SlideShare une entreprise Scribd logo

How to Make Istio Work with Your App

S
StackRox

This document discusses how to make Istio work with applications and provides best practices for long-term success. It introduces service mesh concepts and Istio, discusses when to adopt Istio, describes common issues and solutions when using Istio, and recommends strategies like version controlling Istio configs and providing feedback to the Istio community.

Technologie
1  sur  12
Télécharger pour lire hors ligne
How to Make IstioWork withYour App Karen Bruner
2©2019 StackRox. All rights reserved. Overview 1. Quick intro to Istio and Service Mesh concepts 2. Deciding to adopt Istio 3. Debugging issues with Istio routing 4. Common problems (and solutions) with Istio 5. Strategies and practices for long-term success
3©2019 StackRox. All rights reserved. Overview of the Istio Service Mesh • What is a service mesh? • Infrastructure layer dedicated to managing service-to-service communications • Istio • Background • Built on Lyft’s Envoy proxy • Joint project by Google, IBM, and Lyft • Features and capabilities • Security: zero-trust model, mTLS, authentication, authorization • Service routing: load balancing, HTTP request routing, A/B testing, throttling, deployment canaries, traffic shifting, traffic mirroring, fault injection • Visibility: detailed connection and request logging, request tracing • Multi-cluster mesh
4©2019 StackRox. All rights reserved. Istio Architecture
5©2019 StackRox. All rights reserved. Do you need Istio? • Driving factors • Security • Microservice visibility • Intelligent request routing • Counterarguments • Steep learning curve • Operational complexity • Other considerations • Istio’s tools and performance keep improving with each release • Adoption of most individual features and security restrictions can be turned on later
6©2019 StackRox. All rights reserved. Istio Debugging andTroubleshooting • Network connection logging • istio-proxy sidecar container logs • Log-level can be set globally or on-the-fly per pod • curl -s -XPOST http://localhost:15000/logging?level=debug • Mixer telemetry container logs (may change with Istio v1.4+) • kubectl logs -l app=telemetry -n istio-system -c mixer • Configuration propagation • Pilot logs • kubectl logs -l app=pilot -n istio-system -c discovery • istioctl • CLI • Interface for various Istio Control Plane services • Growing set of troubleshooting tools
7©2019 StackRox. All rights reserved. istioctl
8©2019 StackRox. All rights reserved. Common Application Issues Use case / Issue Best Solution Workarounds Proxy start-up latency Application should retry network connections Wrap your container command: ... spec: template: spec: containers: - name: my-app args: - 'while ! wget -q -O - http://localhost:15000/server_info | grep ''"state": "LIVE"''; do echo Waiting for proxy; done; echo Istio-proxy ready; exec /entrypoint' command: - /bin/sh - -c
9©2019 StackRox. All rights reserved. Use case / Issue Best Solution Workarounds Kubernetes liveness/readiness probes and mTLS ● Use a separate port on the application container for health checks ● Exec check ● Global (for all Istio-managed services): Pass the --set values.sidecarInjectorWebhook.rewriteAppHTTP Probe=true option to helm ● Per deployment: add sidecar.istio.io/rewriteAppHTTPProbers: "true" annotation to the pod spec Mixed-protocol ports Use a different application container port for each protocol type Add a small proxy to the pod to handle one protocol Non-TCP protocols Use Kubernetes Network Policies to control service ingress and egress for UDP and SCTP
10©2019 StackRox. All rights reserved. Use case / Issue Best Solution Workarounds Pod Security Policies or Contexts breaking istio-init container Use istio CNI to handle iptables rules outside application pods Services with their ownTLS certs ● Use your own CA in Citadel ● Convert application to use Istio auth Set mTLS mode to PERMISSIVE (could be security issue) Headless services ● Internal traffic: Add an Istio ServiceEntry resource per pod in the StatefulSet (cassandra-0, cassandra-1, etc) ● Traffic from outside mesh: Add Istio VirtualService entry per pod
11©2019 StackRox. All rights reserved. Long-term Strategies for Success with Istio • Keep Istio resource manifests with all other Kubernetes manifests for an application • Version controlled • Apply identical configs in pre-production environments as production • Create internal “library” of Istio resource manifest templates for different application types • Leverage the metrics and details Istio collects to show value and drive stack improvements • Suggest improvements to Istio • Open a feature request on GitHub • Join the Istio Slack channel
12©2019 StackRox. All rights reserved. Me + More • More Istio information at https://www.stackrox.com/post/ • Me: Karen Bruner • Personal tech blog: https://nightmare-before-devops.xyz/ • LinkedIn: https://www.linkedin.com/in/kmbruner • My cats:

