<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<title>Istio on Kubernetes, August 13, 2017</title>
<link rel="stylesheet" href="css/reveal.css">
<link rel="stylesheet" href="css/theme/beige.css">
<!-- Theme used for syntax highlighting of code -->
<link rel="stylesheet" href="lib/css/zenburn.css">
<!-- Printing and PDF exports -->
<script>
var link = document.createElement( 'link' );
link.rel = 'stylesheet';
link.type = 'text/css';
link.href = window.location.search.match( /print-pdf/gi ) ? 'css/print/pdf.css' : 'css/print/paper.css';
document.getElementsByTagName( 'head' )[0].appendChild( link );
</script>
</head>
<body>
<div class="reveal">
<div class="slides">
<section>
<h1>Istio On Kubernetes</h1>
<h2>August 16, 2017</h2>
<p>Chris Hiestand<br />
Software Engineer / Consultant<br />
twitter: <a href="https://twitter.com/dimmer">@dimmer</a><br />
github: <a href="https://github.com/chrishiestand">https://github.com/chrishiestand</a>
</p>
<aside class="notes">
<ul>
<li>Has anyone used istio?</li>
<li>How many people more or less know what kubernetes is?</li>
<li>How many people more or less know what istio is?</li>
<li>How many people use kubernetes at all?</li>
<li>How many people use kubernetes in production?</li>
<li>Of those how many on GCP?</li>
<li>Of those how many on AWS?</li>
</ul>
</aside>
</section>
<section style="padding: 0; margin: 0;">
<h2>What is Istio</h2>
<div><img src="media/istio-logo.png" title="istio" style="max-width: 5em; border: none;" /></div>
<ul>
<li>Open source, Golang</li>
<li>Released by Google, IBM, and Lyft</li>
<li>It's a service mesh</li>
</ul>
<aside class="notes">
<p>service mesh = layer of infrastructure between a service and the network. So it's like a common middleware that is outside of your codebase.</p>
</aside>
</section>
<section style="padding: 0; margin: 0;">
<h2>Features</h2>
<ul>
<li>Automatic load balancing for HTTP, gRPC, and TCP traffic</li>
<li>Fine-grained control of traffic behavior with rich routing rules</li>
<li>Traffic encryption, service-to-service authentication and strong identity assertions</li>
<li>Fleet-wide policy enforcement</li>
<li>In-depth telemetry and reporting</li>
</ul>
</section>
<section style="padding: 0; margin: 0;">
<h2>But wait, there's more!</h2>
<div style="display: flex">
<div style="margin-right: 1em;">
<h3>Egress Features</h3>
<ul>
<li>Service Authentication</li>
<li>Load Balancing</li>
<li>Retry and Circuit Breaker</li>
<li>Fine-grained routing</li>
<li>Telemetry</li>
<li>Request Tracing</li>
<li>Fault Injection</li>
</ul>
</div>
<div>
<h3>Ingress Features</h3>
<ul>
<li>Service Authentication</li>
<li>Authorization</li>
<li>Rate Limits</li>
<li>Load Shedding</li>
<li>Telemetry</li>
<li>Request Tracing</li>
<li>Fault Injection</li>
</ul>
</div>
</div>
<p style="font-size: .33em">source: <a href="https://istio.io/talks/istio_talk_gluecon_2017.pdf">https://istio.io/talks/istio_talk_gluecon_2017.pdf</a></p>
<aside class="notes">
<p>Next I'm going to describe kubernetes for the uninitiated. Can anyone define what a kubernetes pod is?</p>
</aside>
</section>
<section style="padding: 0; margin: 0;">
<figure>
<figcaption>Example K8s Pod</figcaption>
<img src="media/pod.svg" title="kubernetes pod" alt="kubernetes pod" style="margin: 0; border: none;"/>
</figure>
<aside class="notes">
<p>Can anyone define what a kubernetes node is?</p>
</aside>
</section>
<section style="padding: 0; margin: 0;">
<figure>
<figcaption>Example K8s Node</figcaption>
<img src="media/node.svg" title="kubernetes node" alt="kubernetes node" style="margin: 0; width: 70%;"/>
</figure>
</section>
<section style="padding: 0; margin: 0;">
<figure>
<figcaption>Example K8s Cluster</figcaption>
<img src="media/cluster.svg" title="kubernetes cluster topology" alt="kubernetes cluster topology" style="margin: 0;"/>
</figure>
<aside class="notes">By default, any pod can communicate with any other pod. In practice, a pod usually only talks to a single pod for any given service.</aside>
</section>
<section style="padding: 0; margin: 0;">
<figure>
<figcaption>Sidecar Pattern (in a pod)</figcaption>
<img src="media/sidecar.png" title="sidecar" alt="sidecar" style="margin: 0; border: none;"/>
</figure>
<p style="font-size: .33em;">source: <a href="http://blog.kubernetes.io/2015/06/the-distributed-system-toolkit-patterns.html">http://blog.kubernetes.io/2015/06/the-distributed-system-toolkit-patterns.html</a></p>
</section>
<section style="padding: 0; margin: 0;">
<figure>
<figcaption>Basic Istio Routing<sup>*</sup></figcaption>
<img src="media/envoy-sidecar.svg" title="basic istio routing" alt="basic istio routing" style="margin: 0; border: none;"/>
<figcaption style="font-size: .33em"><sup>*</sup>Not always the case</figcaption>
</figure>
<aside class="notes">
<ul>
<li>Implementation detail: the iptables redirect rules are configured by a Kubernetes init container.</li>
<li>In 0.1, egress is only supported for the HTTP protocol.</li>
<li>A service is still reachable directly from (non-Istio) containers in the cluster, so a container without the sidecar bypasses the mesh entirely.</li>
</ul>
</aside>
</section>
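<section data-markdown style="padding: 0; margin: 0;">
<script type="text/template">
### Which pods are talking past the sidecar?

Added example, not part of the original deck or the Istio project: because a service stays reachable from any container that has no Envoy sidecar, a defender wants an inventory of unmeshed pods before trusting mesh policy or mTLS. The `kubectl` jsonpath query in `live_inventory` and the sidecar container name `istio-proxy` are assumptions (check the container name your injector actually emits); the sample inventory is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the slides or from Istio): list pods whose spec has no
# Envoy sidecar container. Such pods still reach cluster services directly and
# so sit outside mesh routing rules, telemetry and mutual TLS.
#
# Input format, one pod per line:  "<namespace>/<pod> <container> <container> ..."
# This is the shape produced by live_inventory below.

# Print the pod names whose container list (fields 2..NF) lacks the given
# sidecar container name. Matching is exact, so a container merely named
# "sidecar" does not count.
pods_without_sidecar() {
    sidecar="$1"
    awk -v sc="$sidecar" '
        {
            found = 0
            for (i = 2; i <= NF; i++) if ($i == sc) found = 1
            if (!found) print $1
        }'
}

# Assumed kubectl usage for a live cluster (not executed in the offline test):
# one line per pod, namespace/name followed by its container names.
live_inventory() {
    kubectl get pods --all-namespaces \
        -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {range .spec.containers[*]}{.name} {end}{"\n"}{end}'
}

# Constructed sample standing in for live_inventory output. The kube-dns line
# carries a container literally named "sidecar" to show that only an exact
# match on the injected proxy's name counts.
SAMPLE_INVENTORY='default/productpage-1 productpage istio-proxy
default/redis-master-1 redis
default/redis-client-1 redis-client istio-proxy
kube-system/kube-dns-1 kubedns dnsmasq sidecar'

# Run the check over the constructed sample; the sidecar name is assumed.
unmeshed_from_sample() {
    printf '%s\n' "$SAMPLE_INVENTORY" | pods_without_sidecar istio-proxy
}

# Against a real cluster the same check reads:
#   live_inventory | pods_without_sidecar istio-proxy
```

Run this after `istioctl kube-inject` (or, once automatic injection lands, after enabling the admission controller) to confirm that nothing you expect to be mesh-only is still reachable from an uninjected pod; system pods that are deliberately unmeshed will show up here too, so review the list rather than treating every hit as a finding.
</script>
</section>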
<section style="padding: 0; margin: 0;">
<figure>
<figcaption>Istio Architecture</figcaption>
<img src="media/istio-arch.svg" title="Istio topology" alt="Istio topology" style="margin: 0;"/>
</figure>
<p style="font-size: .33em;">source: <a href="https://istio.io/docs/concepts/what-is-istio/overview.html">https://istio.io/docs/concepts/what-is-istio/overview.html</a></p>
<aside class="notes">
<p>two planes: data and control</p>
<p>The data plane is composed of a set of intelligent proxies (Envoy) deployed as sidecars that mediate and control all network communication between microservices.</p>
<p>The control plane is responsible for managing and configuring proxies to route traffic, as well as enforcing policies at runtime.</p>
<p>Mixer is responsible for enforcing access control and usage policies across the service mesh and collecting telemetry data from the Envoy proxy and other services.</p>
<p>Pilot is responsible for collecting and validating configuration and propagating it to the various Istio components.</p>
<p>Istio-Auth provides strong service-to-service and end-user authentication using mutual TLS, with built-in identity and credential management.</p>
</aside>
</section>
<section style="padding: 0; margin: 0;">
<figure>
<figcaption>Demo Architecture</figcaption>
<img src="media/istio-demo-architecture.svg" title="Istio demo arch" alt="Istio demo arch" style="margin: 0;"/>
</figure>
<aside class="notes">
<h3>benefits of sidecar</h3>
<ul>
<li>Programming language independent</li>
<li>DRY</li>
</ul>
</aside>
<p style="font-size: .33em;">source: <a href="https://istio.io/docs/samples/bookinfo.html">https://istio.io/docs/samples/bookinfo.html</a></p>
</section>
<section style="padding: 0; margin: 0;">
<h1><span style="text-decoration: line-through;">Peanut Butter Jelly</span>Demo time!</h1>
</section>
<section style="padding: 0; margin: 0;">
<h3>Some Early Adoption (0.1) Limitations<sup>*</sup></h3>
<ul>
<li>Egress service only supports HTTP(S) requests</li>
<li>Istio-Auth (mTLS) only supports HTTP requests</li>
<li>Request Tracing only supports HTTP requests?</li>
</ul>
<p style="font-size: .33em"><sup>*</sup>Not a complete list</p>
<aside class="notes">
</aside>
</section>
<section style="padding: 0; margin: 0;">
<h3>0.2 Roadmap</h3>
<ul style="font-size: .75em;">
<li>TCP telemetry collection and policy enforcement.</li>
<li>Support for VMs joining an Istio Mesh.</li>
<li>Fully-automated injection of Envoy proxies into Kubernetes pods.</li>
<li>Standard extension points for addons and plugins.</li>
<li>Expanded authorization with callouts to external services.</li>
<li>Mixer request tracing with Zipkin.</li>
<li>Additional logging and analysis plugins.</li>
<li>Cluster-wide rate limiting.</li>
<li>Basic API management features.</li>
<li>Configuration rollout and management.</li>
<li>Configuration and policy enforcement APIs.</li>
<li>Improved system stability and performance.</li>
</ul>
<p style="font-size: .33em;">source: <a href="https://istio.io/docs/reference/release-roadmap.html">https://istio.io/docs/reference/release-roadmap.html</a>
</p>
<aside class="notes">"Fully-automated injection of Envoy proxies into Kubernetes pods" via admission controller
</aside>
</section>
<section style="padding: 0; margin: 0;">
<h1>Thank you!</h1>
</section>
<!-- <section style="padding: 0; margin: 0;">
<h3>TODO</h3>
<aside class="notes">
tcpdump dst port 6379 -vvvvvv |grep RESP
kcm exec -it $(kcm get pod |grep --color=none redis-master | cut -d' ' -f1) -c snooper -- /bin/sh -c "tcpdump port 6379 -vvvvvv |grep RESP"
kcm apply -f <(istioctl kube-inject -f redis-client-deployment.yaml --includeIPRanges=10.0.0.0/8)
kcm exec -it $(kcm get pod |grep --color=none redis-client | cut -d' ' -f1) -- /bin/sh -c "redis-cli -h redis-master get foo"
kcm exec -it $(kcm get pod |grep --color=none snooper | tail -n1 | cut -d' ' -f1) -c snooper -- /bin/sh -c "tcpdump -i any -vvvvvv dst port 6379 |grep ' RESP '"
kcm exec -it $(kcm get pod |grep --color=none snooper | tail -n1 | cut -d' ' -f1) -c snooper -- /bin/sh -c "tcpdump -i docker0 -vvvvvv dst port 6379 |grep ' RESP '"
</aside>
</section> -->
</div>
</div>
<script src="lib/js/head.min.js"></script>
<script src="js/reveal.js"></script>
<script>
// More info about config & dependencies:
// - https://github.com/hakimel/reveal.js#configuration
// - https://github.com/hakimel/reveal.js#dependencies
Reveal.initialize({
history: true,
center: false,
dependencies: [
{ src: 'plugin/markdown/marked.js' },
{ src: 'plugin/markdown/markdown.js' },
{ src: 'plugin/notes/notes.js', async: true },
{ src: 'plugin/highlight/highlight.js', async: true, callback: function() { hljs.initHighlightingOnLoad(); } }
]
});
</script>
</body>
</html>