Kubernetes Networking and Istio Apurva Bhandari $whoami SRE / - - PowerPoint PPT Presentation

kubernetes networking and istio
SMART_READER_LITE
LIVE PREVIEW

Kubernetes Networking and Istio Apurva Bhandari $whoami SRE / - - PowerPoint PPT Presentation

Jul 06, 2023 1.81k likes •2.17k views

Kubernetes Networking and Istio Apurva Bhandari $whoami SRE / DevOps Docker & Kubernetes Enthusiast Speaker at Meetups Email: apurvbhandari@gmail.com LinkedIn: https://www.linkedin.com/in/apurvabhandari-linux GitHub:

slide-1
SLIDE 1

Apurva Bhandari

Kubernetes Networking and Istio

slide-2
SLIDE 2

$whoami

Apurva Bhandari

SRE / DevOps Docker & Kubernetes Enthusiast Speaker at Meetups Email: apurvbhandari@gmail.com LinkedIn: https://www.linkedin.com/in/apurvabhandari-linux GitHub: https://github.com/apurvabhandari/Kubernetes

slide-3
SLIDE 3

Apurva Bhandari

Agenda

1. Kubernetes Networking Basic 2. Advance routing 3. Introduction to Service Mesh Istio 4. Traffic Routing by Istio 5. Networking with and without Istio

slide-4
SLIDE 4

Types of Services 1. ClusterIP (Default) 2. NodePort 3. LoadBalancer 4. ExternalName

Services

Apurva Bhandari

slide-5
SLIDE 5

apiVersion: v1 kind: Service metadata: name: example-prod spec: selector: app: nginx env: prod ports:

  • protocol: TCP

port: 80 targetPort: 80 type: ClusterIP

  • a. ClusterIP

Apurva Bhandari

Host A

Pod Labels:

env: prod app: nginx

kube-proxy

Host B

Pod Labels:

env: prod app: nginx

kube-proxy

P O D N E T W O R K

slide-6
SLIDE 6

apiVersion: v1 kind: Service metadata: name: nginx namespace: default spec: ports:

  • port: 80

protocol: TCP targetPort: 80 nodePort: 30001 selector: run: nginx type: NodePort

  • b. NodePort

Apurva Bhandari

Host A

Pod Labels:

env: prod app: nginx

kube-proxy

Host B

Pod Labels:

env: prod app: nginx

kube-proxy

Access

port 30001

slide-7
SLIDE 7

apiVersion: v1 kind: Service metadata: name: tomcat namespace: default spec: ports:

  • name: healthz

nodePort: 31768 port: 8080 protocol: TCP targetPort: 8080 selector: run: tomcat type: LoadBalancer

  • c. LoadBalancer

Apurva Bhandari

Host A

Pod Labels:

env: prod app: nginx

kube-proxy

Host B

Pod Labels:

env: prod app: nginx

kube-proxy Load Balancer

port 30001

Access

slide-8
SLIDE 8

apiVersion: v1 kind: Service metadata: name: my-service namespace: prod spec: type: ExternalName externalName: my.database.example.com

  • d. ExternalName

Apurva Bhandari

slide-9
SLIDE 9

User space proxy mode iptables proxy mode IPVS proxy mode

slide-10
SLIDE 10
slide-11
SLIDE 11
slide-12
SLIDE 12

Introduction to Service Mesh - Istio

slide-13
SLIDE 13

Understand the dependencies between services, the nature and fmow of traffjc between them, and quickly identify issues with distributed tracing Transparently inject mutual TLS on each call, securing and encrypting traffjc. Apply organizational policy to the interaction between services, ensure access policies are enforced and resources are fairly distributed among consumers. Increase reliability by shielding applications from fmaky networks and cascading failures in adverse conditions. Timeouts, retries, health checks and circuit breakers -- all applied regardless of language, across the fmeet.

Intelligent routing Resilience Security & policy

Control traffjc between services with dynamic route confjguration, conduct A/B tests, release canaries, and gradually upgrade versions using red/black deployments.