Recommandé

Istio service mesh introduction
Istio service mesh introductionIstio service mesh introduction
Istio service mesh introductionKyohei Mizumoto
 
Introduction to Istio on Kubernetes
Introduction to Istio on KubernetesIntroduction to Istio on Kubernetes
Introduction to Istio on KubernetesJonh Wendell
 
Getting the Most Value from Your Aviatrix Controller & Gateways
Getting the Most Value from Your Aviatrix Controller & GatewaysGetting the Most Value from Your Aviatrix Controller & Gateways
Getting the Most Value from Your Aviatrix Controller & GatewaysKhash Nakhostin
 
MicroProfile as the Istio Programming Model | Virtual Eclipse Community Meetup
MicroProfile as the Istio Programming Model | Virtual Eclipse Community Meetup MicroProfile as the Istio Programming Model | Virtual Eclipse Community Meetup
MicroProfile as the Istio Programming Model | Virtual Eclipse Community Meetup Stephanie Swart
 
Securing Microservices with Istio
Securing Microservices with IstioSecuring Microservices with Istio
Securing Microservices with IstioDaniel Berg
 
Istio
IstioIstio
IstioMichael Frembs
 
Five Connectivity and Security Use Cases for Azure VNets
Five Connectivity and Security Use Cases for Azure VNetsFive Connectivity and Security Use Cases for Azure VNets
Five Connectivity and Security Use Cases for Azure VNetsKhash Nakhostin
 
Network Troubleshooting in the Cloud: Tools, Techniques and Gotchas
Network Troubleshooting in the Cloud: Tools, Techniques and GotchasNetwork Troubleshooting in the Cloud: Tools, Techniques and Gotchas
Network Troubleshooting in the Cloud: Tools, Techniques and GotchasKhash Nakhostin
 

Recommandé

Istio service mesh introduction
Istio service mesh introductionIstio service mesh introduction
Istio service mesh introductionKyohei Mizumoto
 
Introduction to Istio on Kubernetes
Introduction to Istio on KubernetesIntroduction to Istio on Kubernetes
Introduction to Istio on KubernetesJonh Wendell
 
Getting the Most Value from Your Aviatrix Controller & Gateways
Getting the Most Value from Your Aviatrix Controller & GatewaysGetting the Most Value from Your Aviatrix Controller & Gateways
Getting the Most Value from Your Aviatrix Controller & GatewaysKhash Nakhostin
 
MicroProfile as the Istio Programming Model | Virtual Eclipse Community Meetup
MicroProfile as the Istio Programming Model | Virtual Eclipse Community Meetup MicroProfile as the Istio Programming Model | Virtual Eclipse Community Meetup
MicroProfile as the Istio Programming Model | Virtual Eclipse Community Meetup Stephanie Swart
 
Securing Microservices with Istio
Securing Microservices with IstioSecuring Microservices with Istio
Securing Microservices with IstioDaniel Berg
 
Istio
IstioIstio
IstioMichael Frembs
 
Five Connectivity and Security Use Cases for Azure VNets
Five Connectivity and Security Use Cases for Azure VNetsFive Connectivity and Security Use Cases for Azure VNets
Five Connectivity and Security Use Cases for Azure VNetsKhash Nakhostin
 
