#Codemotion Rome 2018 - Containers provide a consistent environment to run services. Kubernetes help us to manage and scale our container cluster. Good start for a loosely coupled microservices architecture but not enough. How do you control the flow of traffic & enforce policies between services? How do you visualize service dependencies & identify issues? How can you provide verifiable service identities, test for failures? You can implement your own custom solutions or you can rely on Istio, an open platform to connect, manage and secure microservices.

1. Confidential & Proprietary
Stop reinventing the wheel
with Istio
Mete Atamel
Developer Advocate at Google
@meteatamel

2. Confidential & Proprietary
Agenda
1. The need for Istio
Containers, Kubernetes, Istio
2. What is Istio?
Istio at the high level, setup
3. Building Blocks
Envoy, Mixer, Pilot, Istio-Auth
4. Add-ons
Grafana, Prometheus, Zipkin, ServiceGraph
5. Traffic Management
Request Routing, Discovery & Load Balancing, Failure Recovery & Injection

3. The need for Istio
Containers, Kubernetes, Istio

4. Confidential & Proprietary
Code that solves a problem
Make that code production ready (logging, tracing, auth, load balancing, etc)
A way to package and run that code consistently on different environments
A way to deploy (hopefully optimally) and manage that code
Solving a problem with software

5. Confidential & Proprietary
Code that solves a problem => You
Make that code production ready => Istio
A way to package and run that code consistently => Docker
A way to deploy and manage that code => Kubernetes
Solving a problem with software

6. Confidential & Proprietary
What is a container?
Lightweight
Hermetically sealed
Isolated
Easily deployable
Introspectable
Composable
Linux (or Windows) processes
A lightweight way to virtualize applications

7. 7
Docker: Tooling for the masses
FROM debian:latest
RUN apt-get update
RUN apt-get install -y nginx
CMD [“nginx”,”-g”,”daemon off;”]
EXPOSE 80
Docker is a container runtime and image format
Dockerfile defines the dependencies,
environment and the code to run
Container is a consistent invocation of a
Dockerfile

8. Confidential & Proprietary
Containers are not enough
Service
Discovery
Redundancy
Scheduling
Scaling up &
down
Rolling out &
back
Resiliency
Config &
Secrets
Health
Checks

9. Confidential & Proprietary
Kubernetes
Κυβερνήτης means “governor” in Greek
• Manages container clusters
• Inspired and informed by Google’s internal
container system called Borg
• Supports multiple cloud and bare-metal
environments
• 100% Open source, written in Go
Manage applications, not machines

10. Confidential & Proprietary
Microservices in Kubernetes world
Service
Pods
Each pod containers
one or more containers
Nodes
Role: frontend
Role: frontend Role: frontend Role: frontend
Replication
controller
Replicas: 3
Env: prod
microservice
labels
Service
communication
channel
Blueprint
“pod
template”
Env: prod Env: prod Env: prod registry
containers

11. Confidential & Proprietary
Kubernetes is not enough either
Dependency
Visualisation
Tracing
Metrics
Logging
Circuit
Breaking
Service
Identity &
Auth
Fault
Injection
Traffic Flow
& Policies
Failover

13. What is Istio?
Istio at the high level, setup

14. Confidential & Proprietary
Istio: High level goals
Community maturing and gathering around common
tools
Decouple application code from underlying platform and
policies

15. Confidential & Proprietary
Istio
Ιστιο means “sail”. An open platform to connect, manage, and
secure microservices.
● Platform support: Kubernetes, Mesos, Cloud Foundry
● Observability: Metrics, logs, traces, dependency visualisation
● Service Identity & Security: Provide verifiable identity to
services, service-to-service authentication
● Traffic Management: Dynamically control traffic between
services, ingress/egress routing, fault injection
● Policy enforcement: Precondition checking, quota
management between services

16. Confidential & Proprietary
Istio: At the very high level
Users
Cloud SQL
frontend
pictures payments
auth
External
Payment
Processor

17. Confidential & Proprietary
Istio: At the very high level
Users
Cloud SQL
frontend
pictures payments
auth
External
Payment
Processor
proxy
proxy
proxy
proxy
ingress

