

Page 1: Managing Microservice Applications with Istio


Managing Microservice Applications with Istio

Connect, Secure, Collect metrics and Monitor

applications in a complex environment

DEV-1393

Swaminathan Vasudevan

Page 2: Managing Microservice Applications with Istio


Need For Microservices

Page 3: Managing Microservice Applications with Istio

What Is A Monolithic Application?

• Monolithic applications are built as one single unit.
• Enterprise monolithic applications mostly have a three-tier architecture (user interface, server, and database).
• A developer must build and deploy an updated version of the whole monolithic application for any change that needs to go into any one of the layers.

Page 4: Managing Microservice Applications with Istio

Monolithic Application (diagram: a single deployable unit stacked as User Interface, Business Layer, Data Interface Layer and Database)

Page 5: Managing Microservice Applications with Istio

Disadvantages Of A Monolithic Application

• Scaling of monolithic applications is always a challenge.
• As monolithic applications grow larger in size and complexity, the complete picture becomes difficult for the developers to understand.
• Limited reuse is seen across monolithic applications.
• It is difficult to achieve operational agility in repeated deployments.
• Monolithic applications are developed using a single stack, which limits the use of other available tools.

Page 6: Managing Microservice Applications with Istio

Microservices Architecture (diagram: Web Client, IoT and Mobile Client call an API Gateway; behind it several independent services, each with Middleware, Business Logic and Data Interface layers, each backed by its own Database, with a Queue between services)

Page 7: Managing Microservice Applications with Istio

Benefits Of Microservices Architecture

• Enables an application to be broken down into multiple component services, allowing each of these services to be deployed and maintained without compromising the integrity of the application.
• Enables continuous delivery.
• Provides scalability and reusability with efficiency.
• Each service can be developed and deployed independently.
• Better fault isolation.

Page 8: Managing Microservice Applications with Istio

Benefits Of Microservices Architecture

• Simplifies security monitoring because the various parts of an app are isolated.
• Components can be distributed across multiple servers or even multiple data centers.
• Complements cloud activities and works with containers.
• Code can be organized around business capabilities.
• With microservices, interfaces are exposed with a standard protocol, such as a REST-ful API, so they can be consumed and reused by other services and applications without direct coupling through language bindings or shared libraries.

Page 9: Managing Microservice Applications with Istio

Kubernetes Architecture And Control Flow (diagram: kubectl talks to the Master node, which runs the API Server, Controller-manager (replication, namespace, service-accounts etc.), Scheduler and etcd; each Worker Node runs kubelet, kube-proxy, a Container Runtime and Pods, and is reachable from the Internet)

Page 10: Managing Microservice Applications with Istio


Challenges With Microservices At Scale

Page 11: Managing Microservice Applications with Istio

Things To Consider For A Complex, Scalable, But Resilient Microservice Architecture

Kubernetes provides a framework to deploy and manage container applications that are part of a microservice architecture.

But as the number of services increases, we need to deal with:

• Interaction between the services
• Security between the services
• System health
• Fault tolerance

Page 12: Managing Microservice Applications with Istio


Things To Consider For A Complex, Scalable, But Resilient Microservice Architecture

• Logging

• Telemetry

• Metrics

• Circuit breaking

• Multi-point failures and more

Page 13: Managing Microservice Applications with Istio


Service Mesh

Page 14: Managing Microservice Applications with Istio

Service Mesh Comes To The Rescue

What is a Service Mesh?

A Service Mesh addresses the challenges developers and operators face as monolithic applications transition towards a complex distributed microservice architecture.

A Service Mesh decouples this complexity from your application and puts it in a service proxy -- it handles it for you.

Page 15: Managing Microservice Applications with Istio


Service Mesh Comes To The Rescue

Service proxies offer functionalities like:

• Traffic management

• Circuit breaking

• Service discovery

• Authentication

• Monitoring

• Security and much more

Page 16: Managing Microservice Applications with Istio

What Is Envoy?

• Service and Edge Proxy
  • HTTP/2, gRPC, MongoDB, DynamoDB, with more protocol support in future
• Advanced load-balancing
  • L7, Canary, Retries, Circuit breaking, Rate limits
• Security
  • Authorization, mTLS
• Observability
  • Tracing & metrics
• Extendable
  • Go extensions, WASM, Lua, etc.

(diagram: Service A sending traffic through Envoy to three instances of Service B)

Page 17: Managing Microservice Applications with Istio

What Is Istio?

Istio is an open source service mesh that layers transparently onto existing distributed applications.

Istio provides an easy way to create a network of deployed services with

• Load balancing
• Service-to-service authentication
• Monitoring and more

without requiring any changes in service code.

Istio support can be added to services by deploying a special sidecar proxy between microservices, configured and managed using Istio’s control plane.

(diagram: the Control Plane API, made up of Pilot, Mixer and Citadel, pushes Config data to proxies and TLS certs to proxies and receives Policy checks and telemetry; Service A and Service B each sit behind a Proxy and talk over HTTP/1.1, HTTP/2, gRPC or TCP, with or without mTLS)

Page 18: Managing Microservice Applications with Istio

Istio Control Plane

• Automatic load balancing for HTTP, gRPC, WebSocket, and TCP traffic.
• Fine-grained control of traffic behavior with rich routing rules, retries, failovers, and fault injection.
• A pluggable policy layer and configuration API supporting access controls, rate limits, and quotas.
• Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress.
• Secure service-to-service communication in a cluster with strong identity-based authentication and authorization.
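The traffic-control features listed on this slide (routing rules, retries, circuit breaking and fault injection) are all expressed as Istio networking manifests. The following is an added example, not part of the slides: a DestinationRule that enforces sidecar-to-sidecar mTLS, caps the connection pool and ejects failing endpoints (the circuit-breaking mentioned earlier), plus a VirtualService that adds retries, an overall timeout and a small injected delay. The service name service-b, the namespace default and the version label are assumptions.

```yaml
# Added example, not from the slides. Assumes a Kubernetes Service named
# service-b in namespace default whose pods carry the label version: v1.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: service-b
  namespace: default
spec:
  host: service-b.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL          # mutual TLS between sidecars using Istio-issued certs
    connectionPool:
      tcp:
        maxConnections: 100        # upper bound on connections to service-b
      http:
        http1MaxPendingRequests: 50
        maxRequestsPerConnection: 10
    outlierDetection:              # circuit breaking: eject endpoints that keep failing
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50       # never eject more than half of the endpoints
  subsets:
  - name: v1
    labels:
      version: v1
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: service-b
  namespace: default
spec:
  hosts:
  - service-b.default.svc.cluster.local
  http:
  - fault:                         # fault injection: delay 10% of requests by 2s
      delay:
        percentage:
          value: 10
        fixedDelay: 2s
    retries:
      attempts: 3
      perTryTimeout: 2s
      retryOn: 5xx,reset,connect-failure
    timeout: 10s                   # overall budget across all retry attempts
    route:
    - destination:
        host: service-b.default.svc.cluster.local
        subset: v1
```

Apply both objects with kubectl apply -f; no application code changes are needed, since the sidecar proxies pick the rules up from Pilot. The fault block exists to verify that callers honour the retry and timeout budget, so keep it out of production configuration, and size maxEjectionPercent so that outlier detection can never remove every endpoint of a service.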

Page 19: Managing Microservice Applications with Istio

Istio Control Plane Components

Istio control plane components are

• Pilot
  • Connectivity and Communication (Traffic Management, Fault injection and Layer 7 Load Balancing)
• Mixer
  • Monitoring and observability (backend abstraction, intermediation, latency, reliability)
• Citadel
  • Encryption and authentication (service authentication, role based access control, authentication policy, TLS authentication and key management)

Page 20: Managing Microservice Applications with Istio

Istio Data Plane

• Istio data plane consists of Envoy proxies that are deployed as sidecars within each container.
• These proxies are responsible for establishing connections between the services and managing the communication between them.

Page 21: Managing Microservice Applications with Istio

Transparent Sidecar Injection Without Cilium (diagram: two K8s Pods on a K8s Node; inside each pod the Service's Socket traffic passes through TCP/IP, IPtables and Loopback into the sidecar's Socket, then again through TCP/IP, IPtables and Ethernet out of eth0 to the Network)

Page 22: Managing Microservice Applications with Istio


Cilium With Istio

Page 23: Managing Microservice Applications with Istio

How Cilium Enhances Istio with Socket-aware eBPF Programs

Cilium and eBPF programs enhance Istio:

• Increase Istio security
  • Least privilege security for multi-container pods using socket-aware BPF programs
  • Protect from compromised sidecar proxies and protocols that bypass the sidecar
  • Use of BPF to force all application traffic through the sidecar proxy
• Enable Istio for external services
  • Using socket-aware BPF programs and kTLS to provide visibility and control into TLS encrypted connections
• Performance
  • Efficient networking and socket redirection to accelerate Istio

Page 24: Managing Microservice Applications with Istio

What Is Cilium?

Cilium is open source software for transparently securing network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.

• Highly efficient BPF datapath
• Fully distributed
• Service Mesh datapath
• Networking
  • Cilium-CNI or chaining on top of most other CNIs
  • Kubernetes services implementation
• Network policies on both packet and API level
  • Identity-based, IP/CIDR as fallback, DNS aware, API aware
• Multi-cluster, encryption
• Available for Linux Kernel 4.9 and above.
• Distributed and scalable load balancing.
• Native Envoy and Istio integration
  • Transparent Envoy injection (per-node or sidecar)
  • Accelerated proxy redirection, transparent SSL visibility
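To make the "identity-based, DNS aware, API aware" policy claim on this slide concrete, here is an added example (not from the slides) of a CiliumNetworkPolicy. It selects pods by label rather than IP, restricts ingress to one caller and to GET on one path prefix (API-level enforcement at L7), and limits egress to an external host by DNS name, which matches the external GitHub service shown later in the deck. The labels app: service-a and app: service-b, the namespace default and the port numbers are assumptions.

```yaml
# Added example, not from the slides. Assumes pods labelled app: service-a
# (caller) and app: service-b (callee) in namespace default, with kube-dns
# running in kube-system as in a standard Kubernetes install.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: service-b-policy
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: service-b
  ingress:
  # Identity-based: only endpoints carrying app=service-a may connect ...
  - fromEndpoints:
    - matchLabels:
        app: service-a
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      # ... and only with GET on /api/* (API-aware, L7 rule; Cilium
      # redirects matching flows through its Envoy proxy to enforce it).
      rules:
        http:
        - method: "GET"
          path: "/api/.*"
  egress:
  # Allow DNS lookups so the FQDN rule below can learn the resolved IPs.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # DNS-aware: egress to the external service is allowed by name, not by a
  # hard-coded IP/CIDR (the constructed hostname stands in for the slide's
  # "External Github Service").
  - toFQDNs:
    - matchName: "api.github.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

Because the policy names an endpoint selector and at least one ingress and one egress rule, everything not listed is dropped for service-b in both directions; any other caller, any other method or path, and any other destination hits the deny shown on the later "Cilium Protects Unsupported Protocols" slide. The DNS egress rule is required, otherwise the toFQDNs rule can never be populated with addresses.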

Page 25: Managing Microservice Applications with Istio

Kubernetes, Cilium CNI Control Flow (diagram: Kubectl calls the Kubernetes API Server; the Kubelet drives CRI-Containerd, which invokes the CNI-Plugin (Cilium) via cni-add(); the Cilium Agent in Userspace uses bpf_syscall() to populate BPF Maps and attach a BPF Hook in the Linux Kernel Network Stack; a K8s Pod with Container 1 and Container 2 is attached through eth0)

Page 26: Managing Microservice Applications with Istio

Kubernetes Cluster With Cilium CNI Plugin (diagram: a K8s cluster of K8s nodes running Cilium Networking CNI; each K8s pod's container (A, B, C) has an eth0 paired with an lxc interface on the node, and each node has its own eth0)

Page 27: Managing Microservice Applications with Istio

Transparent Sidecar Injection With Cilium (diagram: the same two K8s Pods on a K8s Node; with Cilium CNI the Service's Socket is redirected directly to the sidecar's Socket without the IPtables and Loopback hops, and only the sidecar's traffic goes through TCP/IP and Ethernet out of eth0 to the Network)

Page 28: Managing Microservice Applications with Istio

Service Proxy Performance Improvements (chart: Requests/s, from 0 to 3,500,000, against number of persistent connections at 5, 10, 25, 50, 100, 500, 750 and 1000, comparing Iptables redirect loopback with Cilium + Sockmap)

Page 29: Managing Microservice Applications with Istio

Cilium Protects Unsupported Protocols and Compromised Sidecars (diagram: a K8s cluster with Istio Pilot / Mixer / Citadel and three K8s nodes running Networking (CNI); every pod has a Security enforcement point at the CNI layer, so traffic from a Compromised sidecar, and traffic on protocols that bypass the sidecar, is marked deny)

Page 30: Managing Microservice Applications with Istio

Cilium Secures Multi-Container Pods (diagram: the same K8s cluster with Istio Pilot / Mixer / Citadel and Networking (CNI); inside a multi-container pod each container has its own Security enforcement point, and traffic between containers that is not permitted is marked deny)

Page 31: Managing Microservice Applications with Istio

Istio – Service-to-Service With Mutual TLS (diagram: a K8s cluster with Istio Pilot / Mixer / Citadel and Cilium Networking CNI across K8s nodes; Service A in one K8s pod talks to Service B in another K8s pod over Mutual TLS)
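The Service A to Service B mutual-TLS exchange in this diagram, together with the Citadel responsibilities from the control-plane components slide (authentication policy, role based access control, TLS authentication), maps onto two Istio security objects. This is an added example, not from the slides: a PeerAuthentication that rejects plaintext connections in the namespace, and an AuthorizationPolicy that only lets the identity Citadel issued to Service A call Service B, and only for GET on one path prefix. The ServiceAccount names service-a and service-b, the namespace default and the label app: service-b are assumptions.

```yaml
# Added example, not from the slides. Assumes Service A runs under the
# ServiceAccount service-a and Service B under service-b (label app: service-b),
# both in namespace default, and that both pods have the Istio sidecar injected.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT        # sidecars in this namespace accept only mTLS; plaintext is refused
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-b-allow-service-a
  namespace: default
spec:
  selector:
    matchLabels:
      app: service-b    # policy is enforced by Service B's sidecar
  action: ALLOW
  rules:
  - from:
    - source:
        # The principal is the SPIFFE identity carried in the client
        # certificate that Citadel issued to the service-a ServiceAccount.
        principals:
        - cluster.local/ns/default/sa/service-a
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/*"]
```

Once an ALLOW policy with a selector exists, Service B's sidecar denies every request that matches no rule, so a caller with a different ServiceAccount, a caller without a sidecar (no client certificate, refused by STRICT mode), or a POST to the same path is rejected before it reaches the application. STRICT mode requires every client in the namespace to be in the mesh; during a migration the PERMISSIVE mode accepts both plaintext and mTLS, at the cost of the identity guarantee the authorization rule relies on.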

Page 32: Managing Microservice Applications with Istio

Istio – Service-To-External Entity With Deferred kTLS (diagram: a K8s cluster with Istio Pilot / Mixer / Citadel and Cilium Networking CNI; Service A in a K8s pod reaches an External Github Service across the External Cloud Network, with Deferred kTLS encryption applied on the way out)

Page 33: Managing Microservice Applications with Istio

Why Istio Matters?

Istio is stable, has valuable features, and allows for a more granular level of security.

It helps to

• Connect microservices
  • Control various API calls between services & the traffic flow between them
• Secure microservices
  • Provides security by default – no modifications required in app code & infrastructure
  • Ultra defense: provides multiple layers of security by integrating with another security system
  • Allows traffic encryption, helps against MITM attacks
• Control microservices
  • Applies enforcement policies
• Observe microservices
  • Provides auto-tracing, logging, and monitoring of all microservices, visualizes what’s happening under the hood

And with Cilium we get added performance and security features.

Page 34: Managing Microservice Applications with Istio

Conclusion

Service mesh is an excellent infrastructure addition for a microservices architecture.

A service mesh like Istio enables client-side load balancing and performs all the functions at the application layer.

Istio detects when services fail, slow down, or only partially succeed, and it passes all telemetry info to dashboards such as Grafana, simplifying the troubleshooting and tracking down of root causes.

Istio enhances the security layer for all communications happening in the service mesh.

Istio provides the tools needed to run microservices architectures.

Istio provides resilience, routing, and observability.

Page 35: Managing Microservice Applications with Istio

Q&A

Please Submit Your Questions

Page 36: Managing Microservice Applications with Istio

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of SUSE, LLC, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