Network Troubleshooting in the Cloud: Tools, Techniques and Gotchas
Network Troubleshooting in the Cloud: Tools, Techniques and GotchasNetwork Troubleshooting in the Cloud: Tools, Techniques and Gotchas
Network Troubleshooting in the Cloud: Tools, Techniques and GotchasKhash Nakhostin
 
Security Requirements and Tradeoffs for Controlling VPC-to-Internet Egress Tr...
Security Requirements and Tradeoffs for Controlling VPC-to-Internet Egress Tr...Security Requirements and Tradeoffs for Controlling VPC-to-Internet Egress Tr...
Security Requirements and Tradeoffs for Controlling VPC-to-Internet Egress Tr...Khash Nakhostin
 
Securely Connecting Your Customers to Their Cloud-Hosted App – In Minutes
Securely Connecting Your Customers to Their Cloud-Hosted App – In MinutesSecurely Connecting Your Customers to Their Cloud-Hosted App – In Minutes
Securely Connecting Your Customers to Their Cloud-Hosted App – In MinutesKhash Nakhostin
 
Three Innovations that Define a “Next-Generation Global Transit Hub”
Three Innovations that Define a “Next-Generation Global Transit Hub”Three Innovations that Define a “Next-Generation Global Transit Hub”
Three Innovations that Define a “Next-Generation Global Transit Hub”Khash Nakhostin
 
Introduction to Istio Service Mesh
Introduction to Istio Service MeshIntroduction to Istio Service Mesh
Introduction to Istio Service MeshGeorgios Andrianakis
 
Securing Your AWS Global Transit Network: Are You Asking the Right Questions?
Securing Your AWS Global Transit Network: Are You Asking the Right Questions?Securing Your AWS Global Transit Network: Are You Asking the Right Questions?
Securing Your AWS Global Transit Network: Are You Asking the Right Questions?Khash Nakhostin
 
Using Istio to Secure & Monitor Your Services
Using Istio to Secure & Monitor Your ServicesUsing Istio to Secure & Monitor Your Services
Using Istio to Secure & Monitor Your ServicesAlcide
 
What You Need to Know About Operationalizing Your AWS Transit Hub
What You Need to Know About Operationalizing Your AWS Transit HubWhat You Need to Know About Operationalizing Your AWS Transit Hub
What You Need to Know About Operationalizing Your AWS Transit HubKhash Nakhostin
 
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t Enough
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t EnoughSecure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t Enough
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t EnoughKhash Nakhostin
 
Istio - A Service Mesh for Microservices as Scale
Istio - A Service Mesh for Microservices as ScaleIstio - A Service Mesh for Microservices as Scale
Istio - A Service Mesh for Microservices as ScaleRam Vennam
 
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...apidays
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Canada
 
Microservice API Gateways with NGINX
Microservice API Gateways with NGINXMicroservice API Gateways with NGINX
Microservice API Gateways with NGINXGeoffrey Filippi
 
Control Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXControl Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXNGINX, Inc.
 
API Gateway Use Cases​ for Kubernetes​
API Gateway Use Cases​ for Kubernetes​API Gateway Use Cases​ for Kubernetes​
API Gateway Use Cases​ for Kubernetes​NGINX, Inc.
 
Fundamentals of microservices
Fundamentals of microservicesFundamentals of microservices
Fundamentals of microservicesNGINX, Inc.
 
Production-Grade Kubernetes With NGINX Ingress Controller
Production-Grade Kubernetes With NGINX Ingress ControllerProduction-Grade Kubernetes With NGINX Ingress Controller
Production-Grade Kubernetes With NGINX Ingress ControllerNGINX, Inc.
 
