Agenda
Workshop runs from 12:00 PM to 5:00 PM
- Lunch at 14:30 PM
Multiple sections - theory + exercises
- Introduction to Containers
- Docker and Kubernetes
- Istio Service Mesh
- Traffic Routing
- Resiliency
- Security
2 / 112
Introduction
- I am Peter (@pjausovec)
- Software Engineer at Oracle
- Working on "cloud-native" stuff
- Books:
- Cloud Native: Using Containers, Functions, and Data to Build Next-Gen Apps
- SharePoint Development
- VSTO For Dummies
- Courses:
- Kubernetes Course (https://startkubernetes.com)
- Istio Service Mesh Course (https://learnistio.com)
3 / 112
By helpameout - Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=20337780
5 / 112
6 / 112
Virtualization
- 2006: VMWare Server
- Run multiple OS on the same host
- Expensive: multiple kernels, OS ...
7 / 112
8 / 112
Docker
- First public release in 2013
- Containers existed in Linux for >10 years
- Slice the OS to securely run multiple applications
- Namespaces, cGroups
9 / 112
10 / 112
11 / 112
12 / 112
What is Docker?
Docker Engine (daemon) + CLI
13 / 112
Dockerfile
FROM ubuntu:18.04WORKDIR /appCOPY hello.sh /appRUN chmod +x hello.shRUN apt-get updateRUN apt-get install curl -yCMD ["./hello.sh"]14 / 112
Docker image
- Collection of layers from
Dockerfile(one layer per command) - Layers are stacked on top of each other
- Each layer is a delta from the layer before it
- All layers are read-only
15 / 112
Docker image
16 / 112
Image names
- Image = repository + image name + tagmycompany/hello-world:1.0.1
- All images get a default tag called latest
- Tag = version or variant of an image
17 / 112
Docker Registry
- Place to store your Docker images
- Public and private repositories
- Docker Hub (https://hub.docker.com)
- Every cloud provider has its own
- You can also store images locally, on your Docker host
18 / 112
19 / 112
20 / 112
21 / 112
Container Orchestration
- Provision and deploy containers onto nodes
- Resource management/scheduling containers
- Health monitoring
- Scaling
- Connect to networking
- Internal load balancing
22 / 112
Kubernetes Overview
- Most popular choice for cluster management and scheduling container-centric workloads
- Open source project for running and managing containers
- K8S = KuberneteS
Definitions
Portable, extensible, open-source platform for managing containerized workloads and services
Container-orchestration system for automating application deployment, scaling, and management
23 / 112
Kubernetes Architecture
24 / 112
25 / 112
26 / 112
Kubernetes Resources
Multiple resources defined in the Kubernetes API
- namespaces
- pods
- services
- secrets
- ...
Custom resources as well!
- CRD (Custom Resource Definition)
27 / 112
28 / 112
Pods
- Smallest deployable/manageable/scalable unit
- Logic grouping of containers
- All running on the same node
- Share namespace, network, and volumes
- Has a unique IP
- Controlled by a ReplicaSet
29 / 112
Pods
apiVersion: v1kind: Podmetadata: name: myapp-pod labels: app: myappspec: containers: - name: myapp-container image: busybox command: ['sh', '-c', 'echo Hello Minsk! && sleep 3600']30 / 112
ReplicaSet
- Ensures specified number of pod replicas is running
- Creates and deletes pods as needed
- Selector + Pod template + Replica count
31 / 112
apiVersion: apps/v1kind: ReplicaSetmetadata: name: myapp labels: app: myappspec: replicas: 5 selector: matchLabels: app: myapp template: metadata: labels: app: myapp spec: containers: - name: myapp-container image: busybox command: ['sh', '-c', 'echo Hello Minsk! && sleep 3600']32 / 112
Demo
Pods and ReplicaSets
33 / 112
Deployments
- Describes desired state
- Manages updates
- Controlled roll-out from actual state to the desired state
34 / 112
apiVersion: apps/v1kind: Deploymentmetadata: name: myapp labels: app: myappspec: replicas: 5 selector: matchLabels: app: myapp template: metadata: labels: app: myapp spec: containers: - name: myapp-container image: busybox command: ['sh', '-c', 'echo Hello Minsk! && sleep 3600']35 / 112
36 / 112
37 / 112
38 / 112
39 / 112
40 / 112
Services
- Define a logical set of pods
- Pods are determined using labels (selector)
- Reliable, fixed IP address
- Automatic DNS entries
- E.g.
hello-web.default
- E.g.
