learn More
     ● Istio istio.io
     ● Google Cloud cloud.google.com
     ● Solo.io www.solo.io
     ● Gloo gloo.solo.io
     ● Service Mesh Hub servicemeshhub.io
     Demo
     ● github.com/crcsmnky/istio-multi-ingress