Microservices:
 The phantom menace
. Istio Service Mesh: 
the new hope
Microservices:
 The phantom menace
. Istio Service Mesh: 
the new hopeMicroservices:
 The phantom menace
. Istio Service Mesh: 
the new hope
Microservices:
 The phantom menace
. Istio Service Mesh: 
the new hopeSergii Bishyr
 
D3SF17- Boost Your Website Performance with Application Delivery Rules
D3SF17- Boost Your Website Performance with Application Delivery RulesD3SF17- Boost Your Website Performance with Application Delivery Rules
D3SF17- Boost Your Website Performance with Application Delivery RulesImperva Incapsula
 
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Connect Toronto 2017 - Security Through The Eyes of a HackerCisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Connect Toronto 2017 - Security Through The Eyes of a HackerCisco Canada
 
NGINX Controller: Configuration, Management, and Troubleshooting at Scale
NGINX Controller: Configuration, Management, and Troubleshooting at Scale NGINX Controller: Configuration, Management, and Troubleshooting at Scale
NGINX Controller: Configuration, Management, and Troubleshooting at Scale NGINX, Inc.
 
Istio Triangle Kubernetes Meetup Aug 2019
Istio Triangle Kubernetes Meetup Aug 2019Istio Triangle Kubernetes Meetup Aug 2019
Istio Triangle Kubernetes Meetup Aug 2019Ram Vennam
 
Do You Need A Service Mesh?
Do You Need A Service Mesh?Do You Need A Service Mesh?
Do You Need A Service Mesh?NGINX, Inc.
 

Contenu connexe

Tendances

Security Requirements and Tradeoffs for Controlling VPC-to-Internet Egress Tr...
Security Requirements and Tradeoffs for Controlling VPC-to-Internet Egress Tr...Security Requirements and Tradeoffs for Controlling VPC-to-Internet Egress Tr...
Security Requirements and Tradeoffs for Controlling VPC-to-Internet Egress Tr...Khash Nakhostin
 
Securely Connecting Your Customers to Their Cloud-Hosted App – In Minutes
Securely Connecting Your Customers to Their Cloud-Hosted App – In MinutesSecurely Connecting Your Customers to Their Cloud-Hosted App – In Minutes
Securely Connecting Your Customers to Their Cloud-Hosted App – In MinutesKhash Nakhostin
 
Three Innovations that Define a “Next-Generation Global Transit Hub”
Three Innovations that Define a “Next-Generation Global Transit Hub”Three Innovations that Define a “Next-Generation Global Transit Hub”
Three Innovations that Define a “Next-Generation Global Transit Hub”Khash Nakhostin
 
Introduction to Istio Service Mesh
Introduction to Istio Service MeshIntroduction to Istio Service Mesh
Introduction to Istio Service MeshGeorgios Andrianakis
 
Securing Your AWS Global Transit Network: Are You Asking the Right Questions?
Securing Your AWS Global Transit Network: Are You Asking the Right Questions?Securing Your AWS Global Transit Network: Are You Asking the Right Questions?
Securing Your AWS Global Transit Network: Are You Asking the Right Questions?Khash Nakhostin
 
Using Istio to Secure & Monitor Your Services
Using Istio to Secure & Monitor Your ServicesUsing Istio to Secure & Monitor Your Services
Using Istio to Secure & Monitor Your ServicesAlcide
 
What You Need to Know About Operationalizing Your AWS Transit Hub
What You Need to Know About Operationalizing Your AWS Transit HubWhat You Need to Know About Operationalizing Your AWS Transit Hub
What You Need to Know About Operationalizing Your AWS Transit HubKhash Nakhostin
 
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t Enough
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t EnoughSecure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t Enough
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t EnoughKhash Nakhostin
 
Istio - A Service Mesh for Microservices as Scale
Istio - A Service Mesh for Microservices as ScaleIstio - A Service Mesh for Microservices as Scale
Istio - A Service Mesh for Microservices as ScaleRam Vennam
 
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...apidays
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Canada
 
Microservice API Gateways with NGINX
Microservice API Gateways with NGINXMicroservice API Gateways with NGINX
Microservice API Gateways with NGINXGeoffrey Filippi
 
Control Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXControl Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXNGINX, Inc.
 
API Gateway Use Cases​ for Kubernetes​
API Gateway Use Cases​ for Kubernetes​API Gateway Use Cases​ for Kubernetes​
API Gateway Use Cases​ for Kubernetes​NGINX, Inc.
 