18. 18
$ gcloud container clusters create hello-istio
--enable-kubernetes-alpha
--machine-type=n1-standard-2
--num-nodes=4
--no-enable-legacy-authorization
--zone europe-west1-b
Creating cluster hello-istio...done.
Created [https://container.googleapis.com/v1/projects/dotnet-atamel/zones/europe-west1-b/clusters/hello-istio]
NAME LOCATION MASTER_VERSION MASTER_IP MACHINE_TYPE NODE_VERSION NUM_NODES STATUS
hello-istio europe-west1-b 1.7.12-gke.0 ALPHA 35.190.192.251 n1-standard-2 1.7.12-gke.0 4 RUNNING
$ kubectl create clusterrolebinding cluster-admin-binding
--clusterrole=cluster-admin
--user=$(gcloud config get-value core/account)
clusterrolebinding "cluster-admin-binding" created

19. Confidential & Proprietary
Demo: Install Istio

20. Building Blocks
Envoy, Mixer, Pilot, Istio-Auth

21. Confidential & Proprietary
Istio Architecture
Mixer Istio-Auth
frontend payments
proxy proxy
Pilot
Discovery & config
data to Envoy sidecars
TLS certs
to Envoy sidecars
Policy checks,
telemetry
Traffic transparently proxied —
unaware of Envoy sidecars
Control Plane
HTTP/1.1, HTTP/2, gRPC with
or without TLS

22. Confidential & Proprietary
Envoy Proxy
A high-performance proxy in C++, to mediate all
inbound/outbound traffic
● Dynamic service discovery
● Load balancing, TLS termination
● HTTP/2 & gRPC proxying
● Circuit breakers, health checks, rich metrics
Deployed as a sidecar to the relevant service in the
same Kubernetes pod

23. Confidential & Proprietary
Pilot
Responsible for managing Envoy proxies in the service mesh.
● Service discovery for Envoy
● Traffic management capabilities for routing (A/B testing, canary
deployments)
● Resiliency (timeouts, retries, circuit breakers)
● Converts high level routing rules into Envoy specific configurations and
propogates them to sidecars at runtime

24. Confidential & Proprietary
Pilot

25. Confidential & Proprietary
Mixer
1. Precondition Checking. Enables callers to verify a number of
preconditions before responding to an incoming request from a service
consumer.
2. Quota Management. Enables services to allocate and free quota (eg.
rate limits)
3. Telemetry Reporting. Enables services to report logging and monitoring

26. Confidential & Proprietary
Istio-Auth
1. Provides each service with a strong identity
2. Provides service-to-service and end-user authentication using mutual
TLS
3. Provides a key management system to automate key and certificate
generation, distribution, rotation, and revocation

27. Confidential & Proprietary
Demo: Deploy App

28. Add-ons
Grafana, Prometheus, Zipkin, ServiceGraph

29. Confidential & Proprietary
Grafana: Analytics and monitoring

30. Confidential & Proprietary
Prometheus: Query metrics

31. Confidential & Proprietary
Zipkin: Tracing

32. Confidential & Proprietary
ServiceGraph

33. Confidential & Proprietary
Demo: Install add-ons

34. Traffic Management
Request Routing, Discovery & Load Balancing, Failure Recovery &
Injection

35. Confidential & Proprietary
Traffic Management
Istio’s traffic management decouples traffic flow and infrastructure scaling
Dynamic request routing for A/B testing, gradual rollouts, canary releases
Discovery & load balancing across services
Failure recovery using timeouts, retries, and circuit breakers
Fault injection to test the compatibility of recovery policies across services

36. Confidential & Proprietary
Request Routing

38. Confidential & Proprietary
Discovery & Load Balancing

39. Confidential & Proprietary
Failure Recovery
Out-of-the-box opt-in failure recovery features:
● Timeouts
● Bounded retries with timeout budgets and variable jitter between retries
● Limits on number of concurrent connections
● Periodic health checks on each member of the load balancing pool
● Fine-grained circuit breakers (passive health checks) – applied per
instance in the load balancing pool

40. Confidential & Proprietary
Fault Injection
Systematic fault injection to identify weaknesses in failure recovery policies
● HTTP/gRPC error codes
● Delay injection
frontend movies
proxy proxy
stars
proxy
timeout: 100ms
retries: 3
300ms
timeout: 200ms
retries: 2
400ms

41. Confidential & Proprietary
Demo: Change routes

42. Confidential & Proprietary
Demo: Cleanup

43. Confidential & Proprietary
Thank you!
Mete Atamel
@meteatamel