Do you need a Service Mesh? @mt165pro
Istio: An Introduction
Matt Turner
@mt165
mt165.co.uk
DevSecOps London
January 2019
Istio: an introduction @mt165
Objectives
Learn how a packet traverses an Istio/Envoy/Kubernetes system
See how the control plane is involved in that process
Build a useful mental model for reasoning about and debugging Istio
Prerequisites
Basic networking knowledge
Intermediate Kubernetes knowledge
An understanding of what Istio is and does
[Diagram: Service A behind an Ingress]
[Diagram: Service A on its own]
[Diagram: Service A with an Envoy sidecar (SvcA) in front of it]
“Containers”
[Diagram: a container named nginx running the nginx and supervisord processes, with mnt, uts, pid, user, ipc and net namespaces]
Kubernetes Pods
[Diagram: a pod with two containers, nginx (nginx, supervisord) and logger (fluentd); each container has its own mnt and uts namespaces, while pid, user, ipc and net are pod-level]
[Diagram: the same pod; its net namespace holds eth0 with address 192.168.0.42, lo, the sockets, the iptables rules and the routes]
[Diagram: the same pod; nginx now has a socket listening on :8080/tcp in the pod's net namespace]
[Diagram: the same pod, with the logger container replaced by a proxy container running envoy; nginx still listens on :8080/tcp]
Sidecar Injection
[Diagram: the pod's pid, user, ipc and net namespaces (eth0 192.168.0.42, lo, sockets, iptables, routes) before any application container has started]
[Diagram: the same namespaces; an init container (alpine) runs in them and executes the command below before the application starts]
sysctl -w kernel.core_pattern=...
[Diagram: the same namespaces; Istio's init container (istio/proxy_init) runs in them and executes the command below, which writes the iptables rules into the pod's net namespace]
/usr/local/bin/prepare_proxy.sh -p 15001 -u 1337
[Diagram: the injected pod: an nginx container (nginx) and an istio/proxy container (envoy), each with its own mnt and uts namespaces; pid, user, ipc and net are pod-level, and Envoy listens on :15001/tcp in the net namespace]
[Diagram: Service A with its Envoy sidecar (SvcA)]
[Diagram: Service A with its Envoy sidecar; where does Envoy send the traffic? (? ? ?)]
Services
$ kubectl get service -o wide service-b
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service-b ClusterIP 10.98.84.169 <none> 80/TCP 90s app=service-b
Service DNS exposure
$ dig service-b.default.svc.cluster.local.
;; ANSWER SECTION:
service-b.default.svc.cluster.local. 5 IN A 10.98.84.169
Pods
$ kubectl get pods -o wide | grep service-b
service-b-644856485c-4rk88 1/1 Running 0 7m46s 10.32.0.4 kind-1-control-plane <none>
service-b-644856485c-dc2zv 1/1 Running 0 7m46s 10.32.0.6 kind-1-control-plane <none>
service-b-644856485c-gr75k 1/1 Running 0 7m46s 10.32.0.5 kind-1-control-plane <none>
Endpoints
$ kubectl get endpoints service-b
NAME ENDPOINTS AGE
service-b 10.32.0.4:8080,10.32.0.5:8080,10.32.0.6:8080 8m55s
Endpoints
$ kubectl get endpoints service-b -o yaml
...
subsets:
- addresses:
  - ip: 10.32.0.4
    nodeName: kind-1-control-plane
    targetRef:
      kind: Pod
      …
  ports:
  - name: http
    port: 8080
    protocol: TCP
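The Service, DNS, Pods and Endpoints slides above, together with the proxy_init slide before them, describe the whole path a request takes from an application process to a Service B pod. The Python script below is an added example and is not code from the talk or from Istio: it loads constructed copies of the Service and Endpoints objects (in the JSON shape `kubectl get ... -o json` prints, using the values from the slides), joins them the way Pilot does when it turns Endpoints into a backend list for Envoy, and models the effect of `prepare_proxy.sh -p 15001 -u 1337` as a plain function rather than real iptables rules. The Service's targetPort 8080, the application UID 1000, the extra not-Ready address 10.32.0.7 and all function names are assumptions made for the example.

```python
"""Packet's-eye model of the slides: sidecar redirect, then Service -> Endpoints.
Added example, not code from the talk or from Istio. redirect_port() models the
iptables rules that istio/proxy_init installs; build_cluster() models Pilot's join
of a Service with its Endpoints. Sample objects are constructed from the slides."""
import json

PROXY_PORT = 15001  # -p 15001 on the proxy_init slide: the port Envoy listens on
PROXY_UID = 1337    # -u 1337: the UID Envoy runs as, exempt from redirection
APP_UID = 1000      # assumption: a non-proxy UID the application runs as

# Constructed Service, mirroring `kubectl get service -o wide service-b`.
# targetPort 8080 is an assumption; the slides only show the Endpoints on 8080.
SERVICE_JSON = """{
  "kind": "Service",
  "metadata": {"name": "service-b", "namespace": "default"},
  "spec": {"type": "ClusterIP", "clusterIP": "10.98.84.169",
           "selector": {"app": "service-b"},
           "ports": [{"name": "http", "port": 80, "targetPort": 8080, "protocol": "TCP"}]}
}"""

# Constructed Endpoints, mirroring `kubectl get endpoints service-b -o yaml`.
# The notReadyAddresses entry (10.32.0.7) is invented to show the failure mode:
# a pod that is not Ready is listed here but must never receive traffic.
ENDPOINTS_JSON = """{
  "kind": "Endpoints",
  "metadata": {"name": "service-b", "namespace": "default"},
  "subsets": [{
    "addresses": [
      {"ip": "10.32.0.4", "targetRef": {"kind": "Pod", "name": "service-b-644856485c-4rk88"}},
      {"ip": "10.32.0.6", "targetRef": {"kind": "Pod", "name": "service-b-644856485c-dc2zv"}},
      {"ip": "10.32.0.5", "targetRef": {"kind": "Pod", "name": "service-b-644856485c-gr75k"}}],
    "notReadyAddresses": [{"ip": "10.32.0.7", "targetRef": {"kind": "Pod", "name": "service-b-notready"}}],
    "ports": [{"name": "http", "port": 8080, "protocol": "TCP"}]
  }]
}"""


def load_objects():
    """Parse the constructed Service and Endpoints objects."""
    return json.loads(SERVICE_JSON), json.loads(ENDPOINTS_JSON)


def redirect_port(direction, uid, dst_port):
    """Simplified model of the proxy_init iptables rules (an assumption, not the script).
    Returns the local port a connection is delivered to inside the pod's net namespace:
    outbound connections from every UID except Envoy's go to 15001, so Envoy's own
    upstream connections are not looped back into Envoy; inbound ones always go to 15001."""
    if direction == "outbound":
        return dst_port if uid == PROXY_UID else PROXY_PORT
    if direction == "inbound":
        return PROXY_PORT
    raise ValueError(f"unknown direction {direction!r}")


def service_dns_name(svc):
    """The name `dig` resolved on the DNS slide: <name>.<namespace>.svc.cluster.local."""
    meta = svc["metadata"]
    return f'{meta["name"]}.{meta["namespace"]}.svc.cluster.local'


def endpoint_addresses(eps):
    """Flatten Ready addresses to (ip, port, port_name); notReadyAddresses are skipped."""
    out = []
    for subset in eps.get("subsets", []):
        for port in subset.get("ports", []):
            for addr in subset.get("addresses", []):
                out.append((addr["ip"], port["port"], port.get("name")))
    return out


def endpoints_summary(eps):
    """The ENDPOINTS column of `kubectl get endpoints`: sorted ip:port list."""
    return ",".join(sorted(f"{ip}:{port}" for ip, port, _ in endpoint_addresses(eps)))


def build_cluster(svc, eps):
    """Join Service ports to Endpoints ports by name: one backend list per service port."""
    by_port_name = {}
    for ip, port, name in endpoint_addresses(eps):
        by_port_name.setdefault(name, []).append(f"{ip}:{port}")
    listeners = {p["port"]: sorted(by_port_name.get(p.get("name"), []))
                 for p in svc["spec"]["ports"]}
    return {"name": service_dns_name(svc), "vip": svc["spec"]["clusterIP"], "listeners": listeners}


def pick_backend(cluster, dst_ip, dst_port, seq):
    """Round-robin choice for the seq-th connection to dst_ip:dst_port, or None if unknown."""
    if dst_ip != cluster["vip"] or not cluster["listeners"].get(dst_port):
        return None
    backends = cluster["listeners"][dst_port]
    return backends[seq % len(backends)]


def trace_request(svc, eps, seq=0):
    """Hops the seq-th request from the app to Service B takes, seen from the app's pod."""
    cluster = build_cluster(svc, eps)
    vip, port = cluster["vip"], 80
    hops = [("app", vip, port)]  # the app connects to the ClusterIP it got from DNS
    hops.append(("iptables", "127.0.0.1", redirect_port("outbound", APP_UID, port)))
    backend = pick_backend(cluster, vip, port, seq)
    if backend is None:
        return hops + [("envoy", None, None)]  # no backend: Envoy has nowhere to send it
    ip, bport = backend.rsplit(":", 1)
    return hops + [("envoy", ip, redirect_port("outbound", PROXY_UID, int(bport)))]


if __name__ == "__main__":
    svc, eps = load_objects()
    print(service_dns_name(svc), "->", svc["spec"]["clusterIP"], "|", endpoints_summary(eps))
    for i in range(4):
        print(i, trace_request(svc, eps, i))
```

Run it directly to print the hops for four successive requests. What it shows that the diagrams alone do not: the application's connection to 10.98.84.169:80 is redirected to Envoy on 15001, Envoy's own connection to the chosen pod on 8080 comes from UID 1337 and is left alone (this is why the init container takes `-u 1337`, otherwise the proxy would loop into itself), and a pod listed under notReadyAddresses never becomes a backend.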
[Diagram: Pilot, exposing the Control Plane API, pushes config to the Envoy sidecar in front of Service A]
[Diagram: Pilot reads the k8s, consul and zk service registries, exposes the Control Plane API, and pushes config to Envoys through the data plane API]
Pilot
● Ingress Routing
● Traffic Mirroring
● Traffic Shifting
● Canary Deployments
● Circuit Breaking
● Fault Injection
[Diagram: Pilot pushes config to the Envoy sidecar in front of Service A; Service B appears alongside]
[Diagram: Envoy sidecars in front of Service A and Service B; Pilot pushes config to the Envoys, and Mixer provides policy checks and telemetry]
[Diagram: each Envoy's Mixer fat client sends CHECK calls (RBAC, rate limit) and REPORT calls (prom, ES) to Mixer]
Mixer
● Check
○ ACLs / Authorization
○ Rate Limiting
● Report
○ Logs
○ Metrics
○ Tracing
[Diagram: Envoy sidecars for Service A and Service B, Pilot pushing config, Mixer doing policy checks and telemetry]
[Diagram: Citadel joins Pilot and Mixer in the control plane and issues TLS certs to the Envoys]
[Diagram: the same, with kubectl, the API Server and etcd feeding the control plane]
[Diagram: the full mesh: many Envoy sidecars plus Ingress and Egress Envoys, all configured by Pilot, Mixer and Citadel]
Recap
We learned:
● How a packet traverses an Istio/Envoy/Kubernetes system
● What control plane calls are made in that process
● A useful mental model for reasoning about and debugging Istio
Do you need a Service Mesh? @mt165pro
Thanks!
@mt165

Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, January 2019)