Fundamentals of microservices
Fundamentals of microservicesFundamentals of microservices
Fundamentals of microservicesNGINX, Inc.
 
Production-Grade Kubernetes With NGINX Ingress Controller
Production-Grade Kubernetes With NGINX Ingress ControllerProduction-Grade Kubernetes With NGINX Ingress Controller
Production-Grade Kubernetes With NGINX Ingress ControllerNGINX, Inc.
 
Microservices:
 The phantom menace
. Istio Service Mesh: 
the new hope
Microservices:
 The phantom menace
. Istio Service Mesh: 
the new hopeMicroservices:
 The phantom menace
. Istio Service Mesh: 
the new hope
Microservices:
 The phantom menace
. Istio Service Mesh: 
the new hopeSergii Bishyr
 
D3SF17- Boost Your Website Performance with Application Delivery Rules
D3SF17- Boost Your Website Performance with Application Delivery RulesD3SF17- Boost Your Website Performance with Application Delivery Rules
D3SF17- Boost Your Website Performance with Application Delivery RulesImperva Incapsula
 
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Connect Toronto 2017 - Security Through The Eyes of a HackerCisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Connect Toronto 2017 - Security Through The Eyes of a HackerCisco Canada
 
NGINX Controller: Configuration, Management, and Troubleshooting at Scale
NGINX Controller: Configuration, Management, and Troubleshooting at Scale NGINX Controller: Configuration, Management, and Troubleshooting at Scale
NGINX Controller: Configuration, Management, and Troubleshooting at Scale NGINX, Inc.
 

Tendances (20)

Security Requirements and Tradeoffs for Controlling VPC-to-Internet Egress Tr...
Security Requirements and Tradeoffs for Controlling VPC-to-Internet Egress Tr...Security Requirements and Tradeoffs for Controlling VPC-to-Internet Egress Tr...
Security Requirements and Tradeoffs for Controlling VPC-to-Internet Egress Tr...
 
Securely Connecting Your Customers to Their Cloud-Hosted App – In Minutes
Securely Connecting Your Customers to Their Cloud-Hosted App – In MinutesSecurely Connecting Your Customers to Their Cloud-Hosted App – In Minutes
Securely Connecting Your Customers to Their Cloud-Hosted App – In Minutes
 
Three Innovations that Define a “Next-Generation Global Transit Hub”
Three Innovations that Define a “Next-Generation Global Transit Hub”Three Innovations that Define a “Next-Generation Global Transit Hub”
Three Innovations that Define a “Next-Generation Global Transit Hub”
 
Introduction to Istio Service Mesh
Introduction to Istio Service MeshIntroduction to Istio Service Mesh
Introduction to Istio Service Mesh
 
Securing Your AWS Global Transit Network: Are You Asking the Right Questions?
Securing Your AWS Global Transit Network: Are You Asking the Right Questions?Securing Your AWS Global Transit Network: Are You Asking the Right Questions?
Securing Your AWS Global Transit Network: Are You Asking the Right Questions?
 
Using Istio to Secure & Monitor Your Services
Using Istio to Secure & Monitor Your ServicesUsing Istio to Secure & Monitor Your Services
Using Istio to Secure & Monitor Your Services
 
What You Need to Know About Operationalizing Your AWS Transit Hub
What You Need to Know About Operationalizing Your AWS Transit HubWhat You Need to Know About Operationalizing Your AWS Transit Hub
What You Need to Know About Operationalizing Your AWS Transit Hub
 
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t Enough
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t EnoughSecure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t Enough
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t Enough
 
Istio - A Service Mesh for Microservices as Scale
Istio - A Service Mesh for Microservices as ScaleIstio - A Service Mesh for Microservices as Scale
Istio - A Service Mesh for Microservices as Scale
 
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven Telemetry
 
Microservice API Gateways with NGINX
Microservice API Gateways with NGINXMicroservice API Gateways with NGINX
Microservice API Gateways with NGINX
 
