---
title: istio
tags: istio, service mesh
---

## What's Istio

* Istio is a service mesh.
* An observability tool.
* Implements network mechanisms.
* Integrates with many useful tools.
* Handles microservice challenges.
  -- More service owners.
  -- More network interactions.
  -- Much more difficult to monitor/observe.
  -- e.g. Twitter microservices.

## Architecture

* Without Istio, we need to implement the network mechanisms ourselves.
* With Istio, we just need to apply configuration to the control plane.
* Istio architecture
* Compare K8S native with Istio

## Demo

```bash
## Install istio
istioctl install --set meshConfig.accessLogFile=/dev/stdout

## Label the namespace that will host the application with istio-injection=enabled
kubectl label namespace default istio-injection=enabled

## Deploy application
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
```

#### Bookinfo architecture

#### K8S common network topology

```bash
## Define the ingress gateway
kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml

## Apply default destination rules
kubectl apply -f samples/bookinfo/networking/destination-rule-all.yaml

## Show the page without any service rule.

## Set Istio to route to the v1 version of the service.
kubectl apply -f samples/bookinfo/networking/virtual-service-all-v1.yaml

## Transfer 50% of the traffic from reviews:v1 to reviews:v3
kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml

## Export application
export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
export TCP_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="tcp")].port}')
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT

## Send request
for i in $(seq 1 100); do curl -s -o /dev/null "http://$GATEWAY_URL/productpage"; done
```

## Traffic management

* Virtual services
  -- Configure how requests are routed to a service within an Istio service mesh.
  -- e.g. Useful in A/B testing. (By default, Envoy distributes traffic using round-robin load balancing between all service instances.)

```
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
...
spec:
  hosts:
    - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 50
    - destination:
        host: reviews
        subset: v3
      weight: 50
```

  -- e.g. Specify traffic behavior for one or more hostnames.

```
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
    - bookinfo.com
  http:
  - match:
    - uri:
        prefix: /reviews
    route:
    - destination:
        host: reviews
  - match:
    - uri:
        prefix: /ratings
    route:
    - destination:
        host: ratings
```

* Destination rules
  -- Configure what happens to traffic for that destination.
  -- Load balancing policy (Random, Weighted, Least requests)

```
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  trafficPolicy:
    loadBalancer:
      simple: RANDOM
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
```

* Gateways
  -- Manage inbound and outbound traffic for your mesh.

```
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
```

```
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: httpbin-credential # must be the same as secret
    hosts:
    - httpbin.example.com
```

* Service entries
  -- Add an entry to the service registry.

```
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: svc-entry
spec:
  hosts:
  - ext-svc.example.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
```

* Sidecars
  -- Fine-tune the set of ports and protocols that an Envoy proxy accepts.
  -- Limit the set of services that the Envoy proxy can reach.

```
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: bookinfo
spec:
  egress:
  - hosts:
    - "./*"
    - "istio-system/*"
```

## Network resilience and testing

* Timeouts
  -- A timeout is the amount of time that an Envoy proxy should wait for replies from a given service.

```
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ratings
spec:
  hosts:
  - ratings
  http:
  - route:
    - destination:
        host: ratings
        subset: v1
    timeout: 10s
```

* Retries
  -- A retry setting specifies the maximum number of times an Envoy proxy attempts to connect to a service.

```
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ratings
spec:
  hosts:
  - ratings
  http:
  - route:
    - destination:
        host: ratings
        subset: v1
    retries:
      attempts: 3
      perTryTimeout: 2s
```

* Circuit breakers
  -- Set limits for calls to individual hosts within a service, such as the number of concurrent connections or how many times calls to this host have failed.

```
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1
    trafficPolicy:
      connectionPool:
        tcp:
          maxConnections: 100
```

* Fault injection
  -- Introduces errors into a system to ensure that it can withstand and recover from error conditions. (Delays/HTTP error codes)
  -- e.g. Introduce a 5-second delay for 1 out of every 1000 requests.

```
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ratings
spec:
  hosts:
  - ratings
  http:
  - fault:
      delay:
        percentage:
          value: 0.1
        fixedDelay: 5s
    route:
    - destination:
        host: ratings
        subset: v1
```

## Observability

* **Log**
  -- Nothing special

```
$ kubectl logs -l app=sleep -c istio-proxy
[2020-03-06T09:31:27.354Z] "GET /status/418 HTTP/1.1" 418 - "-" 0 135 11 10 "-" "curl/7.60.0" "d209e46f-9ed5-9b61-bbdd-43e22662702a" "httpbin:8000" "172.30.146.73:80" outbound|8000||httpbin.default.svc.cluster.local - 172.21.13.94:8000 172.30.146.82:60290 -
```

* **Metrics**
  * Prometheus - Collecting Metrics

```
## Install Prometheus
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.8/samples/addons/prometheus.yaml
istioctl dashboard prometheus
```

  * Customizing Istio Metrics
    * Istio uses the Envoy proxy to generate metrics and provides its configuration in the EnvoyFilter.
    * e.g. Add request_host and destination_port dimensions to the requests_total metric.

```
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    telemetry:
      v2:
        prometheus:
          configOverride:
            inboundSidecar:
              metrics:
                - name: requests_total
                  dimensions:
                    destination_port: string(destination.port)
                    request_host: request.host
            outboundSidecar:
              metrics:
                - name: requests_total
                  dimensions:
                    destination_port: string(destination.port)
                    request_host: request.host
            gateway:
              metrics:
                - name: requests_total
                  dimensions:
                    destination_port: string(destination.port)
                    request_host: request.host
```

    * Istio exposes all standard [Envoy attributes](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes).
  * Grafana - Visualizing Metrics

```
## Install Grafana
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.8/samples/addons/grafana.yaml
istioctl dashboard grafana
```

* **Tracing**
  -- The default sampling rate is 1%.
  -- Applications need to propagate the appropriate HTTP headers ([Link](https://istio.io/latest/docs/tasks/observability/distributed-tracing/overview/)) so that when the proxies send span information, the spans can be correlated correctly into a single trace.
  * Zipkin

```
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.8/samples/addons/extras/zipkin.yaml
istioctl dashboard zipkin
```

  * Jaeger

```
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.8/samples/addons/jaeger.yaml
istioctl dashboard jaeger
for i in $(seq 1 100); do curl -s -o /dev/null "http://bookinfo.com/productpage"; done
```

* **Visualizing Mesh**
  * Kiali

```
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.8/samples/addons/kiali.yaml
istioctl dashboard kiali
```

    * View the graph by namespace.
    * Creating weighted routes. (Service (left side bar) => Action (drop-down list))
    * Validating Istio configuration
      1. Change a service to an abnormal state.
      2. Navigate to the Services list by clicking Services on the left-hand navigation bar.
      3. Notice the error icon.
      4. Click the YAML tab to view the YAML for this Istio destination rule resource.
      5. Notice the color highlights.

## Useful commands

```
## kubectl edit mutatingwebhookconfiguration istio-sidecar-injector
```
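
An added example, not part of the original note: a parser for the `istio-proxy` access-log line shown in the Log section, which counts requests per upstream cluster and status and surfaces lines that do not parse instead of dropping them. The field names are assigned by position to that one sample line and are an assumption (other Istio releases emit extra fields); the two extra inputs are constructed variants of the page's line.

```python
import shlex
from collections import Counter

# Names assigned by position to the sample line in the Log section.
# Assumption: this matches that line only; other Istio releases emit extra fields.
FIELDS = ["start_time", "request", "response_code", "response_flags",
          "mixer_status", "bytes_received", "bytes_sent", "duration_ms",
          "upstream_service_time", "x_forwarded_for", "user_agent",
          "request_id", "authority", "upstream_host", "upstream_cluster",
          "upstream_local", "downstream_local", "downstream_remote",
          "requested_server_name"]

def parse_line(line):
    """Return a dict of named fields, or None when the line does not fit."""
    try:
        tokens = shlex.split(line)      # honours the double-quoted fields
    except ValueError:                  # unbalanced quote in a client-controlled field
        return None
    if len(tokens) != len(FIELDS) or not tokens[2].isdigit():
        return None
    rec = dict(zip(FIELDS, tokens))
    rec["start_time"] = rec["start_time"].strip("[]")
    rec["method"], _, rest = rec["request"].partition(" ")
    rec["path"] = rest.rsplit(" ", 1)[0]
    rec["response_code"] = int(rec["response_code"])
    return rec

def summarize(lines):
    """Count (upstream_cluster, status) pairs and list entries worth a look."""
    counts, review = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            review.append(("unparsed", line[:40]))
        else:
            counts[(rec["upstream_cluster"], rec["response_code"])] += 1
            if rec["response_flags"] != "-" or rec["response_code"] >= 500:
                review.append((rec["response_flags"], rec["request_id"]))
    return counts, review

# The log line copied from the page.
PAGE_LINE = ('[2020-03-06T09:31:27.354Z] "GET /status/418 HTTP/1.1" 418 - "-" 0 135 11 10 "-" '
             '"curl/7.60.0" "d209e46f-9ed5-9b61-bbdd-43e22662702a" "httpbin:8000" '
             '"172.30.146.73:80" outbound|8000||httpbin.default.svc.cluster.local - '
             '172.21.13.94:8000 172.30.146.82:60290 -')
# Constructed variants: a 503 with response flag UF, and a stray quote in the user agent.
CONSTRUCTED = [PAGE_LINE.replace("418 - ", "503 UF ", 1),
               PAGE_LINE.replace("curl/7.60.0", 'curl"7.60.0')]

if __name__ == "__main__":
    counts, review = summarize([PAGE_LINE] + CONSTRUCTED)
    print(dict(counts), review)
```

The request path, user agent and authority are client-supplied, so a line that does not tokenise is kept for review rather than skipped.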