Secure, monitor and manage services

Telemetry

slide-14
SLIDE 14

Securing service communications Uniform service-level

  • bservability

Traffjc management and operational agility

Monitor the “golden signals” (traffjc, error rates and latency) for all services, and collect logs on all calls. Use distributed tracing for in-depth pergormance analysis. Service dependency graphs make it easy to debug and to understand latency and hotspots. Strongly authenticate services (not hosts) across heterogeneous deployment environments. Limit access of sensitive data to authorized services without relying

  • n L3 controls. Understand security

posture of production environment through service dependency graphs. Send inter-cluster and inter- environment without manually provisioning ingress, egress, edge layers or hardware LBs. Change service behavior and traffjc fmow without redeploying or change of

  • code. Control which services can talk

to whom via policy and routing rules.

Istio Value Proposition

slide-15
SLIDE 15

Uniform

  • bservability

Collect the golden signals for every service and logs for every call. Understand services and their dependencies. Set, monitor and enforce SLOs on services Bird’s eye view of service behavior for issue triage, reduce time to detect, triage

slide-16
SLIDE 16

Operational agility

Scale by directing traffic to multiple versions Roll out new versions without worrying about

  • ps challenges

Apply access control, rate limiting policies to protect services from bad behavior

Service A Service B’ Service B Service B Service B

Canary 95% 5%

Service A Service B’ Service B Service B Service B

Canary User-agent Android User-agent Apple

slide-17
SLIDE 17

Policy driven security

Enable mTLS for authentication and encryption. Authorize access based on service identity or any channel aturibute. Confjgure fjner grained RPC-level access control for REST and gRPC. Defence in depth - security does not stop at the edge.

slide-18
SLIDE 18

Networking proxy types

  • Middle Proxy
  • Edge Proxy
  • Embedded Client Library
  • Client Side / Sidecar Proxy
  • Client Side Load Balancing, no SPoF
  • Traditional Load Balancer is Layer 4
  • Lightweight sidecars to manage traffjc

between services

  • Scaling capabilities + polyglot aspect
  • Sidecars can do much more than just load

balancing!

slide-19
SLIDE 19

The magic of the sidecar!

  • Deployed with every

workload

  • Proxies all traffjc into

and out of a service

  • Directs traffjc (including

routing rules)

  • Enforces policy
  • Reporus telemetry
  • All with no embedded

client library Listeners Routes Clusters Endpoints what Envoy listens for where traffic can be sent how to send traffic hosts able to receive traffic

slide-20
SLIDE 20
  • A C++ based L4/L7 proxy
  • Lightweight, low memory footprint
  • Batule-tested @ Lyfu

○ 100+ services ○ 10,000+ VMs ○ 2M req/s Goodies:

  • HTTP/2 & gRPC
  • Zone-aware load balancing w/ failover
  • Health checks, circuit breakers, timeouts, retry

budgets

  • No hot reloads - API driven confjg updates

Istio’s contributions:

  • Transparent proxying w/ SO_ORIGINAL_DST
  • Traffjc routing and splituing
  • Request tracing using Zipkin
  • Fault injection

Envoy

slide-21
SLIDE 21

Architectural components

  • Envoy: Network proxy to intercept

communication and apply policies.

  • Pilot: Control plane to confjgure and push

service communication policies

  • Mixer: Policy enforcement with a fmexible

plugin model for providers for a policy.

  • Istio Auth: Service-to-service auth[n,z] using

mutual TLS, with built-in identity and credential management.

Control Plane API Mixer

Service A Service B proxy proxy

Pilot Citadel

Config data to Envoys TLS certs to Envoys Policy checks, telemetry

slide-22
SLIDE 22
slide-23
SLIDE 23

Mesh Boundary Service A Service B

Mesh proxy Mesh proxy

Ingress gateway Egress gateway Public Internet External Service

Via egress gateway Directly via sidecar

slide-24
SLIDE 24

Public Internet Ingress Gateway Host www.myapp.com Poru 80 TLS Cerus Gateway Host www.myapp.com Rewrite URL Goto service B, subset v1 ViruualService Host service B Subset v1 (prod), v2 (canary) TLS setuings Circuit breaker LoadBalancer setuings DestinationRule Service B Deployment version: production Service B Deployment version: canary Service A

slide-25
SLIDE 25
slide-26
SLIDE 26
slide-27
SLIDE 27

Traffic Management

  • Application rollout (in percentage distribution)
  • Traffic steering (content based)
  • Resiliency
  • Efficiency
slide-28
SLIDE 28

Thank You