The document discusses Istio, an open source service mesh that provides traffic management, resilience, and security for microservices applications. It begins with an overview of microservices and common challenges in managing microservices applications. It then introduces Istio and its components that address these challenges, such as intelligent routing, policy enforcement, and telemetry collection. Specific Istio features like traffic control, splitting, and mirroring are demonstrated. Finally, it provides instructions for getting started with Istio and links for additional information.
3. MICROSERVICES
▸Decomposing an application into single function modules
which are independently deployed and operated
▸Accelerate delivery by minimizing communication and
coordination between people
8. COMMON DEVOPS CHALLENGE 1
▸How do I roll out a newer version of my microservice
without down time?
▸How do I ensure traffic continue to go to the current
version before the newer version is tested and ready?
9. COMMON DEVOPS CHALLENGE 2
▸How do I do canary testing?
▸I want to leverage crowdsourced testing. How do I test the
new version with a subset of users?
▸How do I proceed to a full rollout after satisfactory testing
of the new version?
10. COMMON DEVOPS CHALLENGE 3
▸How do I do A/B testing?
• Release a new version to a subset of users in a precise
way
▸I have launched B in the dark, but how can I keep B to
myself or a small testing group?
11. OTHER COMMON DEVOPS CHALLENGES
4. Things don’t always go correctly in production... How do I
inject fault to my microservices to prepare myself?
5. My services can only handle certain rate, how can I limit
rate for some of my services?
6. I need to view and monitor what is going on with each of
my services when crisis arises.
7. How can I secure my services .
16. ISTIO
Launched in May 2017
by Google, Lyft and IBM
A service mesh designed to
connect, manage and secure micro services
17. ISTIO
Open Source
Launched in May 2017
by Google, Lyft and IBM
A service mesh designed to
connect, manage and secure micro services
18. ISTIO
Open Source
Zero Code Changes
Launched in May 2017
by Google, Lyft and IBM
A service mesh designed to
connect, manage and secure micro services
20. INTELLIGENT ROUTING AND LOAD BALANCING
‣ Conduct traffic between services
with dynamic route configuration
‣ A/B tests
‣ Canary releases
‣ Gradually upgrade versions
Red/Black deployments
21. RESILIENCE ACROSS LANGUAGES AND PLATFORMS
‣ Increase reliability by shielding
applications from flaky networks
and cascading failures in adverse
conditions
22. FLEET-WIDE POLICY ENFORCEMENT
‣ Apply organizational policy to the
interaction between services
‣ Ensure access policies are
enforced
‣ Make sure resources are fairly
distributed among consumers.
23. IN-DEPTH TELEMETRY AND REPORTING
‣ Understand the dependencies
between services, the nature and
flow of traffic between them, and
quickly identify issues with
distributed tracing.
26. COMPONENTS OF ISTIO
‣ Envoy
proxy, to mediate all inbound and outbound traffic for all
services in the service mesh.
‣ Pilot
Programming envoys and responsible for service discovery,
registration and load balancing
‣ Citadel
provides strong service-to-service and end-user authentication
using mutual TLS, with built-in identity and credential
management
‣ Mixer
Responsible for enforcing access control and usage policies and
collecting telemetry data
27. ISTIO
▸Operates at Layer 7 , which is the “service” or “RPC” layer
of your network application
▸A rich set of attributes to base policy decisions on, so
policies can be applied based on virtual host, URL, or
other HTTP headers
▸Flexibility in processing
▸Allows it to be distributed
▸Istio Proxy is implemented inside the pod, as a Envoy
sidecar container in the same network namespace
29. TRAFFIC CONTROL
CHALLENGE 1
ROLL OUT NEW VERSION WITHOUT DOWNTIME OR CHANGING CODE
version: v2.0
env: us-prod
version: v1.5
env: us-prod
100%
0%
// A simple traffic control rule
destination:
serviceB.example.cluster.local
match:
source:
serviceA.example.cluster.local
route:
- labels:
version: v1.5
env: us-prod
weight: 100
30. TRAFFIC CONTROL
CHALLENGE 1
ROLL OUT NEW VERSION WITHOUT DOWNTIME OR CHANGING CODE
version: v2.0
env: us-prod
version: v1.5
env: us-prod
0%
0%100%
// A simple traffic control rule
destination:
serviceB.example.cluster.local
match:
source:
serviceA.example.cluster.local
route:
- labels:
version: v2.0
env: us-prod
weight: 100
33. TRAFFIC MIRRORING
version: v2.0-alpha
env: us-staging
version: v1.5
env: us-prod100%
100%
•Responses to any mirrored traffic is ignored; traffic is mirrored as “fire-and-forget”
•You’ll need to have the 0-weighted route to hint to Istio to create the proper Envoy
// A simple traffic splitting rule
destination:
serviceB.example.cluster.local
match:
source:
serviceA.example.cluster.local
route:
- labels:
version: v1.5
env: us-prod
weight: 100
- labels:
version: v2.0-alpha
env: us-staging
weight: 0
mirror:
name: httpbin
labels:
version: v2.0-alpha
env: us-staging
CHALLENGE 4
THINGS DON’T ALWAYS GO CORRECTLY IN PRODUCTION...
