State of the Platform Services Integrated · 2020-04-09 · OpenShift Container Platform...

Post on 28-May-2020


State of the Platform Services: Service Mesh and Beyond

Brian “redbeard” Harrington
What is your title Brian?
Red Hat

Steven Dake
Open Source Leader: Cloud Native
International Business Machines

IBM Cloud / DOC ID / Month XX, 2019 / © 2019 IBM Corporation 1

Why Istio?

SERVICE MESH ARCHITECTURE

[Diagram: three pods, each containing a service and an Envoy proxy; other labelled components: Pilot, Mixer, Auth, Jaeger]

Control Plane

Data Plane: Applies security, route rules, policies and reports traffic telemetry at the pod level

Connect Services

[Graphic: Connect]

Connect, Secure Services

[Graphic: Connect, Secure]

SECURE COMMUNICATION WITH ISTIO

mutual TLS authentication, transparent to the services

[Diagram: Service A, Service B and Service C pods, each with an Envoy proxy; two links labelled TLS]

CONTROL SERVICE ACCESS WITH ISTIO

control the service access flow, transparent to the services

[Diagram: Service A, Service B and Service C pods, each with an Envoy proxy]

Connect, Secure, Control Services

[Graphic: Connect, Secure, Control]

CANARY DEPLOYMENT WITH ISTIO

[Diagram: Service A, Service B:v1 and Service B:v2 pods, each with an Envoy proxy; traffic labels: boston employee, everyone]

A/B DEPLOYMENT WITH ISTIO

[Diagram: Service A, Service B:v1 and Service B:v2 pods, each with an Envoy proxy; two paths, each labelled 50% traffic]

CIRCUIT BREAKERS WITH ISTIO

transparent to the services

[Diagram: Service A, Service B and Service C pods, each with an Envoy proxy]

CIRCUIT BREAKERS WITH ISTIO

improved response time with global circuit status

[Diagram: Service A, Service B and Service C pods, each with an Envoy proxy]

TIMEOUTS AND RETRIES WITH ISTIO

configure timeouts and retries, transparent to the services

timeout: 10 sec, retry: 5

timeout: 15 sec, retry: 5

[Diagram: Service A, Service B and Service C pods, each with an Envoy proxy]

RATE LIMITING WITH ISTIO

limit invocation rates, transparent to the services

max 500 concurrent requests

max 100 connections

[Diagram: Service A, Service B and Service C pods, each with an Envoy proxy]

CHAOS ENGINEERING WITH ISTIO

inject delays, transparent to the services

10 sec delay in 10% of requests

[Diagram: Service A, Service B and Service C pods, each with an Envoy proxy]

CHAOS ENGINEERING WITH ISTIO

inject protocol-specific errors, transparent to the services

HTTP 400 in 5% of requests

[Diagram: Service A, Service B and Service C pods, each with an Envoy proxy]

Connect, Secure, Control and Observe Services

[Graphic: Connect, Observe, Secure, Control]

DISTRIBUTED TRACING WITH ISTIO & JAEGER

discovers service relationships and process times, transparent to the services

[Diagram: Service A, Service B and Service C pods, each with an Envoy proxy; trace timeline for Service A, Service B and Service C with durations 210 ms, 720 ms and 930 ms]

Why Red Hat Service Mesh?

SERVICE MESH ECOSYSTEM

[Diagram: capabilities Connect, Secure, Control, Observe; components Istio, Jaeger, Kiali, Grafana, Prometheus]

DISTRIBUTED SERVICES WITH RED HAT OPENSHIFT SERVICE MESH

[Diagram, layered stack: ANY APPLICATION (five services, each in a container); OpenShift Service Mesh (Istio + Jaeger + Kiali); OpenShift Container Platform (Enterprise Kubernetes); ANY INFRASTRUCTURE (Amazon Web Services, Microsoft Azure, Google Cloud, OpenStack, Datacenter, Laptop). Row labels: INFRA, INFRA OPS, SERVICE OPS, SERVICE]

Istio Multicluster

Multicluster Today: Calabi–Yau Manifold

Modeling Istio Multicluster

a = (a1, a2, a3, a4, a5, a6)

a1: Networks
a2: Clusters
a3: Control Planes
a4: Identities and Trusts
a5: Meshes
a6: Tenancy

Compactification

a = (a1, a2, a3, a4, a5, a6)

a1 (Networks): Minimize networks.
a2 (Cluster): Multiple clusters per zone.
a3 (Control Planes): Minimize Istio control planes to regions if possible.
a4 (Identities and Trusts): Permit a broad boundary on identities and trust.
a5 (Meshes): Multiple meshes are currently in design.
a6 (Tenancy): Tenancy is aligned with a namespace. Any limits K8s enforces on namespaces will result in reasonable boundaries.

Multicluster Demonstration

Single Cluster Hipster Shop Anatomy

Multiple Region (Three Clusters) Hipster Shop Anatomy

[Diagram: Internet, Frontend, ProductCatalogService, CurrencyService, CheckoutService, AdService, CartService, RedisService, RecommendationService, PaymentService, ShippingService, EmailService; region labels on the services: NA, EMEA, APAC]