Bringing Istio to Production Kubernetes Master Class Series

Bringing Istio to Production Kubernetes Master Class Series #Rancherk 8 s June 4, 2019

Braden Wright Senior Cloud Architect Root Level Technology Matthew Scheer Marketing Manager Rancher matthew@rancher. com #Rancher. K 8 s 2

Rancher Master Class Series: • Trying to keep this to 40 -45 minutes • Questions are always welcome • Use the questions tab to write your questions • We may respond to all, so mark your question as private if needed. #Rancherk 8 s 3

This session is being recorded! http: //youtube. com/c/rancher #Rancherk 8 s 4

Join the conversation on Slack http: //slack. rancher. io #masterclass #Rancher. K 8 s 5

Upcoming Classes http: //rancher. com/kubernetes-master-class/ #Rancher. K 8 s 6

Istio in Production Braden Wright Staff Cloud Architect Linked. In Git. Hub Code for Demo

Service Mesh to the Rescue ● ● ● What happens if we have an outage with a Database? What happens if there is slowness in Authoring Service ABC? What happens if I want to experimentally roll out a new feature in Data Service XYZ? What if I need to rate limit certain services? How do I ensure secure connection between services? How do I test how my applications respond under component failure?

Service Mesh Example No Service Mesh

Service Mesh Lay of the Land ● ● Istio / Envoy (Lyft/IBM/Google, C++ / Go) Linkerd (Buoyant, Scala) Conduit (Buoyant, Rust / Go) Consul (Hashi. Corp) Envoy 1. 0. 0 since Sept 2016, Open Sourced Oct 2016, CNCF

Istio Overview ● Reliability (retries, timeouts, mitigating cascading failures) ● Troubleshooting (observability, monitoring, tracing, diagnostics) ● Performance (throughput, latency, load balancing) ● Security (managing secrets, m. TLS, authz, SDS) ● Dynamic topology (service discovery, custom routing, shadow traffic)

What Features are Important? ● Istio Install (Helm) ● Routing b/t Services (Virtual Service) ● Exposing Outside the Cluster (Public Gateway) ● VPN Only Access to Cluster (Private Gateway) ● DNS (External DNS) ● SSL at Edge (Cert. Manager) Bonus ● Egress (Service. Entry) ● Observability (Prometheus, Jaeger, Kiali)

Istio Install ● Use Helm (or GKE enable) ● Pin Docker Images ● Download Chart / Don’t Use Helm Repo Git. Hub Issue #12923

Demo: Terraform Setup ● ● ● GKE Cluster Setup DNS Iam Binding and K 8 s Secret ○ Lets. Encrypt needs to publish to Cloud. DNS ○ DNS Chart needs to publish to Cloud. DNS Setup Namespaces ○ prd-app, prd-system, istio-system Outside of Terraform: ● VPN ● Enable GCP APIs ● Cloud. DNS domain creation ● Cloud. DNS name server setup

Virtual Services A Virtual. Service defines a set of traffic routing rules to apply when a host is addressed. Each routing rule defines matching criteria for traffic of a specific protocol. If the traffic is matched, then it is sent to a named destination service (or subset/version of it) defined in the registry. ● ● ● Defines set of Traffic Routing Rules ○ HTTP, HTTPS, TCP, TLS ○ path, hostname, port, sni, headers, etc Set CORS policy, headers Rate Limit, Fault Injection

Virtual Services

Destination Rules

Gateways ● L 3 ● Needs Service, Pod ● Expose Ports ● Pod, Service, Gateway ● SSL Configuration ● HTTP Redirect ● external. Traffic. Policy

Virtual Services with Gateways ● Attach a Gateway to a Virtual. Service to expose it outside of the cluster

Demo: Public Gateway

Private & Public Gateways

Demo: Public & Private Gateway

External DNS ● External DNS chart scans K 8 s for Resources, such as Services, Ingresses, Gateways. It then publishes the DNS record to an External Provider (e. g. , Cloud. DNS) ● External DNS Chart ● Istio Limitations ○ Gateways, 1 install per Domain ○ Lack of Support for Virtual. Services

Demo: DNS Chart

SSL ● Installs Cert. Manager chart ● Use DNS Challenge with ● Lets. Encrypt (DNS must be publicly exposed)

Demo: SSL

Future: SSL via SDS and Cert. Manager ● ● ● The ingress gateway can dynamically add, delete, or update its key/certificate pairs and its root certificate. You do not have to restart the ingress gateway. No secret volume mount is needed. Once you create a kubernetes secret, that secret is captured by the gateway agent and sent to ingress gateway as key/certificate or root certificate. The gateway agent can watch multiple key/certificate pairs. You only need to create secrets for multiple hosts and update the gateway definitions.

Istio Implementation Overview

Egress / Service. Entry

Demo: Egress & Service. Entry

Closing Remarks

Get started in two easy steps Step 1: Prepare a Linux Host Rancher requires a single host installed with either Ubuntu 16. 04 (kernel v 3. 10+) or RHEL/Cent. OS 7. 3 as well as at least 2 GB of memory, 20 GB of local disk and a supported version of Docker. Step 2: Start the server To install and run Rancher server, execute the following Docker command on your host: $ sudo docker run -d --restart=unless-stopped -p 80: 80 -p 443: 443 rancher/rancher: latest 32

Rancher is an Enterprise Container Management Platform Self Service Kubernetes Environments Dev. Ops - User Interface - Monitoring - Service - Logging Catalog - Alerting - CI/CD RKE EKS Unified Cluster Operations - Provisioning - Auth/RBAC - Policy GKE - Security - Capacity - Cost AKS Central IT Any Infrastructure #Rancher. K 8 s 33

Rancher Quick Start Guide https: //rancher. com/docs/rancher/v 2. x/en/quick-start-guide/ 34

Rancher, Rancher. OS, RKE are in Git. Hub http: //github. com/rancher 35

Thank you @Rancher_Labs · #Rancherk 8 s Rancher. com/kubernetes-master-class 36