Bringing Istio to Production: Kubernetes Master Class Series
#Rancherk8s, June 4, 2019
Braden Wright, Senior Cloud Architect, Root Level Technology
Matthew Scheer, Marketing Manager, Rancher (matthew@rancher.com)
Rancher Master Class Series:
● Trying to keep this to 40-45 minutes
● Questions are always welcome
● Use the questions tab to write your questions
● We may respond to all, so mark your question as private if needed.
This session is being recorded! http://youtube.com/c/rancher
Join the conversation on Slack: http://slack.rancher.io, channel #masterclass
Upcoming Classes: http://rancher.com/kubernetes-master-class/
Istio in Production
Braden Wright, Staff Cloud Architect
Links: LinkedIn, GitHub, Code for Demo
Service Mesh to the Rescue
● What happens if we have an outage with a Database?
● What happens if there is slowness in Authoring Service ABC?
● What happens if I want to experimentally roll out a new feature in Data Service XYZ?
● What if I need to rate limit certain services?
● How do I ensure a secure connection between services?
● How do I test how my applications respond under component failure?
Service Mesh Example (diagram panels: "Service Mesh", "No Service Mesh")
Service Mesh Lay of the Land
● Istio / Envoy (Lyft/IBM/Google, C++ / Go)
● Linkerd (Buoyant, Scala)
● Conduit (Buoyant, Rust / Go)
● Consul (HashiCorp)
● Envoy 1.0.0 since Sept 2016, open sourced Oct 2016, CNCF
Istio Overview
● Reliability (retries, timeouts, mitigating cascading failures)
● Troubleshooting (observability, monitoring, tracing, diagnostics)
● Performance (throughput, latency, load balancing)
● Security (managing secrets, mTLS, authz, SDS)
● Dynamic topology (service discovery, custom routing, shadow traffic)
What Features are Important?
● Istio Install (Helm)
● Routing between Services (VirtualService)
● Exposing Outside the Cluster (Public Gateway)
● VPN-Only Access to Cluster (Private Gateway)
● DNS (External DNS)
● SSL at Edge (cert-manager)
Bonus
● Egress (ServiceEntry)
● Observability (Prometheus, Jaeger, Kiali)
Istio Install
● Use Helm (or GKE enable)
● Pin Docker Images
● Download the Chart / Don't Use the Helm Repo (GitHub Issue #12923)
Demo: Terraform Setup
● GKE Cluster Setup
● DNS IAM Binding and K8s Secret
  ○ Let's Encrypt needs to publish to Cloud DNS
  ○ DNS Chart needs to publish to Cloud DNS
● Set up Namespaces
  ○ prd-app, prd-system, istio-system
Outside of Terraform:
● VPN
● Enable GCP APIs
● Cloud DNS domain creation
● Cloud DNS name server setup
Virtual Services
A VirtualService defines a set of traffic routing rules to apply when a host is addressed. Each routing rule defines matching criteria for traffic of a specific protocol. If the traffic is matched, then it is sent to a named destination service (or a subset/version of it) defined in the registry.
● Defines a set of Traffic Routing Rules
  ○ HTTP, HTTPS, TCP, TLS
  ○ path, hostname, port, SNI, headers, etc.
● Set CORS policy, headers
● Rate Limit, Fault Injection
Virtual Services
Destination Rules
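As an added example (not a slide from the deck), a DestinationRule that names two versions of a hypothetical data-xyz service in the prd-app namespace as subsets, and a VirtualService whose rules send opted-in requests to v2 by header match, split the rest 90/10, restrict CORS to one origin and inject a delay fault for failure testing. The service name, version labels and the app.example.com origin are assumptions; the Istio 1.1-era networking.istio.io/v1alpha3 API is used.

```yaml
# Added example, not from the deck. Assumed: a Service data-xyz in prd-app with pods labelled version=v1 / version=v2.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: data-xyz
  namespace: prd-app
spec:
  host: data-xyz.prd-app.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL            # callers must use mesh mTLS to reach this host
  subsets:
  - name: v1
    labels: {version: v1}           # pods carrying this label form subset v1
  - name: v2
    labels: {version: v2}
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: data-xyz
  namespace: prd-app
spec:
  hosts: [data-xyz.prd-app.svc.cluster.local]
  http:
  - match:                          # rule 1: testers opt in to v2 with a header
    - headers:
        x-canary:
          exact: "true"
    route:
    - destination:
        host: data-xyz.prd-app.svc.cluster.local
        subset: v2
  - fault:                          # rule 2: everyone else, with a chaos-testing delay
      delay:
        percentage: {value: 5}      # 5% of requests are held for 2s before forwarding
        fixedDelay: 2s
    corsPolicy:
      allowOrigin: ["https://app.example.com"]   # only this origin may call cross-site
      allowMethods: [GET]
    route:
    - destination:
        host: data-xyz.prd-app.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: data-xyz.prd-app.svc.cluster.local
        subset: v2
      weight: 10
```

Rules are evaluated top to bottom, so the header match must precede the catch-all weighted route; the fault block applies only to the second rule, which keeps canary testers out of the chaos experiment.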
Gateways
● L3
● Needs Service, Pod
● Expose Ports
● Pod, Service, Gateway
● SSL Configuration
● HTTP Redirect
● externalTrafficPolicy
Virtual Services with Gateways
● Attach a Gateway to a VirtualService to expose it outside of the cluster
Demo: Public Gateway
Private & Public Gateways
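As an added example covering the Gateway, Virtual-Services-with-Gateways and private/public gateway slides (not the deck's own demo code), a public Gateway that redirects plaintext to HTTPS and terminates TLS from the file-mounted istio-ingressgateway-certs Secret, a private Gateway selecting a second ingress gateway deployment, and a VirtualService bound to the public one. The hostnames, the prd-app namespace usage, the app backend on port 8080 and the istio=ingressgateway-private label are assumptions.

```yaml
# Added example, not from the deck. Assumed: a second ingress gateway deployment
# labelled istio=ingressgateway-private whose Service is an internal load balancer.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: public-gateway
  namespace: prd-app
spec:
  selector:
    istio: ingressgateway              # Istio's default public ingress gateway pods
  servers:
  - port: {number: 80, name: http, protocol: HTTP}
    hosts: ["app.example.com"]
    tls:
      httpsRedirect: true              # plaintext requests get a 301 to https
  - port: {number: 443, name: https, protocol: HTTPS}
    hosts: ["app.example.com"]
    tls:
      mode: SIMPLE                     # terminate TLS at the edge
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt   # mount path of the
      privateKey: /etc/istio/ingressgateway-certs/tls.key          # istio-ingressgateway-certs Secret
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: private-gateway
  namespace: prd-app
spec:
  selector:
    istio: ingressgateway-private      # assumed label; only reachable via VPN / internal LB
  servers:
  - port: {number: 80, name: http, protocol: HTTP}
    hosts: ["admin.example.internal"]  # admin VirtualServices bind to this gateway instead
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: app
  namespace: prd-app
spec:
  hosts: ["app.example.com"]
  gateways: ["public-gateway"]         # binding to the gateway exposes this route outside the mesh
  http:
  - route:
    - destination:
        host: app.prd-app.svc.cluster.local
        port: {number: 8080}
```

On GKE the private gateway's Service carries the annotation cloud.google.com/load-balancer-type: "Internal" so its address is only routable from the VPC and the VPN attached to it; a VirtualService with no gateways field stays mesh-internal and is reachable through neither gateway.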
Demo: Public & Private Gateway
External DNS
● The External DNS chart scans K8s for resources such as Services, Ingresses and Gateways, then publishes the DNS record to an external provider (e.g., Cloud DNS)
● External DNS Chart
● Istio Limitations
  ○ Gateways: 1 install per domain
  ○ Lack of support for VirtualServices
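As an added illustration (not the deck's chart values), Helm values for one External DNS installation that watches Istio Gateways and publishes their hosts to Cloud DNS for a single domain; the value keys are assumed from the stable/external-dns chart of that era, and the project, Secret and domain are placeholders.

```yaml
# Added example, not from the deck. Assumed: stable/external-dns chart keys, GCP placeholders.
provider: google
google:
  project: my-gcp-project                  # placeholder GCP project
  serviceAccountSecret: clouddns-publisher # Secret holding an SA key limited to DNS changes
sources:
  - istio-gateway                          # publish the hosts declared on Istio Gateway resources
  - service                                # VirtualServices cannot be a source (deck's limitation)
domainFilters:
  - example.com                            # one installation per managed domain (deck's limitation)
policy: upsert-only                        # create/update only, never delete: safe for a shared zone
txtOwnerId: prd-gke                        # ownership marker written to TXT records beside each A record
rbac:
  create: true                             # read-only cluster role over Services, Ingresses, Gateways
```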
Demo: DNS Chart
SSL
● Installs the cert-manager chart
● Use the DNS challenge with Let's Encrypt (DNS must be publicly exposed)
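As an added example (not the deck's demo code), a cert-manager ClusterIssuer that completes the Let's Encrypt DNS-01 challenge through Cloud DNS using a service-account key Secret, and a Certificate that writes the resulting key pair into the istio-system Secret the file-mounted ingress gateway reads. The cert-manager.io/v1 API, the project, e-mail, hostname and Secret names are assumptions.

```yaml
# Added example, not from the deck. Assumed: cert-manager.io/v1 API and a Secret
# clouddns-dns01-solver-sa (key key.json) holding an SA key with the DNS admin role.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com                  # placeholder contact for expiry notices
    privateKeySecretRef:
      name: letsencrypt-prod-account-key    # ACME account key, generated by cert-manager
    solvers:
    - dns01:                                # proves control of the zone, so no port 80 exposure is needed
        cloudDNS:
          project: my-gcp-project           # placeholder GCP project
          serviceAccountSecretRef:
            name: clouddns-dns01-solver-sa
            key: key.json
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-example-com
  namespace: istio-system                   # the Secret must live where the ingress gateway mounts it
spec:
  secretName: istio-ingressgateway-certs    # name the file-mount approach expects (tls.crt / tls.key)
  dnsNames:
  - app.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
```

With the file-mount approach the gateway pod must restart to pick up a renewed Secret; the SDS approach on the next slide removes that restart and lets the Certificate use any secretName, referenced from the Gateway's tls.credentialName.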
Demo: SSL
Future: SSL via SDS and cert-manager
● The ingress gateway can dynamically add, delete, or update its key/certificate pairs and its root certificate. You do not have to restart the ingress gateway.
● No secret volume mount is needed. Once you create a Kubernetes secret, that secret is captured by the gateway agent and sent to the ingress gateway as a key/certificate or root certificate.
● The gateway agent can watch multiple key/certificate pairs. You only need to create secrets for multiple hosts and update the gateway definitions.
Istio Implementation Overview
Egress / ServiceEntry
Demo: Egress & ServiceEntry
Closing Remarks
Get started in two easy steps
Step 1: Prepare a Linux Host
Rancher requires a single host installed with either Ubuntu 16.04 (kernel v3.10+) or RHEL/CentOS 7.3, as well as at least 2 GB of memory, 20 GB of local disk and a supported version of Docker.
Step 2: Start the server
To install and run Rancher server, execute the following Docker command on your host:
$ sudo docker run -d --restart=unless-stopped -p 80:80 -p 443:443 rancher/rancher:latest
Rancher is an Enterprise Container Management Platform (diagram: self-service Kubernetes environments for DevOps with user interface, monitoring, service catalog, logging, alerting and CI/CD; unified cluster operations for central IT with provisioning, auth/RBAC, policy, security, capacity and cost; clusters on RKE, EKS, GKE, AKS and any infrastructure)
Rancher Quick Start Guide: https://rancher.com/docs/rancher/v2.x/en/quick-start-guide/
Rancher, RancherOS and RKE are on GitHub: http://github.com/rancher
Thank you! @Rancher_Labs · #Rancherk8s · Rancher.com/kubernetes-master-class