Control Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXControl Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINX
 
API Gateway Use Cases​ for Kubernetes​
API Gateway Use Cases​ for Kubernetes​API Gateway Use Cases​ for Kubernetes​
API Gateway Use Cases​ for Kubernetes​
 
Fundamentals of microservices
Fundamentals of microservicesFundamentals of microservices
Fundamentals of microservices
 
Production-Grade Kubernetes With NGINX Ingress Controller
Production-Grade Kubernetes With NGINX Ingress ControllerProduction-Grade Kubernetes With NGINX Ingress Controller
Production-Grade Kubernetes With NGINX Ingress Controller
 
Microservices:
 The phantom menace
. Istio Service Mesh: 
the new hope
Microservices:
 The phantom menace
. Istio Service Mesh: 
the new hopeMicroservices:
 The phantom menace
. Istio Service Mesh: 
the new hope
Microservices:
 The phantom menace
. Istio Service Mesh: 
the new hope
 
D3SF17- Boost Your Website Performance with Application Delivery Rules
D3SF17- Boost Your Website Performance with Application Delivery RulesD3SF17- Boost Your Website Performance with Application Delivery Rules
D3SF17- Boost Your Website Performance with Application Delivery Rules
 
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Connect Toronto 2017 - Security Through The Eyes of a HackerCisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
 
NGINX Controller: Configuration, Management, and Troubleshooting at Scale
NGINX Controller: Configuration, Management, and Troubleshooting at Scale NGINX Controller: Configuration, Management, and Troubleshooting at Scale
NGINX Controller: Configuration, Management, and Troubleshooting at Scale
 

Similaire à How to Make Istio Work with Your App

Istio Triangle Kubernetes Meetup Aug 2019
Istio Triangle Kubernetes Meetup Aug 2019Istio Triangle Kubernetes Meetup Aug 2019
Istio Triangle Kubernetes Meetup Aug 2019Ram Vennam
 
Do You Need A Service Mesh?
Do You Need A Service Mesh?Do You Need A Service Mesh?
Do You Need A Service Mesh?NGINX, Inc.
 
Unmeshing the service mesh
Unmeshing the service meshUnmeshing the service mesh
Unmeshing the service meshCodeValue
 
Service Mesh For Beginner
Service Mesh For BeginnerService Mesh For Beginner
Service Mesh For BeginnerMien Dinh
 
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...Weaveworks
 
Istio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxyIstio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxyLee Calcote
 
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18CodeOps Technologies LLP
 
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...WSO2
 
Microservices and APIs
Microservices and APIsMicroservices and APIs
Microservices and APIsPuneet Sachdev
 
Service Mesh on Kubernetes with Istio
Service Mesh on Kubernetes with IstioService Mesh on Kubernetes with Istio
Service Mesh on Kubernetes with IstioMichelle Holley
 
ISTIO Deep Dive
ISTIO Deep DiveISTIO Deep Dive
ISTIO Deep DiveYong Feng
 
The Current And Future State Of Service Mesh
The Current And Future State Of Service MeshThe Current And Future State Of Service Mesh
The Current And Future State Of Service MeshRam Vennam
 
Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)Codemotion
 
FIWARE Global Summit - Building Production Grade IoT Platform Leveraging FIWARE
FIWARE Global Summit - Building Production Grade IoT Platform Leveraging FIWAREFIWARE Global Summit - Building Production Grade IoT Platform Leveraging FIWARE
FIWARE Global Summit - Building Production Grade IoT Platform Leveraging FIWAREFIWARE
 
Micro profile and istio
Micro profile and istioMicro profile and istio
Micro profile and istioEmily Jiang
 
21st Docker Switzerland Meetup - ISTIO
21st Docker Switzerland Meetup - ISTIO21st Docker Switzerland Meetup - ISTIO
21st Docker Switzerland Meetup - ISTIONiklaus Hirt
 
