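Canary Release Practices for Kubernetes Container Applications Based on Istio
Zhang Chaomeng @ Huawei Cloud BU 2018.08.25 Service Mesh Meetup #3 Shenzhen Agenda • Istio & Kubernetes • Canary release on Istio & Kubernetes An open platform to connect, manage, and secure microservices Communication basics Service discovery Load balancing Circuit breaking and fault tolerance Dynamic routing … for (封装++) { 应用侵入--; 治理位置--; } Istio from the microservices perspective: service mesh Service mesh control plane Istio from the infrastructure (Kubernetes) perspective: service access Node svca svcc svcb.ns svcc.ns svcb svcd svce svce.ns svcd.ns svcd.ns Kube-proxy Backend Pod2 Labels:app=svcb Port:9379 svca Istio from the infrastructure (Kubernetes) perspective: capability enhancement Service deployment and operations Service governance • Call-chain tracing • Dynamic routing • Circuit breaking and rate limiting • Load balancing • Service discovery • Scaling • Operations • Deployment Kubernetes Istio Istio governs more than microservices: any service that is accessed can be governed. Istio key capabilities
0 credits | 38 pages | 14.93 MB | 1 year ago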
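Canary Release Practices for Kubernetes Container Applications Based on Istio
Zhang Chaomeng @ Huawei Cloud BU 2018.08.25 Service Mesh Meetup #3 Shenzhen Agenda • Istio & Kubernetes • Canary release on Istio & Kubernetes An open platform to connect, manage, and secure Communication basics Service discovery Load balancing Circuit breaking and fault tolerance Dynamic routing … for (封装++) { 应用侵入--; 治理位置--; } Istio from the microservices perspective: service mesh Service mesh control plane Istio from the infrastructure (Kubernetes) perspective: service access Node svca svcc svcb.ns svcc.ns svcb svcd svce svce.ns svcd.ns svcd.n Backend Pod2 Labels:app=svcb Port:9379 svca Istio from the infrastructure (Kubernetes) perspective: capability enhancement Service deployment and operations Service governance • Call-chain tracing • Dynamic routing • Circuit breaking and rate limiting • Load balancing • Service discovery • Scaling • Operations • Deployment Kubernetes Istio Istio governs more than microservices: any service that is accessed can be governed. Istio key capabilities
0 credits | 34 pages | 2.64 MB | 6 months ago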
Optimal Canary Deployments using Istio and how it scores over Spring Cloud and Kubernetes
Presented by Archna Gupta What is a Canary Release or Deployment? • A canary deployment, or canary release Canary Releases Using Kubernetes Deployment POD POD POD POD SERVICE (Load balancer) www.my-application.com External Traffic 75% 25% Deployment Canary Releases Using Kubernetes Deployment POD Using Kubernetes Deployment POD SERVICE (Load balancer) www.my-application.com External Traffic POD POD 0% 100% Deployment Deployment Deployment Canary Releases Using Kubernetes – Across
0 credits | 9 pages | 1011.00 KB | 1 year ago
Istio Security Assessment
Istio and all of its components. Istio is a modern service mesh technology stack often used within Kubernetes clusters to provide service-to-service communication, manages TLS certificates, provides workload overall design and architecture of Istio as it is deployed within common environments such as Kubernetes clusters. • Istio Pilot: The service running within the istiod service that handles service discovery injection) to focus testing efforts. Istio does not currently have a reference design for what an ideal Kubernetes cluster with Istio running within it. Instead, NCC Group used various hosting options (i.e. Minikube
0 credits | 51 pages | 849.66 KB | 1 year ago
Istio is a long wild river: how to navigate it safely
microservices (200+ namespaces) ● 100K RPS at peak on API Gateway ● 1 main production Google Kubernetes Engine (GKE) cluster ● 12k+ pods ● 750+ nodes Istio at Mercari 7 Istio at Mercari Apr 2019 Istio at Mercari Stabilizing Istio 10 Stabilizing Istio ● Istio sidecar proxy specifications ● Kubernetes shortcomings with sidecar containers ○ Controlling containers lifecycle ○ Autoscaling pods with any other container in a pod 14 Kubernetes shortcomings with sidecar containers Stabilizing Istio Pod A is the Kubernetes atomic unit Pod App container
0 credits | 69 pages | 1.58 MB | 1 year ago
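Exploring and Practicing Istio-Based Microservice Governance Event Monitoring
2018.11.25 Xu Yunyuan About me Graduated from Zhejiang University in 2008; has more than 9 years of work experience at Cisco and Insigma (浙大网新) and 5 years of work experience in cloud computing; led the team that completed the company's first-generation Kubernetes-based cloud platform and its second-generation Kubernetes-based DevOps cloud platform. Currently focused on building the company's Istio-based microservice platform. From the SEL lab at Zhejiang University Contents Monitoring evolution of the microservice platform Introduction to the functions of the Mixer component logfile APP logfile Kubernetes console APP logfile APP logfile APP logfile Kubernetes console DC2 DMZ Intranet APP logfile APP logfile APP logfile Kubernetes console APP logfile logfile APP logfile APP logfile Kubernetes console search &analysis Prometheus TSDB Improved architecture based on the correlation of requests and logs A Agent B Agent C Agent Request(Transaction ID) A(application) Trasanctionid(CA SDK support)
0 credits | 29 pages | 8.37 MB | 6 months ago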
Istio audit report - ADA Logics - 2023-01-30 - v1.0
applicable to software applications. Istio is platform and language agnostic, but is often used on top of Kubernetes. It offers users easy access to features such as observability, traffic management and security of Istio's overall availability. Kubernetes Istio extends Kubernetes and is exposed to vulnerabilities in Kubernetes itself. Simultaneously, Istio must extend Kubernetes properly and may contain vulnerabilities Ingress Resources Istio offers two models for managing ingress traffic to the cluster: 1. The Kubernetes ingress resource 2. Istio Gateway These resources are exposed to the outside world and represent
0 credits | 55 pages | 703.94 KB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
mesh ○ Istio control plane services (Pilot, Mixer, CA) accessible from the VMs ○ (optional) Kubernetes DNS server accessible from the VMs ● Onboard steps ○ Setup Internal Load Balancers (ILBs) for representation for the workloads themselves #IstioCon V1.6-1.8 Better VM Workload Abstraction Item Kubernetes Virtual Machine Basic schedule unit Pod WorkloadEntry Component Deployment WorkloadGroup Service class: vm #IstioCon V1.6-1.8 Better VM Workload Abstraction ● Workload Entry ○ single non-Kubernetes workload ○ mTLS using service account ○ work with an Istio ServiceEntry ● Workload Group ○
0 credits | 50 pages | 2.19 MB | 1 year ago
Song Jingchao: From Open-Source Istio to Enterprise-Grade Services: How to Adopt Service Mesh in the Enterprise
Native at scale without a modern application-aware network Cloud!=Cloud Native Bare metal VMs Kubernetes VMs ● Monolith was decoupled to Microservices ● External and internal traffic starts to look Go developers ● Istio Security Scanner ● Envoy Gateway: Manages Envoy Proxy as a standalone or Kubernetes-based application gateway ● Tetrate Istio Distro: Simple, safe enterprise-grade Istio distro ● Security vulnerabilities ○ Config scanning ● GitHub Envoy Gateway ● API standarization ● Support Kubernetes Gateway API Use Case: A Financial Company Istio: Control Plane Tetrate Service Bridge: Management
0 credits | 30 pages | 4.79 MB | 6 months ago
Local Istio Development
kubectl apply docker pull Local Kubernetes Local Registry #IstioCon Local Machine Local Cluster + Registry docker push kubectl apply docker pull Local Kubernetes Local Registry + Fast! Image including enabling alpha features and multicluster - Local resource utilization - Some overhead of Kubernetes and docker images - Attaching a debugger is not trivial #IstioCon Fully Local go run ./pi
0 credits | 16 pages | 424.31 KB | 1 year ago
34 results in total