Istio - Get Started with Istio and Kubernetes

Mohan Pawar

Containers are Future Deployment Units.

The Dev people managing infrastructure just want a PaaS. The only requirement is:

It has to be built by them.

Kubernetes Key Concept

Pod: Group of tightly coupled containers and volume

Replication Controller: A loop that drives the current state to desired state

Service: A set of running pods that work together

Volumes: Pod level storage and configuration

Evolving Stack...

Connect, Manage and Secure Services

End application

Packaging

e.g. tarball

Better cluster

Deployment

Istio

  • Policy - Create policies between applications.
  • Observability - Observe the behaviour of services.
  • Security - Applied per application instance.
  • Reliability - Consistent performance according to specification.

“Kubernetes changed how we deploy applications, Istio is going to change how we connect, manage and secure them.”

We must treat the data center itself as one massive warehouse-scale computer

Istio Architecture

Istio Key Components

Pilot: Responsible for configuring Envoy and Mixer at runtime.

Envoy: Sidecar proxy deployed per microservice to handle ingress/egress traffic between services in the cluster and from a service to external services.

Mixer: Enforces policies such as ACLs, rate limits, quotas and auth, and performs request tracing and telemetry collection at the infrastructure level.

Ingress/Egress: Configure path-based routing into and out of the mesh.

Istio CA: Secures service-to-service communication over TLS; automates key and certificate generation, distribution, rotation, and revocation.

Design Goals

  • Maximum Transparency
  • Incrementality
  • Portability
  • Policy Uniformity

Traffic Management

Pilot

Rule Configurations

Split Traffic between Service Versions

  • Multiple registered instances of a service, each with specified tags (labels)
  • Routing between them based on the configured load-balancing policy
  • Round-robin by default

“You could write your own custom rule”
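As an added example (not from the deck), the following RouteRule in the config.istio.io/v1alpha2 API used by the Istio 0.4 line sends 75% of traffic for the Bookinfo reviews service to pods labelled version: v1 and 25% to version: v2; the service name, namespace and weights are assumptions. Weighted splits like this let a new version be observed under a small share of real traffic before it receives all of it.

```yaml
# Added example: weighted traffic split between two versions of one service.
# API shape is the Istio 0.4-era RouteRule (config.istio.io/v1alpha2);
# later Istio releases replaced it with VirtualService/DestinationRule.
apiVersion: config.istio.io/v1alpha2
kind: RouteRule
metadata:
  name: reviews-canary          # assumed rule name
  namespace: default            # assumed namespace of the Bookinfo app
spec:
  destination:
    name: reviews               # Kubernetes Service receiving the traffic
  precedence: 1                 # higher wins when several rules match
  route:
    # Each entry selects registered instances by their pod labels (tags).
    - labels:
        version: v1
      weight: 75
    - labels:
        version: v2
      weight: 25                # weights must sum to 100
```

Apply it with `istioctl create -f <file>`; pods must carry a `version` label for the tag match to select them.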

Istio Auth Arch.

Mixer

  • Precondition Checking: the consumer is authenticated, is in the whitelists, passes ACL checks, etc.
  • Quota Management: enables services to allocate quota across a number of dimensions
    • e.g. rate limits
  • Telemetry Reporting: enables services to report logging and monitoring data.

Demo Time

  • Deploying Book Info Application using Istio and Kubernetes

BookInfo Application

Roadmap [ Istio 0.4 ]

  • Support for additional logging, tracing, rate limiting, etc. adapters.
  • Configuration rollout and management.
  • Support for multiple clusters in a single mesh.
  • Client oriented telemetry collection and distribution.
  • Global load balancing with auto-scaling.
  • Basic Authorization using RBAC.
  • Support for backward compatibility and Istio upgrades.

An open platform to connect, manage and secure microservices

Zero code changes to application code

Q/A

Thank you

Ask any further questions.