41 / 112
kind: ServiceapiVersion: v1metadata: name: myapp labels: app: myappspec: selector: app: myapp ports: - port: 80 name: http targetPort: 300042 / 112
Services
ClusterIP
- Service is exposed on a cluster-internal iP (default)
NodePort
- Uses the same static port on each cluster node to expose the service
LoadBalancer
- Uses cloud providers' load balancer to expose the service
ExternalName
- Maps the service to a DNS name
43 / 112
Ingress
- Exposes HTTP/HTTPS routes from outside the cluster to services within the cluster
- Ingress controller uses a load balancer to handle the traffic (based on the ingress rules)
- Fanout and name based virtual hosting support:
- blog.example.com -> blog-service.default
- chat.example.com -> chat-service.default
44 / 112
apiVersion: networking.k8s.io/v1beta1kind: Ingressmetadata: name: ingress-example annotations: nginx.ingress.kubernetes.io/rewrite-target: /spec: rules: - host: blog.example.com http: paths: - path: / backend: serviceName: blog-service servicePort: 3000 - path: /api backend: serviceName: blog-api servicePort: 808045 / 112
Config Maps
- Stores configuration values (key-value pairs)
- Values consumed in pods as:
- environment variables
- files
- Helps separating app code from configuration
- Needs to exist before they are consumed by pods (unless marked as optional)
- Need to be in the same namespace as pods
46 / 112
apiVersion: v1 kind: ConfigMapmetadata: name: hello-kube-config namespace: default data: count: 1 hello: world47 / 112
Secrets
- For storing and managing small amount of sensitive data (passwords, tokens, keys)
- Referenced as files in a volume, mounted from a secret
- Base64 encoded
- Types: generic, Docker registry, TLS
48 / 112
Namespaces
- Provides unique scope for resources
my-namespace.my-serviceanother-namespace.my-service
- (Most) Kubernetes resources live inside a namespace
- Can't be nested
49 / 112
Service Mesh
51 / 112
Dedicated infrastructure layer to connect, manage, and secure workloads by managing the communication between them
52 / 112
53 / 112
Service Mesh - Architecture
Data plane (proxies)
- Run next to each service instance (or one per host)
- Istio uses Envoy proxy
- Intercept all incoming/outgoing requests (
iptables) - Configure on how to handle traffic
- Emits metric
Control plane
- Validates rules
- Translates high-level rules to proxy configuration
- Updates the proxies/configuration
- Collects metrics from proxies
54 / 112
Service Mesh - Features
Connect
- Layer 7 routing and traffic management
- %-based traffic split (URIs, header, scheme, method, ...)
- Circuit breakers, timeouts and retries
Manage
- Telemetry (proxies collect metrics automatically)
- Visibility into service communication without code changes
Secure
- Secure communication between services (mutual TLS)
- Identity + cert for each service
55 / 112
56 / 112
Traffic Management
57 / 112
58 / 112
59 / 112
60 / 112
Service Mesh - Istio
Traffic Management Resources
- Gateway
- VirtualService
- DestinationRule
- ServiceEntry
- Sidecar
61 / 112
Service Mesh - Virtual Service
apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata: name: service-bspec: hosts: - service-b.default.svc.cluster.local http: - route: - destination: host: service-b subset: v1 weight: 98 - destination: host: service-b subset: v2 weight: 262 / 112
Service Mesh - Destination Rule
apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata: name: service-bspec: host: service-b.default.svc.cluster.local subsets: - name: v1 labels: version: v1 - name: v2 labels: version: v2 trafficPolicy: tls: mode: ISTIO_MUTUAL63 / 112
64 / 112
65 / 112
Destination rule
apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata: name: service-bspec: host: service-b.default.svc.cluster.local subsets: - name: v1 labels: version: v1 - name: v2 labels: version: v266 / 112
Virtual service
... http: - route: - destination: host: service-b subset: v1 weight: 3067 / 112
68 / 112
69 / 112
70 / 112
Service Mesh - Service Entry
apiVersion: networking.istio.io/v1alpha3kind: ServiceEntrymetadata: name: movie-dbspec: hosts: - api.themoviedb.org ports: - number: 443 name: https protocol: HTTPS resolution: DNS location: MESH_EXTERNAL71 / 112
Service Mesh - Gateway
apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata: name: gatewayspec: selector: istio: ingressgateway servers: - port: number: 80 name: http protocol: HTTP hosts: - "hello.example.com"72 / 112
73 / 112
74 / 112
75 / 112
76 / 112
Service Mesh - Sidecar
apiVersion: networking.istio.io/v1alpha3kind: Sidecarmetadata: name: default namespace: prod-us-west-1spec: egress: - hosts: - 'prod-us-west-1/*' - 'prod-apis/*' - 'istio-system/*'77 / 112
Service Mesh - Traffic Management
- Define subsets in DestinationRule
- Define route rules in VirtualService
- Define one or more destinations with weights
78 / 112
Demo
Istio Traffic Routing
79 / 112
Service Resiliency
81 / 112
Resiliency
Ability to recover from failures and continue to function
82 / 112
Return the service to a fully functioning state after failure
83 / 112
Resiliency
High availability
- Healthy
- No significant downtime
- Responsive
- Meeting SLAs
Disaster recovery
- Design can't handle the impact of failures
- Data backup & archiving
84 / 112
Resiliency Strategies
- Load Balancing
- Timeouts and retries
- Circuit breakers and bulkhead pattern
- Data replication
- Graceful degradation
- Rate limiting
85 / 112
Service Mesh - Timeouts
apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata: name: service-bspec: hosts: - service-b.default.svc.cluster.local http: - route: - destination: host: service-b subset: v1 timeout: 5s86 / 112
Service Mesh - Retries
apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata: name: service-bspec: hosts: - service-b.default.svc.cluster.local http: - route: - destination: host: service-b subset: v1 retries: attempts: 3 perTryTimeout: 3s retryOn: gateway-error,connect-failure87 / 112
Service Mesh - Circuit Breakers
apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata: name: service-bspec: host: service-b.default.svc.cluster.local trafficPolicy: tcp: maxConnections: 1 http: http1MaxPendingRequests: 1 maxRequestsPerConnection: 1 outlierDetection: consecutiveErrors: 1 interval: 1s baseEjectionTime: 3m maxEjectionPercent: 10088 / 112
Service Mesh - Delays
apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata: name: service-bspec: hosts: - service-b.default.svc.cluster.local http: - route: - destination: host: service-b subset: v1 fault: delay: percentage: 50 fixedDelay: 2s89 / 112
Service Mesh - Aborts
apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata: name: service-bspec: hosts: - service-b.default.svc.cluster.local http: - route: - destination: host: service-b subset: v1 fault: abort: percentage: 50 httpStatus: 40490 / 112
Demo
Service Resiliency
91 / 112
Security
93 / 112
94 / 112
Access Control
Can a principal perform an action on an object?
95 / 112
Access Control
Can a principal perform an action on an object?
Principal = user
Action = delete
Object = file
96 / 112
Authentication (authn)
- Verify credential is valid/authentic
- Istio: X.509 certificates
- Identity encoded in certificate
97 / 112
Authorization (authz)
- Is principal allowed to perform an action on an object?
- Istio: RBAC policies
- Role-based access control
98 / 112
Authentication and authorization work together
99 / 112
Identity - SPIFFE
- SPIFFE (Secure Production Identity Framework for Everyone)
- Specially formed X.509 certificate with an ID (e.g.
spiffe://cluster.local/ns/default/sa/default) - Kubernetes: service account is used
100 / 112
Identity - SPIFFE
Concepts:
- Identity (URI)
spiffe://cluster.local/ns/default/sa/default
- Encoding of identity into SVID (SPIFFE Verifiable Identity Document)
- X.509 and Subject Alternate Name (SAN) field
- API for issuing and retrieving SVIDs
101 / 112
Key management
- Citadel
- Certificate authority (CA)
- Signs certificate requests that create X.509 certificates
- Citadel (node) agents (SDS - secret discovery service)
- Broker between Citadel and Envoy proxies
- Envoy
102 / 112
Mutual TLS (mTLS)
Flow
Traffic from client gets routed to the client side proxy
Client side proxy starts mTLS handshake
- Secure naming check: verify service account in the cert can run the target service
Client and server side proxies establish mTLS connection
Server side proxy forwards traffic to the server service
103 / 112
Istio Auth Policies
Authn policy:
- Controls how proxies communicate with one another
- mTLS on/off
Authz policy:
- Requires authn
- Configures which identities are allowed to communicate
104 / 112
Configuring mTLS/JWT
- Policy resource (
authentication.istio.io/v1alpha1.Policy) Scope:
- Mesh < namespace < service
Also supports JWT
105 / 112
Configuring authorization
Who can talk to whom
- Uses RBAC (role-based access control)
Service role
- Actions that can be performed on service by any principal with the role
Service role binding
- Assigns roles to principals (principals = service identities = ServiceAccounts)
106 / 112
Configuring RBAC
- ClusterRbacConfig resource (
rbac.istio.io/v1alpha1) - Multiple modes:
- On, off
- On with inclusion, on with exclusion
107 / 112
Istio vs. Linkerd vs. Consul Connect?
- Linkerd: Kubernetes only
- Consul: agent per-node + proxies
- Linkerd: no circut breaking*
- Consul: no failure injection
https://github.com/linkerd/linkerd2/issues/2846
109 / 112
How to get started?
- Do you need a service mesh?
- Start small and slow:
- Learn and understand the resources
- Apply to a subset of services
- Understand the metrics, logs, dashboards
- Repeat
110 / 112
Thank you
FEEDBACK
Slides: https://slides.peterj.dev/jfuture-2019
Exercises: https://github.com/peterj/jfuture
Contact
111 / 112
Table of Contents
112 / 112