KubeCon + CloudNativeCon North America 2018

Istio, the packet's-eye view (KubeCon NA 2018)

1. Do you need a Service Mesh? (@mt165, mt165.co.uk, @mt165pro) KubeCon Seattle, December 2018

2. Istio: the packet's-eye view. Objectives
● Learn how a packet traverses an Istio/Envoy/Kubernetes system
● See what control plane calls are made in that process
● Build a useful mental model for reasoning about, and debugging, Istio

3. Prerequisites
● Basic networking knowledge
● Intermediate Kubernetes knowledge
● An understanding of what Istio is and does

4. Environment
● Istio 1.0.3
● GKE Kubernetes 1.11
5. Background

6. Why?

7. (diagram slide, no extractable text)

8. (diagram slide, no extractable text)

9. Networking and Containers
10. Diagram of the ingress path: Load Balancer, Ingress (Envoy, serving *.example.com), Node port, Cluster IP, Service A (with Envoy proxies).

11. Diagram: Service A on its own.

12. Diagram: Service A with an Envoy sidecar in front of the SvcA process.
13. "Containers": an nginx process (with a supervisord parent) holding its own mnt, uts, pid, user, ipc and net namespaces.

14. Kubernetes Pods: nginx and fluentd (logger) containers, each with its own mnt and uts namespaces, sharing the pod's pid, user, ipc and net namespaces.

15. Kubernetes Pods: the shared net namespace holds the pod IP 192.168.0.42, eth0, lo, the route table, iptables rules and sockets; nginx and fluentd keep their own mnt and uts namespaces.

16. Kubernetes Pods: as on slide 15, with nginx listening on :8080/tcp.

17. Kubernetes Pods: the same pod with an envoy container beside nginx (nginx on :8080/tcp), both sharing the net namespace (192.168.0.42, eth0, lo, routes, iptables, sockets).
18. Sidecar Injection: the pod starts with only its shared user, ipc and net namespaces (192.168.0.42, eth0, lo, routes, iptables, sockets).

19. Sidecar Injection: an alpine init container runs sysctl -w kernel.core_pattern=... (core dump location for the proxy).

20. Sidecar Injection: the istio/proxy_init init container runs /usr/local/bin/prepare_proxy.sh -p 15001 -u 1337, installing the iptables rules that redirect the pod's TCP traffic to port 15001 while exempting the uid (1337) the proxy runs as.

21. Sidecar Injection: the nginx and istio/proxy (envoy) containers run side by side, envoy listening on :15001/tcp; each has its own mnt, uts and pid namespaces, and they share user, ipc and net.
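To make the proxy_init step concrete, here is a small Python model of what `prepare_proxy.sh -p 15001 -u 1337` leaves behind in the pod's nat table, together with a check a defender can run over pod specs. This is an added example, not code from the talk or from the Istio project: the rule order and chain names are a simplification of Istio 1.0's istio-iptables script (an assumption, not a quotation), the inbound capture assumes the default of all ports, and the pod spec is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values from the slide's proxy_init invocation: prepare_proxy.sh -p 15001 -u 1337
ENVOY_PORT = 15001   # every captured connection is REDIRECTed here
ENVOY_UID = 1337     # the uid Envoy runs as; sockets owned by it are exempt


@dataclass(frozen=True)
class Packet:
    direction: str                    # "in" = arrived on eth0, "out" = locally generated
    dst_addr: str
    dst_port: int
    proto: str = "tcp"
    owner_uid: Optional[int] = None   # socket owner; only known in the OUTPUT chain


def nat_decision(pkt: Packet) -> Tuple[str, int]:
    """Model of the nat-table rules: ("redirect", 15001) or ("pass", port).

    Assumed rule order (simplified from Istio 1.0's istio-iptables, with the
    default of capturing every inbound port):
      PREROUTING: tcp on eth0     -> ISTIO_INBOUND -> REDIRECT :15001
      OUTPUT:     owner uid 1337  -> RETURN (Envoy's own upstream connections)
      OUTPUT:     dst 127.0.0.1   -> RETURN (loopback stays local)
      OUTPUT:     any other tcp   -> ISTIO_OUTPUT  -> REDIRECT :15001
    """
    if pkt.proto != "tcp":
        return ("pass", pkt.dst_port)          # only TCP is captured
    if pkt.direction == "in":
        return ("redirect", ENVOY_PORT)        # the app port is never reached directly
    if pkt.owner_uid == ENVOY_UID:
        return ("pass", pkt.dst_port)
    if pkt.dst_addr == "127.0.0.1":
        return ("pass", pkt.dst_port)
    return ("redirect", ENVOY_PORT)


def sidecar_bypass_containers(pod: dict) -> List[str]:
    """Defender check: a non-proxy container running as Envoy's uid has its
    outbound traffic RETURNed past the proxy, so it leaves the mesh with no
    policy, mTLS or telemetry. Container securityContext overrides the
    pod-level one, as in Kubernetes."""
    pod_uid = pod["spec"].get("securityContext", {}).get("runAsUser")
    flagged = []
    for c in pod["spec"]["containers"]:
        uid = c.get("securityContext", {}).get("runAsUser", pod_uid)
        if uid == ENVOY_UID and c["name"] != "istio-proxy":
            flagged.append(c["name"])
    return flagged


# Constructed pod spec (not from the talk): a web container that was given
# uid 1337 by mistake, next to the injected istio-proxy sidecar.
SAMPLE_POD = {"spec": {"containers": [
    {"name": "nginx", "securityContext": {"runAsUser": 1337}},
    {"name": "istio-proxy", "securityContext": {"runAsUser": 1337}},
]}}

if __name__ == "__main__":
    print(nat_decision(Packet("in", "192.168.0.42", 8080)))
    print(nat_decision(Packet("out", "10.0.0.244", 80, owner_uid=1000)))
    print(nat_decision(Packet("out", "10.0.0.244", 80, owner_uid=ENVOY_UID)))
    print(sidecar_bypass_containers(SAMPLE_POD))
```

The uid exemption exists so that Envoy's upstream connections are not looped back into Envoy, but iptables matches the owner uid, not the container, so any process in the pod that runs as 1337 gets the same exemption; that is what the second function looks for.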
22. Diagram: Service A with its Envoy sidecar in front of the SvcA process.

23. Pilot and Routing

24. Diagram: Envoy in front of SvcA, with question marks on how Envoy learns where the instances of Service A are and how to route to them.
25. Services
$ kubectl get services -o wide | grep httpbin
httpbin   NodePort   10.0.0.244   <none>   80:30082/TCP   16m   app=httpbin

26. Service DNS exposure
# dig httpbin.default.svc.cluster.local
httpbin.default.svc.cluster.local. 23 IN A 10.0.0.244

27. Pods
$ kubectl get pods -o wide | grep httpbin
httpbin-76ddd74666-2m6ds   1/1   Running   0   16m   172.17.0.13   minikube
httpbin-76ddd74666-ls66n   1/1   Running   0   16m   172.17.0.12   minikube
httpbin-76ddd74666-x5ql2   1/1   Running   0   16m   172.17.0.5    minikube

28. Endpoints
$ kubectl get endpoints | grep httpbin
httpbin   172.17.0.12:8000,172.17.0.13:8000,172.17.0.5:8000   21m

29. Endpoints
$ kubectl get endpoints httpbin -o yaml
apiVersion: v1
kind: Endpoints
…
subsets:
- addresses:
  - ip: 172.17.0.12
    nodeName: minikube
    targetRef:
      kind: Pod
      …
  ports:
  - name: http
    port: 8000
    protocol: TCP
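What Pilot hands Envoy is built from these objects, not from the Cluster IP that DNS returns. The following Python is an added example, not Pilot's code: it turns a constructed JSON rendering of the Endpoints object above into the member list a sidecar load-balances over. The cluster naming `outbound|<service port>|<subset>|<host>` is Istio's convention; the not-ready address is constructed to show that it is excluded.

```python
import json

# Constructed JSON equivalent of `kubectl get endpoints httpbin -o yaml` from
# the slide, with one not-ready address added to show that it is skipped.
ENDPOINTS_JSON = """
{
  "apiVersion": "v1",
  "kind": "Endpoints",
  "metadata": {"name": "httpbin", "namespace": "default"},
  "subsets": [{
    "addresses": [
      {"ip": "172.17.0.12", "nodeName": "minikube", "targetRef": {"kind": "Pod"}},
      {"ip": "172.17.0.13", "nodeName": "minikube", "targetRef": {"kind": "Pod"}},
      {"ip": "172.17.0.5",  "nodeName": "minikube", "targetRef": {"kind": "Pod"}}
    ],
    "notReadyAddresses": [
      {"ip": "172.17.0.99", "nodeName": "minikube", "targetRef": {"kind": "Pod"}}
    ],
    "ports": [{"name": "http", "port": 8000, "protocol": "TCP"}]
  }]
}
"""

SERVICE_PORT = 80          # from `kubectl get services`: 80:30082/TCP
CLUSTER_IP = "10.0.0.244"  # what DNS returns for httpbin.default.svc.cluster.local


def cluster_name(host, service_port, subset=""):
    """Istio's outbound cluster naming: outbound|<service port>|<subset>|<host>."""
    return "outbound|%d|%s|%s" % (service_port, subset, host)


def endpoints_to_assignment(endpoints_doc, service_port):
    """Map an Endpoints object to the (ip, port) members Envoy balances over.

    The service port (80) only names the cluster; the members are pod IPs on
    the target port (8000). Not-ready addresses are left out, as Pilot does."""
    ep = json.loads(endpoints_doc)
    host = "%s.%s.svc.cluster.local" % (ep["metadata"]["name"],
                                        ep["metadata"]["namespace"])
    members = []
    for subset in ep.get("subsets", []):
        for port in subset.get("ports", []):
            if port.get("protocol", "TCP") != "TCP":
                continue
            for addr in subset.get("addresses", []):
                members.append((addr["ip"], port["port"]))
    return {"cluster": cluster_name(host, service_port), "endpoints": sorted(members)}


if __name__ == "__main__":
    assignment = endpoints_to_assignment(ENDPOINTS_JSON, SERVICE_PORT)
    print(assignment["cluster"])
    for ip, port in assignment["endpoints"]:
        print("  %s:%d  (Cluster IP %s is never a member)" % (ip, port, CLUSTER_IP))
```

The practical consequence for debugging: when a sidecar cannot reach httpbin, the kube-proxy rules for 10.0.0.244 are irrelevant, because the Envoy connects to 172.17.0.x:8000 directly; `istioctl proxy-config` against the sidecar shows whether those members arrived.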
30. Diagram: the Control Plane API feeds Pilot, which pushes config to the Envoys in front of Service A (SvcA).

31. Diagram: Pilot's Control Plane API takes service data from platform adapters (k8s, consul, zk) and serves it to the Envoys over the Data plane API.

32. Demo: set up

33. Demo: proxy-config

34. Envoy
35. Ingress Routing
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

36. Ingress Routing
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080

37. Traffic Mirroring
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - httpbin
  http:
  - route:
    - destination:
        host: httpbin
        subset: v1
      weight: 100
    mirror:
      host: httpbin
      subset: v2

38. Traffic Shifting
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 50
    - destination:
        host: reviews
        subset: v3
      weight: 50

39. Canary Deployments
● Send a small amount of traffic
● Test on traffic with specific headers / cookies / user-agents / etc
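Route selection for the VirtualServices on the ingress, mirroring and shifting slides, plus the header-based canary the last slide describes, as an added Python example. It is not Envoy's router (Envoy compiles these objects into route configuration); it is a model of the same decisions in the same order. The VirtualService dicts are transcriptions of the slides; REVIEWS_CANARY_VS (header end-user: jason goes to v2) is hypothetical, and header names are assumed to be lower-cased, as Envoy stores them.

```python
import random
import re

# Transcriptions of the slides' VirtualServices, plus one hypothetical canary rule.
BOOKINFO_VS = {"spec": {"hosts": ["*"], "gateways": ["bookinfo-gateway"], "http": [
    {"match": [{"uri": {"exact": "/productpage"}}, {"uri": {"exact": "/login"}},
               {"uri": {"exact": "/logout"}}, {"uri": {"prefix": "/api/v1/products"}}],
     "route": [{"destination": {"host": "productpage", "port": {"number": 9080}}}]}]}}

HTTPBIN_MIRROR_VS = {"spec": {"hosts": ["httpbin"], "http": [
    {"route": [{"destination": {"host": "httpbin", "subset": "v1"}, "weight": 100}],
     "mirror": {"host": "httpbin", "subset": "v2"}}]}}

REVIEWS_SHIFT_VS = {"spec": {"hosts": ["reviews"], "http": [
    {"route": [{"destination": {"host": "reviews", "subset": "v1"}, "weight": 50},
               {"destination": {"host": "reviews", "subset": "v3"}, "weight": 50}]}]}}

REVIEWS_CANARY_VS = {"spec": {"hosts": ["reviews"], "http": [   # hypothetical canary
    {"match": [{"headers": {"end-user": {"exact": "jason"}}}],
     "route": [{"destination": {"host": "reviews", "subset": "v2"}}]},
    {"route": [{"destination": {"host": "reviews", "subset": "v1"}}]}]}}


def _string_match(cond, value):
    """Istio StringMatch: exactly one of exact / prefix / regex."""
    if "exact" in cond:
        return value == cond["exact"]
    if "prefix" in cond:
        return value.startswith(cond["prefix"])
    if "regex" in cond:
        return re.fullmatch(cond["regex"], value) is not None
    return False


def _match_entry(entry, request):
    """Every condition inside one match entry must hold (AND)."""
    if "uri" in entry and not _string_match(entry["uri"], request["path"]):
        return False
    for name, cond in entry.get("headers", {}).items():
        if not _string_match(cond, request.get("headers", {}).get(name.lower(), "")):
            return False
    return True


def select_route(vs, request, rng=None):
    """Walk the http routes in order; the first whose match list (OR across
    entries) succeeds wins. Returns the chosen destination and any mirror,
    or None when nothing matches (Envoy answers 404 in that case)."""
    rng = rng or random.Random()
    for route in vs["spec"]["http"]:
        if "match" in route and not any(_match_entry(e, request) for e in route["match"]):
            continue
        dests = route["route"]
        if len(dests) == 1:                       # a lone destination is implicitly weight 100
            chosen = dests[0]["destination"]
        else:
            weights = [d.get("weight", 0) for d in dests]
            total = sum(weights)
            pick = rng.randrange(total) if total else 0
            chosen, acc = dests[0]["destination"], 0
            for d, w in zip(dests, weights):
                acc += w
                if pick < acc:
                    chosen = d["destination"]
                    break
        return {"destination": chosen, "mirror": route.get("mirror")}
    return None


def subset_share(vs, subset, n=1000, seed=0):
    """Fraction of n seeded requests that land on `subset` (for checking weights)."""
    rng = random.Random(seed)
    hits = sum(select_route(vs, {"path": "/", "headers": {}}, rng)["destination"]
               .get("subset") == subset for _ in range(n))
    return hits / n
```

The mirror entry never changes the answer the caller sees: Envoy sends the copy to `httpbin` v2 fire-and-forget (with the Host header suffixed `-shadow`) and discards its response, which is why mirroring is safe for testing but doubles the load on whatever v2 talks to.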
40. Circuit Breaking
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: httpbin
spec:
  host: httpbin
  trafficPolicy:
    outlierDetection:
      consecutiveErrors: 1
      interval: 1s
      baseEjectionTime: 3m
      maxEjectionPercent: 100
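How those four outlierDetection fields interact is easier to see on a simulated endpoint set than from the YAML. The Python below is an added example, not Envoy's outlier detector: it models Envoy's behaviour (ejection on consecutive 5xx, ejection time growing with the number of ejections, the maxEjectionPercent cap evaluated against hosts already ejected, restoration on the interval sweep) with the slide's values as defaults, and uses the three httpbin pod IPs from the earlier slides as the constructed host set.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class OutlierConfig:
    # Defaults are the slide's DestinationRule values. Envoy's own default
    # for max_ejection_percent is 10; the slide raises it to 100.
    consecutive_errors: int = 1
    interval_s: float = 1.0
    base_ejection_s: float = 180.0
    max_ejection_percent: int = 100


@dataclass
class HostState:
    consecutive_errors: int = 0
    ejected_until: Optional[float] = None
    ejection_count: int = 0


class OutlierDetector:
    """Passive health checking modelled on Envoy: a host that answers
    `consecutive_errors` 5xx in a row is ejected for
    base_ejection_s * (times it has been ejected so far), provided the
    share of already-ejected hosts is still below max_ejection_percent."""

    def __init__(self, hosts: List[str], cfg: OutlierConfig):
        self.cfg = cfg
        self.hosts: Dict[str, HostState] = {h: HostState() for h in hosts}

    def _ejected(self, host: str) -> bool:
        return self.hosts[host].ejected_until is not None

    def record(self, host: str, status: int, now: float) -> bool:
        """Feed one upstream response; True if it caused an ejection."""
        st = self.hosts[host]
        if status < 500:
            st.consecutive_errors = 0
            return False
        st.consecutive_errors += 1
        if st.consecutive_errors < self.cfg.consecutive_errors or self._ejected(host):
            return False
        st.consecutive_errors = 0
        ejected_pct = 100 * sum(self._ejected(h) for h in self.hosts) // len(self.hosts)
        if ejected_pct >= self.cfg.max_ejection_percent:
            return False                   # the cap blocks this ejection
        st.ejection_count += 1
        st.ejected_until = now + self.cfg.base_ejection_s * st.ejection_count
        return True

    def sweep(self, now: float) -> None:
        """Runs once per `interval`: hosts whose ejection expired come back."""
        for st in self.hosts.values():
            if st.ejected_until is not None and now >= st.ejected_until:
                st.ejected_until = None

    def healthy(self) -> List[str]:
        return sorted(h for h in self.hosts if not self._ejected(h))


if __name__ == "__main__":
    pods = ["172.17.0.12", "172.17.0.13", "172.17.0.5"]   # httpbin pods from the slides
    d = OutlierDetector(pods, OutlierConfig())
    d.record("172.17.0.5", 503, now=0.0)
    print("after one 503:", d.healthy())
    d.sweep(now=180.0)
    print("after 3m:", d.healthy())
```

Two things worth checking in a real DestinationRule: with Envoy's default maxEjectionPercent of 10, a three-host cluster can only ever lose one host (the second candidate is blocked because 33% are already ejected), and with 100, as on the slide, every host can be ejected, at which point Envoy's panic threshold (50% healthy by default) makes it route to all hosts again rather than fail every request.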
41. Fault Injection
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ratings
spec:
  hosts:
  - ratings
  http:
  - route:
    - destination:
        host: ratings
        subset: v1
    fault:
      delay:
        percent: 100
        fixedDelay: 7s
42. Mixer

43. Diagram: Pilot pushes config to the Envoys in front of Service A and Service B.

44. Diagram: Mixer joins the control plane beside Pilot, handling policy checks and telemetry for the Envoys in front of SvcA and SvcB.

45. IP 5-tuple: (src_addr, src_port, dst_addr, dst_port, proto)

46. IP Router Architecture: the control plane (BGP, OSPF, ARP, STP, running as user processes) builds the Router Information Base; the data plane (kernel module, interrupt driven) forwards using the Forwarding Information Base.

47. IP Router Architecture mapped onto Istio: Pilot and Mixer sit in the control plane (the RIB side), Envoy is the data plane (the FIB side).

48. Diagram: each Envoy carries a "Mixer fat client". Before forwarding it makes a CHECK call (RBAC, rate limit); afterwards a REPORT call feeds the telemetry backends (prom, ES).

49. Demo: Tracing

50. Demo: Metrics

51. Demo: Service Graph
52. Logs
apiVersion: "config.istio.io/v1alpha2"
kind: logentry
metadata:
  name: newlog
  namespace: istio-system
spec:
  severity: '"info"'
  timestamp: request.time
  variables:
    source: source.labels["app"] | source.workload.name | "unknown"
    user: source.user | "unknown"
    destination: destination.labels["app"] | destination.workload.name | "unknown"
    responseCode: response.code | 0
    responseSize: response.size | 0
    latency: response.duration | "0ms"
  monitored_resource_type: '"UNSPECIFIED"'

53. Logs
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: newlogtofluentd
  namespace: istio-system
spec:
  match: "true" # match for all requests
  actions:
  - handler: handler.fluentd
    instances:
    - newlog.logentry

54. Logs
apiVersion: "config.istio.io/v1alpha2"
kind: fluentd
metadata:
  name: handler
  namespace: istio-system
spec:
  address: "fluentd-es.logging:24224"
55. ACLs / Authorization
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: details-reviews-viewer
  namespace: default
spec:
  rules:
  - services: ["details.default.svc.cluster.local", "reviews.default.svc.cluster.local"]
    methods: ["GET"]

56. ACLs / Authorization
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-details-reviews
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/bookinfo-productpage"
  roleRef:
    kind: ServiceRole
    name: "details-reviews-viewer"
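The CHECK that Mixer answers for these two objects is a deny-by-default lookup: binding, then role, then rule. The Python below is an added example, not Mixer's RBAC adapter; it evaluates the slide's ServiceRole and ServiceRoleBinding (transcribed as dicts) against requests described by destination service, method, path and the caller's principal. Wildcard handling with `fnmatch` and the assumption that `user` compares against the mTLS peer identity (source.principal) are this example's, and the request inputs are constructed.

```python
from fnmatch import fnmatchcase

# The ServiceRole and ServiceRoleBinding from the slides, as dicts.
SERVICE_ROLES = {
    "details-reviews-viewer": {
        "namespace": "default",
        "rules": [{
            "services": ["details.default.svc.cluster.local",
                         "reviews.default.svc.cluster.local"],
            "methods": ["GET"],
        }],
    },
}
BINDINGS = [{
    "namespace": "default",
    "subjects": [{"user": "cluster.local/ns/default/sa/bookinfo-productpage"}],
    "roleRef": {"kind": "ServiceRole", "name": "details-reviews-viewer"},
}]


def _rule_matches(rule: dict, req: dict) -> bool:
    """services/paths accept "*" wildcards (prefix, suffix or bare *);
    methods are exact or "*"; a field that is absent matches everything."""
    svc_ok = any(fnmatchcase(req["service"], s) for s in rule.get("services", ["*"]))
    meth_ok = any(m in ("*", req["method"]) for m in rule.get("methods", ["*"]))
    path_ok = any(fnmatchcase(req.get("path", "/"), p) for p in rule.get("paths", ["*"]))
    return svc_ok and meth_ok and path_ok


def _subject_matches(subject: dict, req: dict) -> bool:
    """`user` is the peer identity Envoy takes from the caller's mTLS
    certificate (source.principal). Without mTLS there is no principal,
    so nothing but user: "*" can match."""
    principal = req.get("principal")
    if "user" in subject:
        return subject["user"] == "*" or (principal is not None and subject["user"] == principal)
    return False


def authorize(req: dict, roles=SERVICE_ROLES, bindings=BINDINGS) -> bool:
    """Deny by default: allow only when a binding in the destination's
    namespace names the caller and points at a role with a matching rule."""
    for b in bindings:
        if not any(_subject_matches(s, req) for s in b["subjects"]):
            continue
        role = roles.get(b["roleRef"]["name"])
        if role is None or role["namespace"] != b["namespace"]:
            continue
        if any(_rule_matches(r, req) for r in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    caller = "cluster.local/ns/default/sa/bookinfo-productpage"
    for svc, method in [("details.default.svc.cluster.local", "GET"),
                        ("reviews.default.svc.cluster.local", "POST"),
                        ("ratings.default.svc.cluster.local", "GET")]:
        print(svc, method, "->", authorize({"service": svc, "method": method, "principal": caller}))
```

The last assertion in the test is the one to keep in mind when rolling this out: the binding only ever matches when the caller presented a Citadel-issued certificate, so a workload that was not injected, or a namespace where mTLS is still permissive, gets denied rather than quietly allowed.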
57. Rate Limiting
apiVersion: "config.istio.io/v1alpha2"
kind: memquota
metadata:
  name: handler
  namespace: istio-system
spec:
  quotas:
  - name: requestcount.quota.istio-system
    maxAmount: 500
    validDuration: 1s

58. Rate Limiting
apiVersion: "config.istio.io/v1alpha2"
kind: quota
metadata:
  name: requestcount
  namespace: istio-system
spec:
  dimensions:
    source: request.headers["x-forwarded-for"] | "unknown"
    destination: destination.labels["app"] | destination.workload.name | "unknown"
    destinationVersion: destination.labels["version"] | "unknown"

59. Rate Limiting
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: quota
  namespace: istio-system
spec:
  actions:
  - handler: handler.memquota
    instances:
    - requestcount.quota

60. Rate Limiting
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpec
metadata:
  name: request-count
  namespace: istio-system
spec:
  rules:
  - quotas:
    - charge: 1
      quota: requestcount

61. Rate Limiting
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpecBinding
metadata:
  name: request-count
  namespace: istio-system
spec:
  quotaSpecs:
  - name: request-count
    namespace: istio-system
  services:
  - name: productpage
    namespace: default
```
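The five objects above chain a quota instance (whose dimensions are Mixer attribute expressions) to a memquota handler, so the effective limit is 500 requests per second per distinct dimension tuple. The Python below is an added example, not the memquota adapter or Mixer's expression language: it evaluates the `a | b | "default"` form of the slide's dimensions over a subset of the language (bare attributes, `attr["key"]` map lookups, string literals; an assumption of this example), keys a fixed-window counter on the result, and uses constructed request attributes to show which requests share a bucket.

```python
import re
from typing import Dict, Tuple

# memquota handler from the slide: 500 requests per 1s window
MAX_AMOUNT = 500
VALID_DURATION_S = 1.0

# quota instance dimensions from the slide (Mixer attribute expressions)
DIMENSIONS = {
    "source": 'request.headers["x-forwarded-for"] | "unknown"',
    "destination": 'destination.labels["app"] | destination.workload.name | "unknown"',
    "destinationVersion": 'destination.labels["version"] | "unknown"',
}

_MAP_LOOKUP = re.compile(r'([\w.]+)\["([^"]+)"\]')


def eval_expr(expr: str, attrs: dict):
    """Evaluate `a | b | "default"`: the first alternative that resolves wins.
    Subset handled (an assumption of this example): bare attribute names,
    map lookups attr["key"], and double-quoted string literals."""
    for alt in (part.strip() for part in expr.split("|")):
        if len(alt) >= 2 and alt[0] == alt[-1] == '"':
            return alt[1:-1]
        m = _MAP_LOOKUP.fullmatch(alt)
        value = attrs.get(m.group(1), {}).get(m.group(2)) if m else attrs.get(alt)
        if value is not None:
            return value
    return None


def quota_key(dimensions: Dict[str, str], attrs: dict) -> Tuple:
    """memquota keeps one counter per distinct dimension tuple."""
    return tuple((name, eval_expr(expr, attrs)) for name, expr in sorted(dimensions.items()))


class MemQuota:
    """Fixed-window in-memory quota, in the spirit of the memquota adapter
    (which keeps its counters per Mixer pod, not cluster-wide)."""

    def __init__(self, max_amount: int, valid_duration_s: float):
        self.max_amount = max_amount
        self.valid_duration_s = valid_duration_s
        self.windows: Dict[Tuple, Tuple[float, int]] = {}

    def check(self, key: Tuple, now: float, charge: int = 1) -> bool:
        """One CHECK call: returns False when the charge would exceed the window."""
        start, used = self.windows.get(key, (now, 0))
        if now - start >= self.valid_duration_s:
            start, used = now, 0                 # window expired: reset
        if used + charge > self.max_amount:
            self.windows[key] = (start, used)    # over quota: Mixer denies with 429
            return False
        self.windows[key] = (start, used + charge)
        return True


def attrs_for(xff, app="productpage", version="v1"):
    """Constructed request attributes (not a Mixer capture)."""
    headers = {} if xff is None else {"x-forwarded-for": xff}
    return {"request.headers": headers,
            "destination.labels": {"app": app, "version": version},
            "destination.workload.name": app + "-" + version}


if __name__ == "__main__":
    q = MemQuota(MAX_AMOUNT, VALID_DURATION_S)
    key = quota_key(DIMENSIONS, attrs_for("203.0.113.7"))
    print(key)
    print("allowed in first second:", sum(q.check(key, 0.0) for _ in range(600)))
```

The `source` dimension is where to look twice: `request.headers["x-forwarded-for"]` is whatever the last hop wrote, so the limit is per client only if the ingress gateway sets that header and nothing in front of the mesh lets a client supply its own; otherwise every new header value opens a fresh 500-request window, which the last test line shows.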
62. Citadel, mTLS, Egress

63. Diagram: Pilot (config to Envoys) and Mixer (policy checks, telemetry) over the Envoys in front of Service A and Service B.

64. Diagram: Citadel joins the control plane, issuing TLS certs to the Envoys.

65. Diagram: same components as slide 64.

66. Diagram: the Control Plane API is the Kubernetes API Server backed by etcd; istioctl writes config into it and Pilot, Mixer and Citadel read from it.

67. Diagram: the full mesh, with an Ingress Envoy, sidecar Envoys in front of Service A, Service B and the other services, and an Egress Envoy, all configured by Pilot, policed by Mixer and given certs by Citadel.
68. Egress Routing
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: https-wikipedia-org
spec:
  hosts:
  - wikipedia.org
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
  endpoints:
  - address: istio-egressgateway.istio-system.svc.cluster.local
    ports:
      http: 443

69. Egress Routing
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: https-wikipedia-org-egress
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: https-wikipedia-org-egress-443
      protocol: TLS # Mark as TLS as we are passing HTTPS through.
    hosts:
    - wikipedia.org
    tls:
      mode: PASSTHROUGH

70. Egress Routing
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: egress-wikipedia-org
spec:
  hosts:
  - wikipedia.org
  gateways:
  - https-wikipedia-org-egress
  tls:
  - match:
    - port: 443
      sniHosts:
      - wikipedia.org
    route:
    - destination:
        host: egress-wikipedia-org

71. Egress Routing
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: egress-https-wikipedia-org
spec:
  hosts:
  - egress-wikipedia-org
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
  endpoints:
  - address: wikipedia.org
    ports:
      http: 443
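With `tls.mode: PASSTHROUGH` the egress gateway never decrypts the connection, so the only thing the VirtualService's `sniHosts` match can look at is the server_name extension in the ClientHello. The Python below is an added example, not Envoy's TLS inspector: it builds a minimal ClientHello (constructed test input, not a capture), extracts the SNI the way a passthrough listener must, and applies the match semantics of the slide's `tls` rule (exact host or `*.suffix`). The `egress_route` function and its return values are this example's.

```python
import struct
from typing import List, Optional, Tuple


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello carrying one SNI entry (constructed input)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list        # server_name extension
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"       # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
            + b"\x01\x00"                               # null compression
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS record to the ClientHello's server_name extension, the only
    routing key a PASSTHROUGH gateway has. None when absent or malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    i = 2 + 32                                        # client_version + random
    if len(p) < i + 1:
        return None
    i += 1 + p[i]                                     # session_id
    if len(p) < i + 2:
        return None
    i += 2 + struct.unpack("!H", p[i:i + 2])[0]       # cipher_suites
    if len(p) < i + 1:
        return None
    i += 1 + p[i]                                     # compression_methods
    if len(p) < i + 2:
        return None                                   # no extensions block
    end = min(i + 2 + struct.unpack("!H", p[i:i + 2])[0], len(p))
    i += 2
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", p[i:i + 4])
        data, i = p[i + 4:i + 4 + elen], i + 4 + elen
        if etype != 0 or len(data) < 2:
            continue
        list_end = min(2 + struct.unpack("!H", data[:2])[0], len(data))
        j = 2
        while j + 3 <= list_end:
            ntype, nlen = data[j], struct.unpack("!H", data[j + 1:j + 3])[0]
            j += 3
            if ntype == 0:
                return data[j:j + nlen].decode("ascii", "replace")
            j += nlen
    return None


def egress_route(record: bytes, sni_hosts: List[str]) -> Tuple[str, Optional[str]]:
    """The VirtualService `tls` match on sniHosts: exact host or `*.suffix`.
    A connection with no matching SNI has no route and is closed."""
    sni = extract_sni(record)
    if sni is None:
        return ("reject", None)
    for host in sni_hosts:
        if sni == host or (host.startswith("*.") and sni.endswith(host[1:])):
            return ("route", sni)
    return ("reject", sni)


if __name__ == "__main__":
    for name in ("wikipedia.org", "example.com"):
        print(name, "->", egress_route(build_client_hello(name), ["wikipedia.org"]))
```

Because the SNI is plaintext and chosen by the client, the gateway is trusting the workload's own claim about where it is going; what keeps that honest in the slide's setup is that the matched route only leads to the `egress-wikipedia-org` ServiceEntry, whose DNS resolution of wikipedia.org decides the real destination. A VirtualService that matched `sniHosts: ["*"]` would hand that decision back to the client.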
72. Recap
We learned:
● How a packet traverses an Istio/Envoy/Kubernetes system
● What control plane calls are made in that process
● A useful mental model for reasoning about, and debugging, Istio
73. Do you need a Service Mesh? Thanks! @mt165 @mt165pro