PSOCLD 1007 Cisco Hybrid Cloud Platform for Google Cloud
PSOCLD 1007 Cisco Hybrid Cloud Platform for Google CloudPSOCLD 1007 Cisco Hybrid Cloud Platform for Google Cloud
PSOCLD 1007 Cisco Hybrid Cloud Platform for Google CloudRohit Agarwalla
 
Managing microservices with Istio Service Mesh
Managing microservices with Istio Service MeshManaging microservices with Istio Service Mesh
Managing microservices with Istio Service MeshRafik HARABI
 
Kubernetes Ingress to Service Mesh (and beyond!)
Kubernetes Ingress to Service Mesh (and beyond!)Kubernetes Ingress to Service Mesh (and beyond!)
Kubernetes Ingress to Service Mesh (and beyond!)Christian Posta
 

Similaire à How to Make Istio Work with Your App (20)

Istio Triangle Kubernetes Meetup Aug 2019
Istio Triangle Kubernetes Meetup Aug 2019Istio Triangle Kubernetes Meetup Aug 2019
Istio Triangle Kubernetes Meetup Aug 2019
 
Do You Need A Service Mesh?
Do You Need A Service Mesh?Do You Need A Service Mesh?
Do You Need A Service Mesh?
 
Unmeshing the service mesh
Unmeshing the service meshUnmeshing the service mesh
Unmeshing the service mesh
 
Service Mesh For Beginner
Service Mesh For BeginnerService Mesh For Beginner
Service Mesh For Beginner
 
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
 
Istio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxyIstio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxy
 
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
 
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...
 
Microservices and APIs
Microservices and APIsMicroservices and APIs
Microservices and APIs
 
Service Mesh on Kubernetes with Istio
Service Mesh on Kubernetes with IstioService Mesh on Kubernetes with Istio
Service Mesh on Kubernetes with Istio
 
Istio
IstioIstio
Istio
 
ISTIO Deep Dive
ISTIO Deep DiveISTIO Deep Dive
ISTIO Deep Dive
 
The Current And Future State Of Service Mesh
The Current And Future State Of Service MeshThe Current And Future State Of Service Mesh
The Current And Future State Of Service Mesh
 
Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)
 
FIWARE Global Summit - Building Production Grade IoT Platform Leveraging FIWARE
FIWARE Global Summit - Building Production Grade IoT Platform Leveraging FIWAREFIWARE Global Summit - Building Production Grade IoT Platform Leveraging FIWARE
FIWARE Global Summit - Building Production Grade IoT Platform Leveraging FIWARE
 
Micro profile and istio
Micro profile and istioMicro profile and istio
Micro profile and istio
 
21st Docker Switzerland Meetup - ISTIO
21st Docker Switzerland Meetup - ISTIO21st Docker Switzerland Meetup - ISTIO
21st Docker Switzerland Meetup - ISTIO
 
PSOCLD 1007 Cisco Hybrid Cloud Platform for Google Cloud
PSOCLD 1007 Cisco Hybrid Cloud Platform for Google CloudPSOCLD 1007 Cisco Hybrid Cloud Platform for Google Cloud
PSOCLD 1007 Cisco Hybrid Cloud Platform for Google Cloud
 
Managing microservices with Istio Service Mesh
Managing microservices with Istio Service MeshManaging microservices with Istio Service Mesh
Managing microservices with Istio Service Mesh
 
Kubernetes Ingress to Service Mesh (and beyond!)
Kubernetes Ingress to Service Mesh (and beyond!)Kubernetes Ingress to Service Mesh (and beyond!)
Kubernetes Ingress to Service Mesh (and beyond!)
 