38. TELEMETRY
‣ Monitoring & tracing should
not be an afterthought in the
infrastructure
‣ Goals
‣ Metrics without instrumenting apps
‣ Consistent metrics across fleet
‣ Trace flow of requests across
services
‣ Portable across metric backend
providers
CHALLENGE 6
I NEED TO VIEW WHAT IS GOING ON WHEN CRISIS ARISES
39. SECURITY
CHALLENGE 7
HOW CAN I SECURE MY SERVICES?
‣ Authentication
‣ Transport authentication, also
known as service-to-service
authentication
‣ Origin authentication, also
known as end-user
authentication
‣ Authorization
‣ Based on RBAC
‣ Namespace-level, service-level
and method-level access control
for services
40. USING ISTIO IN CONCERT WITH CALICO
▸ Policy operates at Layer 7 , which is the
“service” or “RPC” layer of your network
application.
▸ A rich set of attributes to base policy
decisions on, so policies can be applied
based on virtual host, URL, or other HTTP
headers.
▸ Flexibility in processing.
▸ Allows it to be distributed
▸ Istio Proxy is implemented inside the pod, as
a Envoy sidecar container in the same
network namespace.
▸ Operates at Layer 3, which is the network
layer
▸ Has the advantage of being universal (DNS,
SQL, real-time streaming, …)
▸ Can extend beyond the service mesh
(including to bare metal or VM endpoints not
under the control of Kubernetes).
▸ Calico’s policy is enforced at the host node,
outside the network namespace of the guest
pods.
▸ Based on iptables, which are packet filters
implemented in the standard Linux kernel, it
is extremely fast.
41. USING ISTIO IN CONCERT WITH CALICO
“RPC” — L7 Layer “Network” — L3-4
Userspace Implementation Kernel
Pod Enforcement Point Node
Ideal for applying policy in support of
operational goals, like service routing,
retries, circuit-breaking, etc
Strengths
Universal, highly efficient, and
isolated from the pods, making it ideal
for applying policy in support of
security goals
42. ADDRESSING DEVOPS CHALLENGES
# CHALLENGE ISTIO SOLUTION
CHALLENGE 1 ROLL OUT NEW VERSION WITHOUT DOWNTIME
OR CHANGING CODE TRAFFIC CONTROL
CHALLENGE 2 HOW TO DO CANARY TESTING TRAFFIC SPLITTING
CHALLENGE 3 HOW TO DO A/B TESTING TRAFFIC STEERNIG
CHALLENGE 4 THINGS DON’T ALWAYS GO CORRECTLY IN
PRODUCTION...
TRAFFIC MIRRORING
RESILIENCY
RESILIENCY TESTING
CHALLENGE5 HOW CAN I LIMIT RATE FOR SOME OF MY
SERVICES? RATE LIMITING
CHALLENGE 6 I NEED TO VIEW AND MONITOR WHAT IS GOING ON
WHEN CRISIS ARISES
TELEMETRY
CHALLENGE 7 HOW CAN I SECURE MY SERVICES? AUTHENTICATION
AUTHORIZATION
CALICO
45. COMMUNITY PARTNERS
‣ Vmware
‣ RedHat
‣ Microsoft
‣ Tigera
‣ Cisco
‣ Pivotal
‣ Weave works
‣ Datawire
‣ Scytale (SPIFEE)
‣ And more…
46. USEFUL LINKS
‣ Web istio.io
‣ Twitter: @Istiomesh
‣ Istio 101: https://github.com/IBM/istio101
‣ Traffic management using Istio: https://ibm.co/2F7xSnf
‣ Resiliency and fault-tolerance using Istio: https://bit.ly/2qStF2B
‣ Reliable application roll out and operations using Istio:
https://bit.ly/2K9IRQX
47. SOME DOCS
IBM Cloud Private
for Dummies
http://ibm.biz/BdZedY
Cloud Adoption and
Transformation Consultancy
http://ibm.biz/BdYFCx
The de facto guide to improving your
enterprise with the cloud, created
by distinguished members of our
Solution Engineering team
http://ibm.biz/playbook
Deploying and Operating Production
Applications on Kubernetes in Hybrid
Cloud Environments
http://ibm.biz/k8sintheenterprise
50. DEMO – BOOKINFO APP
The Bookinfo application is broken into four separate microservices:
• productpage. The productpage microservice calls the details and reviews microservices to populate the page.
• details. The details microservice contains book information.
• reviews. The reviews microservice contains book reviews. It also calls the ratings microservice.
• ratings. The ratings microservice contains book ranking information that accompanies a book review.
There are 3 versions of the reviews microservice:
• Version v1 doesn’t call the ratings service.
• Version v2 calls the ratings service, and displays each rating as 1 to 5 black stars.
• Version v3 calls the ratings service, and displays each rating as 1 to 5 red stars.