
Istio Service Mesh Patterns

Slides: https://slides.peterj.dev/oracle-doag-2019

1 / 64

Safe Harbor

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle's products may change and remains at the sole discretion of Oracle Corporation.

Statements in this presentation relating to Oracle's future plans, expectations, beliefs, intentions and prospects are "forward-looking statements" and are subject to material risks and uncertainties. A detailed discussion of these factors and other risks that affect our business is contained in Oracle's Securities and Exchange Commission (SEC) filings, including our most recent reports on Form 10-K and Form 10-Q under the heading "Risk Factors." These filings are available on the SEC's website or on Oracle's website at http://www.oracle.com/investor. All information in this presentation is current as of September 2019 and Oracle undertakes no duty to update any statement in light of new information or future events.

2 / 64

Introduction

3 / 64

Service Mesh

4 / 64

Dedicated infrastructure layer to connect, manage, and secure workloads by managing the communication between them

5 / 64

Istio service mesh

  • Open source service mesh
    • Google, IBM, Lyft
  • Well-defined API
  • Can be deployed on-premise, in the cloud
    • Kubernetes
    • Mesos

6 / 64

Service Mesh - Code outside of the service

7 / 64

A calling B - 1

8 / 64

A calling B - 2

9 / 64

A calling B - 3

10 / 64

Service Mesh - Architecture

Data plane (proxies)

  • Run next to each service instance (or one per host)
    • Istio uses Envoy proxy
  • Intercept all incoming/outgoing requests (iptables)
  • Configured with how to handle traffic
  • Emit metrics

Control plane

  • Validates rules
  • Translates high-level rules to proxy configuration
  • Updates the proxies/configuration
  • Collects metrics from proxies

12 / 64

Service Mesh - Features

Connect

  • Layer 7 routing and traffic management
    • %-based traffic split (URIs, header, scheme, method, ...)
    • Circuit breakers, timeouts and retries

Manage

  • Telemetry (proxies collect metrics automatically -> tools: Grafana, Jaeger, Kiali)
  • Visibility into service communication without code changes

Secure

  • Secure communication between services (mutual TLS)
  • Identity + cert for each service

13 / 64

Istio Architecture

14 / 64

Traffic Management

15 / 64

Istio Pilot

16 / 64

Istio Pilot

17 / 64

Traffic Split

18 / 64

Service Mesh - Istio

Traffic Management Resources

  • Gateway
  • VirtualService
  • DestinationRule
  • ServiceEntry
  • Sidecar

19 / 64

Service Mesh - Virtual Service

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: serviceb-vs
spec:
  hosts:
  - service-b.default.svc.cluster.local
  http:
  - route:
    - destination:
        host: service-b.default.svc.cluster.local
        subset: v1
      weight: 98
    - destination:
        host: service-b.default.svc.cluster.local
        subset: v2
      weight: 2

20 / 64

Service Mesh - Destination Rule

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: serviceb-dr
spec:
  host: service-b.default.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

21 / 64

Subsets - 1

22 / 64

Subsets - 2

23 / 64

Destination rule

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: serviceb-dr
spec:
  host: service-b.default.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2

24 / 64

Virtual service

...
  http:
  - route:
    - destination:
        host: service-b.default.svc.cluster.local
        subset: v1
      weight: 30

25 / 64

Subsets - 3

26 / 64

Subsets - 4

27 / 64

Subsets - 5

28 / 64

Service Mesh - Service Entry

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: movie-db
spec:
  hosts:
  - api.themoviedb.org
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL

29 / 64

Service Mesh - Gateway

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "hello.example.com"

30 / 64

Gateway - 1

31 / 64

Gateway - 2

32 / 64

Gateway - 3

33 / 64

Gateway - 4

34 / 64

Service Mesh - Sidecar

apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: prod-us-west-1
spec:
  egress:
  - hosts:
    - 'prod-us-west-1/*'
    - 'prod-apis/*'
    - 'istio-system/*'

35 / 64

Service Mesh - Traffic Management

  • Define subsets in DestinationRule
  • Define route rules in VirtualService
  • Define one or more destinations with weights

36 / 64
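The three steps above are where most misrouting comes from in practice: a VirtualService that names a subset no DestinationRule defines, or weights that do not add up. As an added example (not part of the slides), a small consistency check over the serviceb-vs / serviceb-dr pair shown earlier; the manifests are written as the dicts a YAML loader would return so the check runs without PyYAML.

```python
# Added example (not from the slides): check that a VirtualService only routes
# to subsets its DestinationRule defines and that route weights sum to 100.
# Manifests are the dicts a YAML loader would return, so no PyYAML is needed.
HOST = "service-b.default.svc.cluster.local"

DESTINATION_RULE = {"kind": "DestinationRule", "spec": {  # constructed, as on the slide
    "host": HOST,
    "subsets": [{"name": "v1", "labels": {"version": "v1"}},
                {"name": "v2", "labels": {"version": "v2"}}]}}

VIRTUAL_SERVICE = {"kind": "VirtualService", "spec": {  # constructed, as on the slide
    "hosts": [HOST],
    "http": [{"route": [
        {"destination": {"host": HOST, "subset": "v1"}, "weight": 98},
        {"destination": {"host": HOST, "subset": "v2"}, "weight": 2}]}]}}


def lint_routes(virtual_service, destination_rules):
    """Return a list of problems; an empty list means the pair is consistent."""
    # Index the subset names each DestinationRule defines, keyed by host.
    subsets = {}
    for dr in destination_rules:
        spec = dr["spec"]
        subsets.setdefault(spec["host"], set()).update(
            s["name"] for s in spec.get("subsets", []))
    problems = []
    for i, rule in enumerate(virtual_service["spec"].get("http", [])):
        routes = rule.get("route", [])
        # A single destination without an explicit weight receives all traffic.
        total = sum(r.get("weight", 100 if len(routes) == 1 else 0) for r in routes)
        if total != 100:
            problems.append(f"http[{i}]: weights sum to {total}, not 100")
        for r in routes:
            dest = r["destination"]
            subset = dest.get("subset")
            if subset and subset not in subsets.get(dest["host"], set()):
                problems.append(f"http[{i}]: subset {subset!r} is not defined "
                                f"in any DestinationRule for {dest['host']}")
    return problems


if __name__ == "__main__":
    print(lint_routes(VIRTUAL_SERVICE, [DESTINATION_RULE]))  # []
```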

Demo

Istio Traffic Routing

37 / 64

Service Resiliency

38 / 64

Resiliency

Ability to recover from failures and continue to function

39 / 64

Return the service to a fully functioning state after failure

40 / 64

Resiliency

High availability

  • Healthy
  • No significant downtime
  • Responsive
  • Meeting SLAs

Disaster recovery

  • When the design can't handle the impact of failures
  • Data backup & archiving

41 / 64

Resiliency Strategies

  • Load Balancing
  • Timeouts and retries
  • Circuit breakers and bulkhead pattern
  • Data replication
  • Graceful degradation
  • Rate limiting

42 / 64

Service Mesh - Timeouts

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: service-b
spec:
  hosts:
  - service-b.default.svc.cluster.local
  http:
  - route:
    - destination:
        host: service-b.default.svc.cluster.local
        subset: v1
    timeout: 5s

43 / 64

Service Mesh - Retries

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: service-b
spec:
  hosts:
  - service-b.default.svc.cluster.local
  http:
  - route:
    - destination:
        host: service-b.default.svc.cluster.local
        subset: v1
    retries:
      attempts: 3
      perTryTimeout: 3s
      retryOn: gateway-error,connect-failure

44 / 64

Service Mesh - Circuit Breakers

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: service-b
spec:
  host: service-b.default.svc.cluster.local
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 1
      http:
        http1MaxPendingRequests: 1
        maxRequestsPerConnection: 1
    outlierDetection:
      consecutiveErrors: 1
      interval: 1s
      baseEjectionTime: 3m
      maxEjectionPercent: 100

45 / 64
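To see what the outlierDetection fields above actually do to a pool of endpoints, here is an added example (not from the slides) that models the ejection rules Istio hands to Envoy, with the slide's values as defaults. The endpoint names and the explicit clock are constructed for the example.

```python
# Added example (not from the slides): a simplified model of the outlier
# detection the DestinationRule above configures. It follows the Envoy rules
# Istio translates the fields into: a host is ejected after consecutiveErrors
# failures in a row, for baseEjectionTime multiplied by the number of times it
# has already been ejected, and only while the ejected share of the pool is
# below maxEjectionPercent. Time is an explicit clock value, not real seconds,
# and the periodic "interval" sweep is collapsed into the per-response update.
from dataclasses import dataclass, field


@dataclass
class OutlierDetector:
    hosts: list                               # endpoints behind service-b (constructed)
    consecutive_errors: int = 1               # consecutiveErrors on the slide
    base_ejection_time: float = 180.0         # baseEjectionTime: 3m
    max_ejection_percent: int = 100           # maxEjectionPercent on the slide
    _errors: dict = field(default_factory=dict)         # host -> errors in a row
    _ejected_until: dict = field(default_factory=dict)  # host -> clock time
    _ejections: dict = field(default_factory=dict)      # host -> times ejected

    def active_hosts(self, now):
        """Hosts the load balancer may still pick at clock time `now`."""
        return [h for h in self.hosts if self._ejected_until.get(h, 0.0) <= now]

    def record(self, host, status, now):
        """Feed one upstream HTTP status for `host`; True if it was ejected."""
        if status < 500:
            self._errors[host] = 0           # any success resets the streak
            return False
        self._errors[host] = self._errors.get(host, 0) + 1
        if self._errors[host] < self.consecutive_errors:
            return False
        self._errors[host] = 0
        # Envoy's cap: eject only while the current ejected share is below the max.
        ejected_now = len(self.hosts) - len(self.active_hosts(now))
        if ejected_now * 100 >= self.max_ejection_percent * len(self.hosts):
            return False
        self._ejections[host] = self._ejections.get(host, 0) + 1
        self._ejected_until[host] = now + self.base_ejection_time * self._ejections[host]
        return True
```

With maxEjectionPercent: 100 as on the slide, every endpoint can be ejected at once, so a burst of 5xx from all replicas leaves the caller with no upstream until baseEjectionTime elapses; a lower percentage keeps part of the pool in rotation.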

Service Mesh - Delays

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: service-b
spec:
  hosts:
  - service-b.default.svc.cluster.local
  http:
  - route:
    - destination:
        host: service-b
        subset: v1
    fault:
      delay:
        percentage:
          value: 50
        fixedDelay: 2s

46 / 64

Service Mesh - Aborts

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: service-b
spec:
  hosts:
  - service-b.default.svc.cluster.local
  http:
  - route:
    - destination:
        host: service-b
        subset: v1
    fault:
      abort:
        percentage:
          value: 30
        httpStatus: 404

47 / 64

Demo

Service Resiliency

48 / 64

Security

49 / 64

50 / 64

Access Control

Can a principal perform an action on an object?

51 / 64

Access Control

Can a principal perform an action on an object?

Principal = user

Action = delete

Object = file

52 / 64

Authentication (authn)

  • Verify credential is valid/authentic
  • Istio: X.509 certificates
  • Identity encoded in certificate

53 / 64

Authorization (authz)

  • Is principal allowed to perform an action on an object?
  • Istio: RBAC policies
    • Role-based access control

54 / 64

Authentication and authorization work together

55 / 64

Identity - SPIFFE

  • SPIFFE (Secure Production Identity Framework for Everyone)
  • Specially formed X.509 certificate with an ID (e.g. spiffe://cluster.local/ns/default/sa/default)
  • Kubernetes: service account is used

https://spiffe.io/

56 / 64

Mutual TLS (mTLS)

Flow

  1. Traffic from client gets routed to the client side proxy
  2. Client side proxy starts mTLS handshake
    • Secure naming check: verify service account in the cert can run the target service
  3. Client and server side proxies establish mTLS connection
  4. Server side proxy forwards traffic to the server service

57 / 64
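The secure naming check in step 2 is what stops a workload with a perfectly valid mesh certificate from impersonating a service it is not allowed to run. As an added example (not from the slides), the check written out over the SPIFFE ID format from the identity slide; the certificate is reduced to its URI SAN strings and the allow-list is constructed for the example.

```python
# Added example (not from the slides): the client-side "secure naming" check
# from step 2 of the mTLS flow, applied to the SPIFFE ID format shown on the
# identity slide. The client proxy takes the SPIFFE URI out of the server
# certificate's URI SAN and confirms that the service account it names is
# allowed to run the target service. Certificate parsing is replaced by a
# plain list of SAN strings; the allow-list is constructed for this example.
from urllib.parse import urlsplit

# Constructed secure-naming table: which identities may serve which host.
# In Istio this comes from Pilot, derived from the Kubernetes service accounts.
SECURE_NAMING = {
    "service-b.default.svc.cluster.local": {"spiffe://cluster.local/ns/default/sa/service-b"},
    "service-c.default.svc.cluster.local": {"spiffe://cluster.local/ns/default/sa/default"},
}


def parse_spiffe_id(uri):
    """Split spiffe://<trust-domain>/ns/<ns>/sa/<sa>; reject any other shape."""
    parts = urlsplit(uri)
    path = parts.path.strip("/").split("/")
    if (parts.scheme != "spiffe" or not parts.netloc or len(path) != 4
            or path[0] != "ns" or path[2] != "sa" or not path[1] or not path[3]):
        raise ValueError(f"not an Istio SPIFFE ID: {uri!r}")
    return {"trust_domain": parts.netloc, "namespace": path[1], "service_account": path[3]}


def secure_naming_check(target_host, uri_sans, trust_domain="cluster.local"):
    """True if some SPIFFE ID in the presented certificate may serve target_host."""
    allowed = SECURE_NAMING.get(target_host, set())
    for san in uri_sans:
        try:
            ident = parse_spiffe_id(san)
        except ValueError:
            continue                   # non-SPIFFE SANs carry no workload identity
        if ident["trust_domain"] != trust_domain:
            continue                   # identities from other trust domains never match
        canonical = "spiffe://{trust_domain}/ns/{namespace}/sa/{service_account}".format(**ident)
        if canonical in allowed:
            return True
    return False
```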

Configuring mTLS/JWT

  • Policy resource (authentication.istio.io/v1alpha1.Policy)
  • Scope:
    • Mesh < namespace < service
  • Also supports JWT

58 / 64

Configuring authorization

  • Who can talk to whom
    • Uses RBAC (role-based access control)
  • Service role
    • Actions that can be performed on the service by any principal with the role
  • Service role binding
    • Assigns roles to principals (principals = service identities = ServiceAccounts)

59 / 64
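The service role and service role binding above are the Istio form of the "can a principal perform an action on an object?" question from the access control slides. As an added example (not from the slides), a decision function over a constructed ServiceRole and ServiceRoleBinding using the v1alpha1 field names (services, methods, paths, subjects[].user, roleRef); the role and service names are made up.

```python
# Added example (not from the slides): answering "can a principal perform an
# action on an object?" the way Istio's v1alpha1 RBAC resources express it.
# A ServiceRole lists the services, HTTP methods and paths it covers; a
# ServiceRoleBinding grants that role to subjects named by service-account
# identity. Both manifests are constructed here as the dicts a YAML loader
# would return; the service and role names are made up for the example.
from fnmatch import fnmatchcase

SERVICE_ROLES = {"reviews-reader": {                    # constructed ServiceRole
    "rules": [{"services": ["service-b.default.svc.cluster.local"],
               "methods": ["GET"], "paths": ["/reviews/*"]}]}}

BINDINGS = [{                                           # constructed ServiceRoleBinding
    "subjects": [{"user": "cluster.local/ns/default/sa/service-a"}],
    "roleRef": {"kind": "ServiceRole", "name": "reviews-reader"}}]


def _match(pattern, value):
    """fnmatch covers Istio's "*" plus prefix/suffix wildcards (and a bit more)."""
    return pattern == "*" or fnmatchcase(value, pattern)


def rule_allows(rule, service, method, path):
    """Does one ServiceRole rule cover this (object, action) pair?"""
    return (any(_match(p, service) for p in rule.get("services", ["*"]))
            and any(_match(p, method) for p in rule.get("methods", ["*"]))
            and any(_match(p, path) for p in rule.get("paths", ["*"])))


def is_allowed(principal, service, method, path):
    """Principal is the SPIFFE identity without its scheme, as RBAC subjects name it."""
    for binding in BINDINGS:
        if not any(s.get("user") in (principal, "*") for s in binding["subjects"]):
            continue                       # binding does not name this principal
        role = SERVICE_ROLES.get(binding["roleRef"]["name"])
        if role and any(rule_allows(r, service, method, path) for r in role["rules"]):
            return True
    return False                           # deny by default once RBAC is on for the service
```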

Configuring RBAC

  • ClusterRbacConfig resource (rbac.istio.io/v1alpha1)
  • Multiple modes:
    • On, off
    • On with inclusion, on with exclusion

60 / 64

How to get started?

  • Do you need a service mesh?
  • Start small and slow:
    • Learn and understand the resources
    • Apply to a subset of services
    • Understand the metrics, logs, dashboards

61 / 64

Resources

62 / 64
