
Istio: Up and Running: Using a Service Mesh to Connect, Secure, Control, and Observe PDF

270 Pages·2019·8.115 MB·English

Preview Istio: Up and Running: Using a Service Mesh to Connect, Secure, Control, and Observe

Istio: Up and Running
Using a Service Mesh to Connect, Secure, Control, and Observe
Lee Calcote and Zack Butcher

Beijing · Boston · Farnham · Sebastopol · Tokyo

Istio: Up and Running
by Lee Calcote and Zack Butcher

Copyright © 2020 Lee Calcote and Zack Butcher. All rights reserved.
Printed in the United States of America.
Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or [email protected].

Acquisitions Editor: Nikki McDonald
Development Editor: Corbin Collins
Production Editor: Deborah Baker
Copyeditor: Octal Publishing, LLC
Proofreader: Christina Edwards
Indexer: Ellen Troutman
Interior Designer: David Futato
Cover Designer: Karen Montgomery
Illustrator: Rebecca Demarest

October 2019: First Edition

Revision History for the First Edition
2019-09-26: First Release
2019-11-27: Second Release

See http://oreilly.com/catalog/errata.csp?isbn=9781492043782 for release details.

The O'Reilly logo is a registered trademark of O'Reilly Media, Inc. Istio: Up and Running, the cover image, and related trade dress are trademarks of O'Reilly Media, Inc.

While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

978-1-492-04378-2
[LSCH]

Table of Contents

Preface  ix

1. Introducing the Service Mesh  1
   What Is a Service Mesh?  1
   Fundamentals  1
   Sailing into a Service Mesh  2
   Client Libraries: The First Service Meshes?  3
   Why Do You Need One?  5
   Don't We Already Have This in Our Container Platforms?  6
   Landscape and Ecosystem  7
   Landscape  7
   Ecosystem  7
   The Critical, Fallible Network  8
   The Value of a Service Mesh  8
   The Istio Service Mesh  11
   The Origin of Istio  11
   The Current State of Istio  12
   Cadence  13
   Releases  14
   Feature Status  15
   Future  15
   What Istio Isn't  15
   It's Not Just About Microservices  16
   Terminology  16

2. Cloud Native Approach to Uniform Observability  21
   What Does It Mean to Be Cloud Native?  21
   The Path to Cloud Native  22
   Packaging and Deployment  24
   Application Architecture  24
   Development and Operations Processes  24
   Cloud Native Infrastructure  25
   What Is Observability?  25
   Pillars of Telemetry  27
   Logs  27
   Metrics  27
   Traces  28
   Combining Telemetry Pillars  29
   Why Is Observability Key in Distributed Systems?  30
   Uniform Observability with a Service Mesh  32
   Client Libraries  32
   Interfacing with Monitoring Systems  33

3. Istio at a Glance  35
   Service Mesh Architecture  35
   Planes  36
   Istio Control-Plane Components  37
   Service Proxy  39
   Istio Data-Plane Components  40
   Gateways  42
   Extensibility  44
   Customizable Sidecars  45
   Extensible Adapters  46
   Scale and Performance  47
   Deployment Models  48

4. Deploying Istio  49
   Preparing Your Environment for Istio  49
   Docker Desktop as the Installation Environment  49
   Configuring Docker Desktop  50
   Installing Istio  54
   Istio Installation Options  56
   Registering Istio's Custom Resources  57
   Installing Istio Control-Plane Components  59
   Deploying the Bookinfo Sample Application  62
   Deploying the Sample App with Automatic Sidecar Injection  64
   Networking with the Sample App  65
   Uninstalling Istio  67
   Helm-Based Installations  67
   Install Helm  67
   Install with Helm Template  68
   Confirming a Helm-Based Installation  69
   Uninstalling a Helm-Based Installation  69
   Other Environments  69

5. Service Proxy  71
   What Is a Service Proxy?  72
   An iptables Primer  73
   Envoy Proxy Overview  74
   Why Envoy?  75
   Envoy in Istio  76
   Sidecar Injection  77
   Manual Sidecar Injection  77
   Ad Hoc Sidecarring  79
   Automatic Sidecar Injection  80
   Kubernetes Init Containers  82
   Sidecar Resourcing  83
   Envoy's Functionality  83
   Core Constructs  84
   Certificates and Protecting Traffic  85

6. Security and Identity  89
   Access Control  90
   Authentication  90
   Authorization  90
   Identity  91
   SPIFFE  91
   Key Management Architecture  93
   Citadel  94
   Node Agents  96
   Envoy  97
   Pilot  97
   mTLS  98
   Configuring Istio Auth Policies  98
   Authentication Policy: Configuring mTLS  98
   Authorization Policy: Configuring Who Can Talk to Whom  102

7. Pilot  105
   Configuring Pilot  105
   Mesh Configuration  106
   Networking Configuration  108
   Service Discovery  108
   Configuration Serving  109
   Debugging and Troubleshooting Pilot  111
   istioctl  111
   Troubleshooting Pilot  112
   Tracing Configuration  114
   Listeners  114
   Routes  117
   Clusters  120

8. Traffic Management  123
   Understanding How Traffic Flows in Istio  123
   Understanding Istio's Networking APIs  124
   ServiceEntry  125
   DestinationRule  128
   VirtualService  131
   Gateway  136
   Traffic Steering and Routing  144
   Resiliency  150
   Load-Balancing Strategy  150
   Outlier Detection  151
   Retries  152
   Timeouts  153
   Fault Injection  154
   Ingress and Egress  155
   Ingress  155
   Egress  156

9. Mixer and Policies in the Mesh  159
   Architecture  159
   Enforcing Policy  161
   Understanding How Mixer Policies Work  163
   Reporting Telemetry  163
   Attributes  165
   Sending Reports  165
   Checking Caches  166
   Adapters  166
   In-Process Adapters  167
   Out-of-Process Adapters  167
   Creating a Mixer Policy and Using Adapters  167
   Mixer Configuration  168
   Open Policy Agent Adapter  169
   Prometheus Adapter  170

10. Telemetry  175
   Adapter Models  175
   Reporting Telemetry  176
   Metrics  176
   Configuring Mixer to Collect Metrics  176
   Setting Up Metrics Collection and Querying for Metrics  177
   Traces  179
   Disabling Tracing  180
   Logs  181
   Metrics  184
   Visualization  184

11. Debugging Istio  187
   Introspecting Istio Components  187
   Troubleshooting with a Management Plane  189
   Parlaying with kubectl  189
   Workload Preparedness  191
   Application Configuration  191
   Network Traffic and Ports  191
   Services and Deployments  192
   Pods  193
   Istio Installation, Upgrade, and Uninstall  194
   Installation  194
   Upgrade  194
   Uninstallation  195
   Troubleshooting Mixer  195
   Troubleshooting Pilot  196
   Debugging Galley  196
   Debugging Envoy  198
   Envoy's Administrative Console  198
   503 or 404 Requests  198
   Sidecar Injection  199
   Version Compatibility  201

12. Real-World Considerations for Application Deployment  203
   Control-Plane Considerations  204
   Galley  204
   Pilot  206
   Mixer  208
   Citadel  211
   Case Study: Canary Deployment  212
   Cross-Cluster Deployments  218

13. Advanced Scenarios  221
   Types of Advanced Topologies  221
   Single-Cluster Meshes  221
   Multiple-Cluster Meshes  222
   Use Cases  225
   Choosing a Topology  226
   Cross-Cluster or Multicluster?  227
   Configuring Cross-Cluster  230
   Configure DNS and Deploy Bookinfo  231

Index  239
