丁成银 (Chandler Ding): Best practices for managing applications in a multicloud environment with k8s, Istio and Spinnaker

Text content
1. Best practices for managing applications in a multicloud environment with k8s/istio/spinnaker. Chandler Ding, Customer Engineer, Google Cloud
4. Chandler Ding, Customer Engineer, Google Cloud
5. Agenda: Why Multicloud? Dev and Devops Experience; Architecture; Applications; Routing, Resilience, Security
6. Multicloud Zero vendor lock-in Cost & Control Resiliency & Availability Services & Innovation Technology / Business Partnerships
7. Multicloud CHOICE
8. BigQuery Cloud Spanner Describe workloads Abstraction Developer MongoDB Kafka
9. CHOICE HETEROGENOUS
10. To PaaS or Not to PaaS
11. Opinionated Systems vs Freedom of Choice
12. HETEROGENEOUS vs HOMOGENEOUS: CULTURE & TOOLING
13. GCP Devops Tooling Automation Control On Prem / Other Cloud
14. SERVICE MESH: connect and secure applications. CI / CD: manage applications. ORCHESTRATION: run applications. CONTAINERIZATION: package applications.
15. ISTIO: connect and secure applications. SPINNAKER: manage applications. KUBERNETES: run applications. DOCKER: package applications.
16. 01 Running Applications with Kubernetes
17. Kubernetes is a declarative way to describe your applications API KUBERNETES CLOUD RESOURCES VM VPC STORAGE ROUTERS FW LB IAM
18. Kubernetes is a declarative way to describe your applications API KUBERNETES GCP VM VPC STORAGE ROUTERS On Prem / Cloud FW LB IAM VM VPC STORAGE ROUTERS FW LB IAM
19. Cluster Architecture & Management Kubernetes Cluster 1 Kubernetes Cluster 2 Kubernetes Cluster 3 Kubernetes Cluster 4 Kubernetes Cluster 5 Kubernetes Cluster 6 GCP GCP GCP On Prem On Prem Cloud
20. Cluster Independence & Cluster Consistency Cluster 1 Cluster 2 Cluster 3 Cluster 4 Namespace Developer Namespace Team_Dev Namespace Team_Eng Cluster 5 Cluster 6
21. Namespace Developer Namespace Team_Dev Prod Namespace Team_Eng Namespace Developer Namespace Team_Dev Stage Namespace Team_Eng Namespace Developer Namespace Team_Dev Namespace Team_Eng Dev
22. Federation vs Cluster Independence
23. 02 Managing applications with Spinnaker
24. An application in Kubernetes Cluster 1 ING SVC Cluster 2 Cluster 3 Cluster 4 Cluster 5 Cluster 6
25. An application in Kubernetes Cluster 1 Cluster 2 Cluster 3 Cluster 4 Cluster 5 Cluster 6 ING ING ING ING ING ING SVC SVC SVC SVC SVC SVC Application
26. CICD/ on Google Cloud Source Repository Source Cloud Build Container Cloud Registry Storage Build/ Test Artifact storage Deploy
27. CICD/ on Google Cloud: Source (Cloud Source Repository / CSR, Bitbucket) -> Build/Test (Cloud Build, Jenkins, Circle CI) -> Artifact storage (Container Registry, Cloud Storage, quay, Docker Hub) -> Deploy (jenkins, Codefresh)
28. Spinnaker Spinnaker is an open-source, multi-cloud, continuous delivery platform Application deployment Application management
29. Application centric management: Multicloud/Multicluster; Status and health; Safe Actions
30. Deployment Sequencing Pipelines Stages
31. Deployment Strategies
32. Canary Analysis
33. Canary Analysis
34. Canary Report
35. Automatic Canary Analysis
36. Safe Deployments: Execution Windows; Manual Judgements; Manual Rollbacks; Automated Rollbacks (trigger a pipeline that does a rollback on a failed deployment)
37. Security Providers Build/Bake Monitoring Triggers Notifications Storage Stages
38. 03 Connecting and Securing Applications with Istio
39. Everybody got all fired up about kubernetes and microservices and then were like ‘Oh, s--t, what’s going on?’ Istio gives us a view of our entire system and lets us find trouble spots. – An early adopter who will remain nameless
40. Service Mesh Transparently automate application network functions.
41. Separating applications from network functions
42. Secure, Monitor, Manage
Intelligent routing: ● Dynamic route configuration ● A/B tests ● Canaries ● Gradually upgrade versions
Resilience: ● Timeouts ● Retries ● Health checks ● Circuit breakers
Security & policy: ● Mutual TLS ● Organizational policy ● Access policies ● Rate Limiting
Telemetry: ● Service Dependencies ● Traffic Flow ● Distributed Tracing
43. Proxy topologies: Client -> Load Balancer (Edge Proxy) -> Backend; Internet -> Load Balancer (Middle Proxy) -> Backend; Service with Embedded Client Library -> Backend; Service with Sidecar Proxy -> Backend. Source: https://blog.envoyproxy.io/introduction-to-modern-network-load-balancing-and-proxying-a57f6ff80236
44. Envoy Lightweight L4/L7 Proxy Lightweight Resilient and Scalable HTTP/2 and gRPC Health checks, circuit breakers, timeouts, retry budgets No hot reloads - API driven config updates
45. Envoy Configuration: configured with Aggregated Discovery Services (ADS). Listeners: what Envoy listens for (LDS). Routes: where traffic can be sent (RDS). Clusters: how to send traffic (CDS). Endpoints: hosts able to receive traffic (EDS).
46. Istio Security Observability Traffic Management
47. Istio Architecture: Service A proxy <-> Service B proxy over HTTP/1.1, HTTP/2, gRPC or TCP, with or without mTLS. Control Plane API: Pilot (config data to Envoys), Mixer (policy checks, telemetry), Citadel (TLS certs to Envoys).
48. Routing Rules Custom discovery Service Topology Eureka Kubernetes Configures data plane Consul Pilot Rules API Platform Adapter Sidecar / Envoy Configuration Abstract Model Pilot Envoy API Service discovery & traffic rules Ingress Envoy Sidecar Envoy Sidecar Envoy Egress Envoy Ingress Agent Agent Agent
49. Mixer Telemetry pictures proxy proxy Extensible via Adapters API: /pictures Latency: 10ms Status Code: 503 src: 10.0.0.1 dst: 10.0.0.2 InfluxDB Prometheus Mixer Custom Policy / Quota Enforcement frontend
50. Citadel issues workload certificates. frontend (Envoy sidecar) SAN: "spiffe://example.local/ns/prod/sa/foo" (Namespace: prod, Service account: foo). payments (Envoy sidecar) SAN: "spiffe://example.local/ns/prod/sa/bar" (Namespace: prod, Service account: bar).
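The Citadel slide shows each workload's identity as a SPIFFE URI SAN of the form spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>, and the earlier feature slide lists mutual TLS and access policies. The following added example (not code from the deck or from Istio) parses that SAN and applies a deny-by-default access policy between the frontend and payments identities; the trust domain, identities and the policy table are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Istio/Citadel workload identity format shown on the slide:
#   spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>
SPIFFE_RE = re.compile(r"^spiffe://([A-Za-z0-9.-]+)/ns/([a-z0-9-]+)/sa/([a-z0-9-]+)$")

# Constructed sample identities mirroring the slide (example.local is a placeholder domain).
FRONTEND_SAN = "spiffe://example.local/ns/prod/sa/foo"
PAYMENTS_SAN = "spiffe://example.local/ns/prod/sa/bar"

@dataclass(frozen=True)
class Identity:
    trust_domain: str
    namespace: str
    service_account: str

def parse_spiffe_id(san: str) -> Identity:
    """Parse the URI SAN of a Citadel-issued cert; reject anything that is not a full identity."""
    m = SPIFFE_RE.match(san)
    if not m:
        raise ValueError(f"not a valid Istio SPIFFE identity: {san!r}")
    return Identity(*m.groups())

# Constructed access policy: (source ns, source sa) -> set of (dest ns, dest sa) it may call.
# Anything not listed is denied, so a new workload gets no access until the policy names it.
POLICY = {
    ("prod", "foo"): {("prod", "bar")},   # frontend (foo) may call payments (bar)
}

def is_allowed(src_san: str, dst_san: str, trust_domain: str = "example.local") -> bool:
    """Decide whether the mTLS peer identity src_san may reach dst_san (deny by default)."""
    try:
        src = parse_spiffe_id(src_san)
        dst = parse_spiffe_id(dst_san)
    except ValueError:
        return False          # malformed SAN: fail closed rather than guess
    if src.trust_domain != trust_domain or dst.trust_domain != trust_domain:
        return False          # certificates from another trust domain are never accepted
    allowed = POLICY.get((src.namespace, src.service_account), set())
    return (dst.namespace, dst.service_account) in allowed

if __name__ == "__main__":
    print("frontend -> payments:", is_allowed(FRONTEND_SAN, PAYMENTS_SAN))
    print("payments -> frontend:", is_allowed(PAYMENTS_SAN, FRONTEND_SAN))
```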
51. ISTIO: connect and secure applications. SPINNAKER: manage applications. KUBERNETES: run applications. DOCKER: package applications.
52. 04 One more thing ...or two
53. Traffic Director. Control path (TD): GCP-managed control plane: configuration of service proxies, traffic control, global LB, health checking; open xDSv2 APIs. Data path (traffic): Frontend, Shopping Cart, Payments, each behind a Proxy, over HTTP/1.1, HTTP/2, gRPC, TCP, TLS; self-managed docker service, VM-based service, GKE service. Data plane: services created with sidecar open service proxies like Envoy.
54. Traffic Director: Deploy service instances anywhere Traffic Director Frontend Shopping Cart Payments Proxy Proxy Proxy app-web-us-central1 app-cart-us-central1 app-payment-us-central1 Frontend Shopping Cart Payments Proxy Proxy Proxy app-web-asia-southeast1 Web Front-end app-cart-asia-southeast1 Shopping cart app-payment-asia-southeast1 Payment
55. Traffic Director: Cross-region failover and overflow
56. Introducing Google Cloud’s Anthos Google Cloud All Major Clouds Anthos lets you build and manage modern hybrid and multi-cloud applications without lock-in Build once, to run anywhere, across your existing on-premise infrastructure and all major public cloud providers On-Premise Data Center
57. Anthos: Bringing the cloud to you. Solutions CI/CD Serverless Core Services On-prem Marketplace Cloud Service management Logging & monitoring Config. management
58. Hybrid done right. A software-based stack means no hardware purchase required. Zero to deployed in less than a few hours rather than months. Built on open software for uniformity: one platform that can run both on-prem and in the cloud without lock-in. Infrastructure abstracted away: focus on building apps, not managing infrastructure.