Dernier

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 

Dernier (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 

How to Make Istio Work with Your App

  • 1. How to Make IstioWork withYour App Karen Bruner
  • 2. 2©2019 StackRox. All rights reserved. Overview 1. Quick intro to Istio and Service Mesh concepts 2. Deciding to adopt Istio 3. Debugging issues with Istio routing 4. Common problems (and solutions) with Istio 5. Strategies and practices for long-term success
  • 3. 3©2019 StackRox. All rights reserved. Overview of the Istio Service Mesh • What is a service mesh? • Infrastructure layer dedicated to managing service-to-service communications • Istio • Background • Built on Lyft’s Envoy proxy • Joint project by Google, IBM, and Lyft • Features and capabilities • Security: zero-trust model, mTLS, authentication, authorization • Service routing: load balancing, HTTP request routing, A/B testing, throttling, deployment canaries, traffic shifting, traffic mirroring, fault injection • Visibility: detailed connection and request logging, request tracing • Multi-cluster mesh
  • 4. 4©2019 StackRox. All rights reserved. Istio Architecture
  • 5. 5©2019 StackRox. All rights reserved. Do you need Istio? • Driving factors • Security • Microservice visibility • Intelligent request routing • Counterarguments • Steep learning curve • Operational complexity • Other considerations • Istio’s tools and performance keep improving with each release • Adoption of most individual features and security restrictions can be turned on later
  • 6. 6©2019 StackRox. All rights reserved. Istio Debugging andTroubleshooting • Network connection logging • istio-proxy sidecar container logs • Log-level can be set globally or on-the-fly per pod • curl -s -XPOST http://localhost:15000/logging?level=debug • Mixer telemetry container logs (may change with Istio v1.4+) • kubectl logs -l app=telemetry -n istio-system -c mixer • Configuration propagation • Pilot logs • kubectl logs -l app=pilot -n istio-system -c discovery • istioctl • CLI • Interface for various Istio Control Plane services • Growing set of troubleshooting tools
  • 7. 7©2019 StackRox. All rights reserved. istioctl
  • 8. 8©2019 StackRox. All rights reserved. Common Application Issues Use case / Issue Best Solution Workarounds Proxy start-up latency Application should retry network connections Wrap your container command: ... spec: template: spec: containers: - name: my-app args: - 'while ! wget -q -O - http://localhost:15000/server_info | grep ''"state": "LIVE"''; do echo Waiting for proxy; done; echo Istio-proxy ready; exec /entrypoint' command: - /bin/sh - -c
  • 9. 9©2019 StackRox. All rights reserved. Use case / Issue Best Solution Workarounds Kubernetes liveness/readiness probes and mTLS ● Use a separate port on the application container for health checks ● Exec check ● Global (for all Istio-managed services): Pass the --set values.sidecarInjectorWebhook.rewriteAppHTTP Probe=true option to helm ● Per deployment: add sidecar.istio.io/rewriteAppHTTPProbers: "true" annotation to the pod spec Mixed-protocol ports Use a different application container port for each protocol type Add a small proxy to the pod to handle one protocol Non-TCP protocols Use Kubernetes Network Policies to control service ingress and egress for UDP and SCTP
  • 10. 10©2019 StackRox. All rights reserved. Use case / Issue Best Solution Workarounds Pod Security Policies or Contexts breaking istio-init container Use istio CNI to handle iptables rules outside application pods Services with their ownTLS certs ● Use your own CA in Citadel ● Convert application to use Istio auth Set mTLS mode to PERMISSIVE (could be security issue) Headless services ● Internal traffic: Add an Istio ServiceEntry resource per pod in the StatefulSet (cassandra-0, cassandra-1, etc) ● Traffic from outside mesh: Add Istio VirtualService entry per pod
  • 11. 11©2019 StackRox. All rights reserved. Long-term Strategies for Success with Istio • Keep Istio resource manifests with all other Kubernetes manifests for an application • Version controlled • Apply identical configs in pre-production environments as production • Create internal “library” of Istio resource manifest templates for different application types • Leverage the metrics and details Istio collects to show value and drive stack improvements • Suggest improvements to Istio • Open a feature request on GitHub • Join the Istio Slack channel
  • 12. 12©2019 StackRox. All rights reserved. Me + More • More Istio information at https://www.stackrox.com/post/ • Me: Karen Bruner • Personal tech blog: https://nightmare-before-devops.xyz/ • LinkedIn: https://www.linkedin.com/in/kmbruner • My cats: