A Comparison of Service Mesh Options
Looking at Istio, Linkerd, Consul Connect
Syed Ahmed - CloudOps Inc
Introduction
About Me
• Cloud Software Architect @ CloudOps
• PMC for Apache CloudStack
• Worked on network modules in OpenStack and CloudStack
• Previously worked on the NetScaler LB
• Part of the DevOps team @ Yahoo!
About CloudOps
• We design, build and operate clouds
• Help customers own their destiny in the cloud
• Vendor/cloud agnostic
A Case for Service Mesh
Monolithic Architecture
● Strong coupling between modules leads to anti-patterns in the communication between them
● Difficulties in scaling
● Updating to a new version requires a complete re-install
● A problem in one module can cause the whole application to crash
● Difficult to move to a new framework or technology
Microservices Architecture
● An API contract between modules/services ensures that each module can be developed and maintained independently
● Each service can be scaled independently
● Updating to a new version requires updates only to the specific services affected
● Allows for easier CI/CD
Evolution of the Ecosystem
Challenges with the Microservices Architecture
Service Mesh as a Solution
A Service Mesh is the substrate between different microservices that makes connectivity between them possible. In addition to providing networking, a Service Mesh can also provide other features such as Service Discovery, Authentication and Authorization, Monitoring, Tracing and Traffic Shaping.
![Page 16: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/16.jpg)
Sidecar Pattern
![Page 17: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/17.jpg)
Istio
![Page 18: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/18.jpg)
Istio
● Open Sourced by Google, IBM & Lyft in May 2017
● Service Mesh designed to connect, secure and monitor microservices
![Page 19: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/19.jpg)
Istio Features
● Automatic load balancing for HTTP, gRPC, WebSocket, and TCP traffic.
● Fine-grained control of traffic behavior with rich routing rules, retries, failovers, and fault injection.
● A pluggable policy layer and configuration API supporting access controls, rate limits and quotas.
● Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress.
● Secure service-to-service communication in a cluster with strong identity-based authentication and authorization.
![Page 20: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/20.jpg)
Istio Architecture
![Page 21: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/21.jpg)
Istio Architecture
● Envoy: a high-performance proxy developed in C++ that provides dynamic service discovery, load balancing, TLS termination, HTTP/2 and gRPC proxying, circuit breakers, health checks, staged rollouts with %-based traffic splits, fault injection and rich metrics
● Pilot: The core component used for traffic management in Istio is Pilot, which manages and configures all the Envoy proxy instances deployed in a particular Istio service mesh
● Mixer: Mixer is a platform-independent component. Mixer enforces access control and usage policies across the service mesh, and collects telemetry data from the Envoy proxy and other services. The proxy extracts request level attributes, and sends them to Mixer for evaluation
● Citadel: Citadel provides strong service-to-service and end-user authentication with built-in identity and credential management. You can use Citadel to upgrade unencrypted traffic in the service mesh. Using Citadel, operators can enforce policies based on service identity rather than on network controls
![Page 22: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/22.jpg)
Istio Gateway
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "httpbin.example.com"
```
Gateway describes a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections.
![Page 23: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/23.jpg)
Istio VirtualService
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews-route
spec:
  hosts:                  # the service this VirtualService applies to (required)
  - reviews.prod.svc.cluster.local
  http:                   # protocol-specific rule list; weights must total 100
  - route:
    - destination:
        host: reviews.prod.svc.cluster.local
        subset: v2
      weight: 25
    - destination:
        host: reviews.prod.svc.cluster.local
        subset: v1
      weight: 75
```
A VirtualService defines a set of traffic routing rules to apply when a host is addressed. Each routing rule defines matching criteria for traffic of a specific protocol. If the traffic is matched, then it is sent to a named destination service (or subset/version of it) defined in the registry.
![Page 24: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/24.jpg)
Istio DestinationRule
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: bookinfo-ratings
spec:
  host: ratings.prod.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      simple: LEAST_CONN
```
DestinationRule defines policies that apply to traffic intended for a service after routing has occurred. These rules specify configuration for load balancing, connection pool size from the sidecar, and outlier detection settings to detect and evict unhealthy hosts from the load balancing pool.
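Before applying the three objects above, a practitioner would want to check them against each other: that the Gateway does not expose plaintext HTTP at the edge without an HTTPS redirect or match every host, that the VirtualService's weights total 100, and that every subset a route names is actually defined by a DestinationRule for that host (otherwise Envoy has no endpoints for it). The following Python is an added example, not code from the slides or from Istio; REVIEWS_RULE is a constructed object the slides do not show (their DestinationRule is for ratings), and the manifests are dicts in the JSON shape `kubectl get <kind> -o json` returns, so it runs offline.

```python
# Added example, not from the slides or Istio. Manifests are constructed dicts in
# the JSON form `kubectl get <kind> -o json` returns, so this runs without PyYAML.
GATEWAY = {  # mirrors the httpbin-gateway slide
    "kind": "Gateway", "metadata": {"name": "httpbin-gateway"},
    "spec": {"selector": {"istio": "ingressgateway"},
             "servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                          "hosts": ["httpbin.example.com"]}]},
}
VIRTUAL_SERVICE = {  # mirrors the reviews-route slide (25/75 split)
    "kind": "VirtualService", "metadata": {"name": "reviews-route"},
    "spec": {"hosts": ["reviews.prod.svc.cluster.local"],
             "http": [{"route": [
                 {"destination": {"host": "reviews.prod.svc.cluster.local", "subset": "v2"}, "weight": 25},
                 {"destination": {"host": "reviews.prod.svc.cluster.local", "subset": "v1"}, "weight": 75},
             ]}]},
}
RATINGS_RULE = {  # mirrors the bookinfo-ratings slide: a different host, no subsets
    "kind": "DestinationRule", "metadata": {"name": "bookinfo-ratings"},
    "spec": {"host": "ratings.prod.svc.cluster.local",
             "trafficPolicy": {"loadBalancer": {"simple": "LEAST_CONN"}}},
}
REVIEWS_RULE = {  # constructed: the rule the reviews-route split actually needs
    "kind": "DestinationRule", "metadata": {"name": "reviews"},
    "spec": {"host": "reviews.prod.svc.cluster.local",
             "subsets": [{"name": "v1", "labels": {"version": "v1"}},
                         {"name": "v2", "labels": {"version": "v2"}}]},
}

def check_gateway(gw):
    """Flag edge listeners taking plaintext HTTP with no HTTPS redirect, and wildcard hosts."""
    findings = []
    for srv in gw["spec"].get("servers", []):
        plaintext = srv["port"].get("protocol", "").upper() == "HTTP"
        if plaintext and not srv.get("tls", {}).get("httpsRedirect"):
            findings.append(f"{gw['metadata']['name']}: port {srv['port']['number']} serves plaintext HTTP")
        if "*" in srv.get("hosts", []):
            findings.append(f"{gw['metadata']['name']}: server accepts any host ('*')")
    return findings

def check_routes(vs, rules):
    """Weights must total 100, and every (host, subset) a route names must be
    defined by a DestinationRule, or the sidecar has no endpoints for it (503s)."""
    subsets = {r["spec"]["host"]: {s["name"] for s in r["spec"].get("subsets", [])} for r in rules}
    findings = []
    for i, http in enumerate(vs["spec"].get("http", [])):
        routes = http.get("route", [])
        # a single destination may omit weight (implicitly 100); several must add up to 100
        weights = [d.get("weight", 100 if len(routes) == 1 else 0) for d in routes]
        if sum(weights) != 100:
            findings.append(f"route[{i}]: weights sum to {sum(weights)}, not 100")
        for d in routes:
            host, subset = d["destination"]["host"], d["destination"].get("subset")
            if subset and subset not in subsets.get(host, set()):
                findings.append(f"route[{i}]: subset '{subset}' of {host} is not defined in any DestinationRule")
    return findings

if __name__ == "__main__":
    for f in check_gateway(GATEWAY) + check_routes(VIRTUAL_SERVICE, [RATINGS_RULE]):
        print("WARN", f)
```

Run as shown, it reports the plaintext port 80 listener and both undefined reviews subsets; passing `[REVIEWS_RULE]` instead clears the route findings.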
![Page 25: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/25.jpg)
Linkerd
![Page 26: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/26.jpg)
Linkerd
● Initially started as a network proxy (v1.0) for enabling service mesh
● Merged with Conduit to form Linkerd 2.0 in Sept 2018
![Page 27: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/27.jpg)
Linkerd Architecture
![Page 28: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/28.jpg)
● Controller: The controller consists of multiple containers (public-api, proxy-api, destination, tap) that provide the bulk of the control plane’s functionality
● Web: The web deployment provides the Linkerd dashboard
● Prometheus: All of the metrics exposed by Linkerd are scraped via Prometheus and stored. An instance of Prometheus that has been configured to work specifically with the data that Linkerd generates is deployed
● Grafana: Linkerd comes with many dashboards out of the box. The Grafana component is used to render and display these dashboards. You can reach these dashboards via links in the Linkerd dashboard itself.
Linkerd Capabilities
● Linkerd’s philosophy is to be a very lightweight addition on top of the existing platform
● No need to be a platform admin to use Linkerd
● Simple installation and CLI tools to get started
● Small sidecar proxy written in Rust
● Can do end-to-end encryption and automatic proxy injection
● Lacks complex routing and tracing capabilities
![Page 30: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/30.jpg)
Linkerd Commands
```sh
# Install
linkerd check --pre
linkerd install | kubectl apply -f -

# Inject
kubectl get -n emojivoto deploy -o yaml \
  | linkerd inject - \
  | kubectl apply -f -

# Inspect
linkerd -n emojivoto stat deploy
linkerd -n emojivoto top deploy
linkerd -n emojivoto tap deploy/web
```
![Page 31: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/31.jpg)
Consul Connect
![Page 32: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/32.jpg)
Consul Connect
● Consul is a highly available and distributed service discovery and KV store
● Consul Connect augments Consul and adds Service Mesh Capabilities and was added in July 2018
![Page 33: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/33.jpg)
Consul Connect Features
● Provides secure service-to-service communication with automatic TLS encryption and identity-based authorization
● Uses the Envoy proxy sidecar as the data plane
● Integration with Vault for certificate and secret management
● Service discovery already provided by Consul
● Useful if you want to use services outside Kubernetes, as Consul can do a two-way sync between k8s services and Consul services
● No routing features; main focus on service discovery and service identity management
![Page 34: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/34.jpg)
Conclusion
![Page 35: Mesh Options A Comparision of Service...A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. Automatic metrics, logs, and traces for all](https://reader033.vdocument.in/reader033/viewer/2022041921/5e6bcfeb3d93851d9955de41/html5/thumbnails/35.jpg)
Conclusion
| Feature | Istio | Linkerd | Consul Connect |
|---|---|---|---|
| Traffic Redirection (Blue/Green deployment) | Yes | No | No |
| Traffic Splitting (Canary deployment) | Yes | No | No |
| Attribute-based routing | Yes | No | No |
| Service Identification | Yes | No | Yes |
| Auto Proxy Injection | Yes | Yes | Yes |
| Non-Admin installation | No | Yes | No |
| Built-in Dashboard | Yes | Yes | No |
| Certificate Management | Yes | No | Yes |
| Metrics Collection | Yes | Yes | No |
| TLS | Yes | Yes | Yes |
| External Service Support | Yes | No | Yes |
| Rate Limiting | Yes | No | No |
| Tracing | Yes | No | No |
Appendix (BookInfo App)
Appendix (Emojivoto App)